[HFCTF2020]BabyUpload解题步骤详解

2022年4月9日01:27:20评论364 views字数 2566阅读8分33秒阅读模式

题目直接给了源代码

<?phperror_reporting(0);session_save_path("/var/babyctf/");session_start();require_once "/flag";highlight_file(__FILE__);if($_SESSION['username'] ==='admin'){    $filename='/var/babyctf/success.txt';    if(file_exists($filename)){            safe_delete($filename);            die($flag);    }}else{    $_SESSION['username'] ='guest';}$direction = filter_input(INPUT_POST, 'direction');$attr = filter_input(INPUT_POST, 'attr');$dir_path = "/var/babyctf/".$attr;if($attr==="private"){    $dir_path .= "/".$_SESSION['username'];}if($direction === "upload"){    try{        if(!is_uploaded_file($_FILES['up_file']['tmp_name'])){            throw new RuntimeException('invalid upload');        }        $file_path = $dir_path."/".$_FILES['up_file']['name'];        $file_path .= "_".hash_file("sha256",$_FILES['up_file']['tmp_name']);        if(preg_match('/(../|..\\)/', $file_path)){            throw new RuntimeException('invalid file path');        }        @mkdir($dir_path, 0700, TRUE);        if(move_uploaded_file($_FILES['up_file']['tmp_name'],$file_path)){            $upload_result = "uploaded";        }else{            throw new RuntimeException('error while saving');        }    } catch (RuntimeException $e) {        $upload_result = $e->getMessage();    }} elseif ($direction === "download") {    try{        $filename = basename(filter_input(INPUT_POST, 'filename'));        $file_path = $dir_path."/".$filename;        if(preg_match('/(../|..\\)/', $file_path)){            throw new RuntimeException('invalid file path');        }        if(!file_exists($file_path)) {            throw new RuntimeException('file not exist');        }        header('Content-Type: application/force-download');        header('Content-Length: '.filesize($file_path));        header('Content-Disposition: attachment; filename="'.substr($filename, 0, -65).'"');        if(readfile($file_path)){            $download_result = "downloaded";        }else{            throw new RuntimeException('error while saving');        }    } catch (RuntimeException $e) {        $download_result = $e->getMessage();    }    exit;}?>

从源代码可以知道获取flag需要自身的session为admin，session目录下有success.txt

首先我们先看session是怎么储存的

[HFCTF2020]BabyUpload解题步骤详解

之后从这里看了其他师傅的wp

得知了不同引擎对session有不同的储存方式

php_binary:存储方式是，键名的长度对应的ASCII字符+键名+经过serialize()函数序列化处理的值

php:存储方式是，键名+竖线+经过serialize()函数序列处理的值

php_serialize(php>5.5.4):存储方式是，经过serialize()函数序列化处理的值

从图中可以知道是php_binary

接下来开始伪造session文件

<?phpini_set('session.serialize_handler', 'php_binary');session_save_path("D:\phpStudy_64\phpstudy_pro\WWW\ctf\");session_start();
$_SESSION['username'] = 'admin';