打开靶场后,查看源码即可看到<!--source.php-->
<?php
// Print this script's own source, syntax-highlighted, as the page body
// (the second argument is the default: emit instead of return).
highlight_file(__FILE__, false);
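class emmm
{
    /**
     * Whitelist gate for the `file` request parameter (hardened version).
     *
     * The decision is taken on $page exactly as the caller will include it:
     * a strict, full-string comparison against the whitelist. The challenge's
     * original version (listed with annotations further down the page) also
     * accepted a copy of $page truncated at the first '?', before or after an
     * extra urldecode(), while the caller still included the untruncated
     * string. Checking one value and using another is the gap the bypass goes
     * through, so that path is removed here.
     *
     * @param mixed $page candidate file name (by reference to keep the original
     *                    signature; it is never written)
     * @return bool true only when $page is exactly one of the whitelisted names
     */
    public static function checkFile(&$page): bool
    {
        $whitelist = ["source" => "source.php", "hint" => "hint.php"];
        // in_array() compares with == unless the third argument is true.
        if (isset($page) && is_string($page) && in_array($page, $whitelist, true)) {
            return true;
        }
        echo "you can't see it";
        return false;
    }
}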
// Serve the requested file only after the whitelist gate accepts it; any other
// outcome shows the placeholder image. $_REQUEST merges GET, POST and cookie
// values, so the parameter can arrive through any of them.
$candidate = $_REQUEST['file'] ?? null;
$usable = is_string($candidate) && $candidate !== '' && $candidate !== '0';
if ($usable && emmm::checkFile($_REQUEST['file'])) {
    include $_REQUEST['file'];
    exit;
}
echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
?>
public static function checkFile(&$page) //这边有个重要的函数
将传入的参数赋给 $page:请求中的 file 参数通过引用传给该函数,在函数内即为 $page
<?php
// Echo the challenge's own source (syntax-highlighted) to the visitor.
$self = __FILE__;
highlight_file($self);
class emmm
{
    /**
     * Whitelist gate for the `file` request parameter.
     *
     * Returns true when $page itself, or a copy of $page truncated at its
     * first '?' (before or after one extra urldecode()), equals one of the
     * whitelisted file names. The caller then includes the ORIGINAL,
     * untruncated $page, so the string that is checked and the string that
     * is used are not the same — that gap is what the bypass relies on.
     *
     * @param mixed $page candidate file name (by reference; never written here)
     * @return bool
     */
    public static function checkFile(&$page)
    {
        $whitelist = ["source"=>"source.php","hint"=>"hint.php"]; // the only two files meant to be includable
        if (! isset($page) || !is_string($page)) { // unset or non-string: reject immediately
            echo "you can't see it";
            return false;
        }
        if (in_array($page, $whitelist)) { // exact match (loose ==, no strict flag)
            return true;
        }
        $_page = mb_substr( // keep $page up to its first '?'; the appended '?' guarantees mb_strpos finds one
            $page,
            0,
            mb_strpos($page . '?', '?')
        );
        if (in_array($_page, $whitelist)) { // e.g. 'source.php?anything' passes this check
            return true;
        }
        $_page = urldecode($page); // one extra decode on top of the one the web server already applied
        $_page = mb_substr( // truncate the decoded copy at its first '?'
            $_page,
            0,
            mb_strpos($_page . '?', '?')
        );
        if (in_array($_page, $whitelist)) { // so a double-encoded '?' (%253f) also passes, while $page keeps its suffix
            return true;
        }
        echo "you can't see it";
        return false;
    }
}
// The parameter must be present, a non-empty string, and accepted by the
// whitelist gate before it reaches include; otherwise a placeholder image is shown.
$requested = $_REQUEST['file'] ?? null;
$looksUsable = is_string($requested) && $requested !== '' && $requested !== '0';
if ($looksUsable && emmm::checkFile($_REQUEST['file'])) {
    include $_REQUEST['file'];
    exit;
}
echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
?>
第四个 if 语句中,先进行 url 解码再截取,因此我们可以将 ? 经过两次 url 编码:服务器端提取参数时解码一次,checkFile 函数中再解码一次,仍会解码为 '?',因而仍可通过第四个 if 语句的校验('?' 两次编码值为 '%253f')。构造 url:

http://399fe153-1f62-43d5-a67f-e645a0e7ac66.node3.buuoj.cn/source.php?file=source.php%253f../ffffllllaaaagggg

经过测试发现无返回值,这可能是因为我们不知道ffffllllaaaagggg