phpMyRedis 풀이
2024. 4. 28. 02:07ㆍDreamhack Wargame
index.php
<?php
include_once "./core.php";
?>
<html>
<head></head>
<link rel="stylesheet" href="/static/bulma.min.css" />
<body>
<div class="container card">
<div class="card-content">
<div class="columns">
<div class="column is-10">
<h1 class="title">phpMyRedis</h1>
</div>
<div>
<div class="column is-2"><a href="/config.php" class="card-footer-item">Config</a></div>
</div>
</div>
<form method="post">
<div class="field">
<label class="label">Command</label>
<div class="control">
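<?php /* Re-display the submitted command, HTML-escaped: it is raw POST data placed inside markup, and an unescaped "</textarea>" would break out of the field. */ ?>
<textarea class="textarea" name="cmd"><?=htmlspecialchars(isset($_POST['cmd']) && is_string($_POST['cmd']) ? $_POST['cmd'] : 'return 1;', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')?></textarea>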
</div>
<label class="checkbox">
<input type="checkbox" name="save">Save
</label>
</div>
<div class="control">
<input class="button is-success" type="submit" value="submit">
</div>
</form>
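<?php
// Handles a submitted "Command" form: runs the text as a script on Redis,
// prints the JSON-encoded result, appends the command to the session history
// and, when "Save" is ticked, writes command + result to a file under ./data/.
//
// NOTE(security): the code shown performs no authentication or CSRF check
// before reaching this point; any request carrying a `cmd` field is processed.
if (isset($_POST['cmd']) && is_string($_POST['cmd'])) {
    // Reject non-string input (e.g. cmd[]=...) instead of passing an array on.
    $cmd = $_POST['cmd'];

    $redis = new Redis();
    $redis->connect($REDIS_HOST);

    // NOTE(security): $cmd is caller-controlled text executed as a server-side
    // script (EVAL) on the Redis instance that also stores the PHP sessions
    // (see core.php). Running scripts is this page's purpose, so the call is
    // kept; outside a lab it needs authentication and a Redis account that is
    // restricted to the commands and keys the application really uses.
    $ret = json_encode($redis->eval($cmd));

    echo '<h1 class="subtitle">Result</h1>';
    // json_encode() leaves <, > and & untouched by default, and the result can
    // contain data the caller chose, so encode it for the HTML context.
    echo '<pre>' . htmlspecialchars((string) $ret, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</pre>';

    // History is kept as history_0 .. history_(cnt-1) plus a counter.
    if (!array_key_exists('history_cnt', $_SESSION)) {
        $_SESSION['history_cnt'] = 0;
    }
    $_SESSION['history_' . $_SESSION['history_cnt']] = $cmd;
    $_SESSION['history_cnt'] += 1;

    if (isset($_POST['save'])) {
        // NOTE(security): this stores caller-supplied text in ./data/, and the
        // link printed below implies that directory is reachable over HTTP.
        // The name is an MD5 hex digest with no extension; the web server
        // should still be configured to serve ./data/ as inert downloads only.
        $path = './data/' . md5(session_id());
        $data = '> ' . $cmd . PHP_EOL . str_repeat('-', 50) . PHP_EOL . $ret;

        // Only claim success when the write actually happened.
        if (file_put_contents($path, $data) === false) {
            echo 'save failed';
        } else {
            // $path is "./data/" + 32 hex characters, so it is safe to print.
            echo "saved at : <a target='_blank' href='$path'>$path</a>";
        }
    }
}
?>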
</div>
</div>
<br/>
<div class="container card">
<div class="card-content">
<div class="columns">
<div class="column is-10">
<h1 class="title">Command History</h1>
</div>
<div class="column is-2"><a href="/reset.php" class="card-footer-item">Reset</a></div>
</div>
<div class="content">
<ul>
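<?php
// Renders the commands stored in this session's history as list items.
// The counter is absent until the first command is submitted, so default to 0
// rather than reading an undefined index.
$historyCount = isset($_SESSION['history_cnt']) ? (int) $_SESSION['history_cnt'] : 0;
for ($i = 0; $i < $historyCount; $i++) {
    $entry = isset($_SESSION['history_' . $i]) ? (string) $_SESSION['history_' . $i] : '';
    // Entries are raw submitted commands, and the session itself lives in the
    // Redis instance the command form can script (see core.php), so the value
    // is untrusted either way: encode it before placing it in the page.
    echo '<li>' . htmlspecialchars($entry, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</li>';
}
?>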
</ul>
</div>
</div>
</div>
</body>
</html>
config.php
<?php
include_once "./core.php";
?>
<html>
<head></head>
<link rel="stylesheet" href="/static/bulma.min.css" />
<body>
<div class="container card">
<div class="card-content">
<div class="columns">
<div class="column is-10">
<h1 class="title">phpMyRedis</h1>
</div>
<div>
<div class="column is-2"><a href="/" class="card-footer-item">Command</a></div>
</div>
</div>
<form method="post">
<label class="label">Config</label>
<div class="field">
<div class="control">
<div class="select">
<select name="option">
<option>GET</option>
<option>SET</option>
</select>
</div>
</div>
</div>
<div class="field">
<label class="label">Key</label>
<div class="control">
<input class="input" type="text" name="key">
</div>
</div>
<div class="field">
<label class="label">Value</label>
<div class="control">
<input class="input" type="text" name="value">
</div>
</div>
<div class="control">
<input class="button is-success" type="submit" value="submit">
</div>
</form>
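<?php
// Handles the "Config" form: forwards a GET or SET request to Redis CONFIG
// and prints the outcome. Any other option value ends the request.
//
// NOTE(security): the code shown performs no authentication or CSRF check
// before reaching this point.
if (isset($_POST['option'])) {
    $option = $_POST['option'];
    // Missing or non-string fields become empty strings instead of raising
    // undefined-index notices or passing arrays through.
    $key = isset($_POST['key']) && is_string($_POST['key']) ? $_POST['key'] : '';
    $value = isset($_POST['value']) && is_string($_POST['value']) ? $_POST['value'] : '';

    $redis = new Redis();
    $redis->connect($REDIS_HOST);

    // Strict comparison: only the exact strings offered by the form match.
    if ($option === 'GET') {
        $ret = json_encode($redis->config('GET', $key));
    } elseif ($option === 'SET') {
        // NOTE(security): $key and $value come straight from the form, so any
        // visitor can change arbitrary server settings, including how often
        // and under what file name Redis persists its data; the write-up that
        // follows these listings builds on exactly this. A real deployment
        // should not expose CONFIG SET to web users at all, or should accept
        // only a fixed allow-list of keys and deny CONFIG to the Redis account
        // the application connects with.
        $ret = $redis->config('SET', $key, $value);
    } else {
        die('error !');
    }

    echo '<h1 class="subtitle">Result</h1>';
    // CONFIG GET can return values that were previously set through this same
    // form, so the output is untrusted: encode it for the HTML context.
    echo '<pre>' . htmlspecialchars((string) $ret, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</pre>';
}
?>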
</div>
</div>
</body>
</html>
core.php
<?php
// Shared bootstrap included by every page: defines the Redis endpoint and
// starts a PHP session whose data is stored in that Redis instance.
$REDIS_HOST = 'localhost';
$REDIS_PORT = 6379;

// NOTE(review): sessions live in the same Redis instance that index.php
// scripts with EVAL and config.php reconfigures, so pages reading $_SESSION
// cannot treat its contents as trusted.
ini_set('session.save_handler', 'redis');
ini_set('session.save_path', sprintf('tcp://%s:%s', $REDIS_HOST, $REDIS_PORT));

session_start();
reset.php
<?php
// Reset endpoint: drops the visitor's session (which holds the command
// history) and sends the browser back to the command page.

// core.php starts the Redis-backed session, so there is one to destroy.
include_once './core.php';

session_destroy();
header('Location: /');
?>
cmd 파라미터에 들어가는 값을 POST로 받아오고, echo로 $redis->eval()의 결과를 출력해 줍니다
만약 save 옵션이 눌려진 상태라면, ./data/ 하위 경로에 결과를 저장해 줍니다
config.php는 key와 value를 검증 없이 CONFIG SET에 그대로 넘기므로, redis의 파일 저장 주기와 dbfilename을 조작해 주면 cmd 명령어를 실행시킬 수 있을 것 같습니다
이제 redis.call()로 php 쉘을 올리고, test.php로 접속해 줍니다
cmd에는 리눅스 cmd 명령어를 넣어주면 되는데, 구조가 어떻게 되어있는지 모르니까 우선 ls를 넣어주겠습니다