[Zer0pts2020]Can you guess it?

最新推荐文章于 2022-12-09 08:08:14 发布

K1ose

最新推荐文章于 2022-12-09 08:08:14 发布

阅读量125

点赞数

分类专栏： CTF WEB

本文链接：https://blog.csdn.net/K1ose/article/details/115118833

版权

CTF WEB 专栏收录该内容

18 篇文章 1 订阅

订阅专栏

访问页面，点source看源码；

 <?php
include 'config.php'; // FLAG is defined in config.php

if (preg_match('/config\.php\/*$/i', $_SERVER['PHP_SELF'])) {
  exit("I don't know what you are thinking, but I won't let you read it :)");
}

if (isset($_GET['source'])) {
  highlight_file(basename($_SERVER['PHP_SELF']));
  exit();
}

$secret = bin2hex(random_bytes(64));
if (isset($_POST['guess'])) {
  $guess = (string) $_POST['guess'];
  if (hash_equals($secret, $guess)) {
    $message = 'Congratulations! The flag is: ' . FLAG;
  } else {
    $message = 'Wrong.';
  }
}
?>

首先知道flag在config.php中，但是接下来的条件语句做了正则匹配；
$_SERVER['PHP_SELF']返回当前执行的脚本名称，例如：

http://k1ose2jo.com/index.php/example.php

$_SERVER['PHP_SELF']会返回/index.php/example.php

接下来是basename()这个函数；
basename会返回路径文件中的文件名；
如，basename($_SERVER['PHP_SELF'])会返回example.php；

这样，想要输出config.php的内容，还需要通过/config.php?source，需要绕过正则；
直接上128-255的ASCII值来污染；

/index.php/config.php/%99?source

拿到flag；
flag{50a4d60e-9823-42d9-b513-dec749a7ee94}

K1ose

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
[Zer0pts2020]Can you guess it?

访问页面，点source看源码； <?phpinclude 'config.php'; // FLAG is defined in config.phpif (preg_match('/config\.php\/*$/i', $_SERVER['PHP_SELF'])) { exit("I don't know what you are thinking, but I won't let you read it :)");}if (isset($_GET['source'])) {
复制链接

扫一扫