解题
打开网址,查看源码,发现提示1p.html;
试着打开url+1p.html,发现有跳转,用burp抓包查看源码,得到一串字符;
开头推测是被url编码了,用在线工具( UrlEncode编码/UrlDecode解码 - 站长工具 (chinaz.com))解码;
忽略注释内容,根据下面字符串特征,试着用base64解码;
JTIyJTNCaWYoISUyNF9HRVQlNUInaWQnJTVEKSUwQSU3QiUwQSUwOWhlYWRlcignTG9jYXRpb24lM0ElMjBoZWxsby5waHAlM0ZpZCUzRDEnKSUzQiUwQSUwOWV4aXQoKSUzQiUwQSU3RCUwQSUyNGlkJTNEJTI0X0dFVCU1QidpZCclNUQlM0IlMEElMjRhJTNEJTI0X0dFVCU1QidhJyU1RCUzQiUwQSUyNGIlM0QlMjRfR0VUJTVCJ2InJTVEJTNCJTBBaWYoc3RyaXBvcyglMjRhJTJDJy4nKSklMEElN0IlMEElMDllY2hvJTIwJ25vJTIwbm8lMjBubyUyMG5vJTIwbm8lMjBubyUyMG5vJyUzQiUwQSUwOXJldHVybiUyMCUzQiUwQSU3RCUwQSUyNGRhdGElMjAlM0QlMjAlNDBmaWxlX2dldF9jb250ZW50cyglMjRhJTJDJ3InKSUzQiUwQWlmKCUyNGRhdGElM0QlM0QlMjJidWdrdSUyMGlzJTIwYSUyMG5pY2UlMjBwbGF0ZWZvcm0hJTIyJTIwYW5kJTIwJTI0aWQlM0QlM0QwJTIwYW5kJTIwc3RybGVuKCUyNGIpJTNFNSUyMGFuZCUyMGVyZWdpKCUyMjExMSUyMi5zdWJzdHIoJTI0YiUyQzAlMkMxKSUyQyUyMjExMTQlMjIpJTIwYW5kJTIwc3Vic3RyKCUyNGIlMkMwJTJDMSkhJTNENCklMEElN0IlMEElMDklMjRmbGFnJTIwJTNEJTIwJTIyZmxhZyU3QioqKioqKioqKioqJTdEJTIyJTBBJTdEJTBBZWxzZSUwQSU3QiUwQSUwOXByaW50JTIwJTIybmV2ZXIlMjBuZXZlciUyMG5ldmVyJTIwZ2l2ZSUyMHVwJTIwISEhJTIyJTNCJTBBJTdEJTBBJTBBJTBBJTNGJTNF-->
%22%3Bif(!%24_GET%5B'id'%5D)%0A%7B%0A%09header('Location%3A%20hello.php%3Fid%3D1')%3B%0A%09exit()%3B%0A%7D%0A%24id%3D%24_GET%5B'id'%5D%3B%0A%24a%3D%24_GET%5B'a'%5D%3B%0A%24b%3D%24_GET%5B'b'%5D%3B%0Aif(stripos(%24a%2C'.'))%0A%7B%0A%09echo%20'no%20no%20no%20no%20no%20no%20no'%3B%0A%09return%20%3B%0A%7D%0A%24data%20%3D%20%40file_get_contents(%24a%2C'r')%3B%0Aif(%24data%3D%3D%22bugku%20is%20a%20nice%20plateform!%22%20and%20%24id%3D%3D0%20and%20strlen(%24b)%3E5%20and%20eregi(%22111%22.substr(%24b%2C0%2C1)%2C%221114%22)%20and%20substr(%24b%2C0%2C1)!%3D4)%0A%7B%0A%09%24flag%20%3D%20%22flag%7B***********%7D%22%0A%7D%0Aelse%0A%7B%0A%09print%20%22never%20never%20never%20give%20up%20!!!%22%3B%0A%7D%0A%0A%0A%3F%3E
在进行一次url解码,得到一串PHP源码;
"if(!$_GET['id']) //如果无法通过get获得id变量
{
header('Location: hello.php?id=1');//跳转到hello.php文件设置id=1
exit(); //退出脚本。
}
$id=$_GET['id']; //通过get方式获得其他文件的id变量
$a=$_GET['a']; //通过get方式获得其他文件的a变量
$b=$_GET['b']; //通过get方式获得其他文件的b变量
if(stripos($a,'.')) //$a文件中不能有.
{
echo 'no no no no no no no';
return ;
}
$data = @file_get_contents($a,'r'); //将$a文件读入到data中
if($data=="bugku is a nice plateform!" and $id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4)
{
$flag = "flag{***********}"
}
else
{
print "never never never give up !!!";
}
?>
有源码可知:
$data=="bugku is a nice plateform!”
id==0与if(!GET( ′ id ′ )矛盾,所以用id=0e123456绕过,id为其他也可以。
用$a=php://input通过php伪协议去绕过file_get_contents
b的长度大于5,eregi(“111”.substr($b,0,1),“1114”)这个函数是b的正则匹配 ,
substr(b,0,1)!=4这个说明b开头不能为4,所以令$b=*123456
构造http://114.67.246.176:14346/?id=0e123456&a=php://input&b=*123456
访问该playload,用burp抓包,之后添加bugku is a nice plateform!,GO之后就得到了flag值。
遇到的问题
最后用Google HackBer试着提交post要传的参数,运行了几次都没有成功,还没找到原因。之后直接改用burp修改数据包,就得到了flag值,先放着,希望哪天大佬看到能给我解惑一下。
参考文章:
ChaoYue_miku