![[HFCTF2020]BabyUpload解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/4-1649409328.gif "[HFCTF2020]BabyUpload解题步骤详解")
题目直接给了源代码
error_reporting(0);session_save_path("/var/babyctf/");session_start();require_once "/flag";highlight_file(__FILE__);if($_SESSION['username'] ==='admin'){$filename='/var/babyctf/success.txt';if(file_exists($filename)){safe_delete($filename);die($flag);}}else{$_SESSION['username'] ='guest';}$direction = filter_input(INPUT_POST, 'direction');$attr = filter_input(INPUT_POST, 'attr');$dir_path = "/var/babyctf/".$attr;if($attr==="private"){$dir_path .= "/".$_SESSION['username'];}if($direction === "upload"){try{if(!is_uploaded_file($_FILES['up_file']['tmp_name'])){throw new RuntimeException('invalid upload');}$file_path = $dir_path."/".$_FILES['up_file']['name'];$file_path .= "_".hash_file("sha256",$_FILES['up_file']['tmp_name']);if(preg_match('/(../|..\\)/', $file_path)){throw new RuntimeException('invalid file path');}@mkdir($dir_path, 0700, TRUE);if(move_uploaded_file($_FILES['up_file']['tmp_name'],$file_path)){$upload_result = "uploaded";}else{throw new RuntimeException('error while saving');}} catch (RuntimeException $e) {$upload_result = $e->getMessage();}} elseif ($direction === "download") {try{$filename = basename(filter_input(INPUT_POST, 'filename'));$file_path = $dir_path."/".$filename;if(preg_match('/(../|..\\)/', $file_path)){throw new RuntimeException('invalid file path');}if(!file_exists($file_path)) {throw new RuntimeException('file not exist');}header('Content-Type: application/force-download');header('Content-Length: '.filesize($file_path));header('Content-Disposition: attachment; filename="'.substr($filename, 0, -65).'"');if(readfile($file_path)){$download_result = "downloaded";}else{throw new RuntimeException('error while saving');}} catch (RuntimeException $e) {$download_result = $e->getMessage();}exit;}
从源代码可以知道获取flag需要自身的session为admin,session目录下有success.txt
首先我们先看session是怎么储存的
![[HFCTF2020]BabyUpload解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/6-1649409331.png "[HFCTF2020]BabyUpload解题步骤详解")
之后从这里看了其他师傅的wp
得知了不同引擎对session有不同的储存方式
php_binary:存储方式是,键名的长度对应的ASCII字符+键名+经过serialize()函数序列化处理的值
php:存储方式是,键名+竖线+经过serialize()函数序列处理的值
php_serialize(php>5.5.4):存储方式是,经过serialize()函数序列化处理的值
从图中可以知道是php_binary
接下来开始伪造session文件
ini_set('session.serialize_handler', 'php_binary');session_save_path("D:\phpStudy_64\phpstudy_pro\WWW\ctf\");session_start();$_SESSION['username'] = 'admin';
得到了sess文件,保留sess,计算session文件的hash值
![[HFCTF2020]BabyUpload解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/2-1649409332.png "[HFCTF2020]BabyUpload解题步骤详解")
得到hash值:
432b8b09e30c4a75986b719d1312b63a69f1b833ab602c9ad5f0299d1d76a5a4
之后把sess文件和success.txt文件上传
![[HFCTF2020]BabyUpload解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/1-1649409334.png "[HFCTF2020]BabyUpload解题步骤详解")
在把自身的session修改,刷新页面得到flag
原文来自CSDN博主「Lhehe2020」|侵删
![[HFCTF2020]BabyUpload解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/10-1649409335.png "[HFCTF2020]BabyUpload解题步骤详解")
![[HFCTF2020]BabyUpload解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/6-1649409336.png "[HFCTF2020]BabyUpload解题步骤详解")
![[HFCTF2020]BabyUpload解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/7-1649409337.png "[HFCTF2020]BabyUpload解题步骤详解")
![[HFCTF2020]BabyUpload解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/2-1649409339.png "[HFCTF2020]BabyUpload解题步骤详解")
。想加入我们就给我们留言吧![[HFCTF2020]BabyUpload解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/0-1649409340.png "[HFCTF2020]BabyUpload解题步骤详解")
。![[HFCTF2020]BabyUpload解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/9-1649409342.gif "[HFCTF2020]BabyUpload解题步骤详解")
![[HFCTF2020]BabyUpload解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/3-1649409343.gif "[HFCTF2020]BabyUpload解题步骤详解")
![[HFCTF2020]BabyUpload解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/5-1649409345.png "[HFCTF2020]BabyUpload解题步骤详解")
原文始发于微信公众号(寰宇卫士):[HFCTF2020]BabyUpload解题步骤详解
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论