Opening the challenge gives no clues on the page itself, but the page source contains a hint pointing to source.php.
Visiting it returns the source:
<?php
highlight_file(__FILE__);
class emmm
{
    public static function checkFile(&$page)
    {
        $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
        if (! isset($page) || !is_string($page)) {
            echo "you can't see it";
            return false;
        }
        if (in_array($page, $whitelist)) {
            return true;
        }
        $_page = mb_substr(
            $page,
            0,
            mb_strpos($page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }
        $_page = urldecode($page);
        $_page = mb_substr(
            $_page,
            0,
            mb_strpos($_page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }
        echo "you can't see it";
        return false;
    }
}
if (! empty($_REQUEST['file'])
    && is_string($_REQUEST['file'])
    && emmm::checkFile($_REQUEST['file'])
) {
    include $_REQUEST['file'];
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
The code mentions hint.php, so try visiting it:
flag not here, and flag in ffffllllaaaagggg
Back in source.php, we can see that we pass one parameter, and if the following condition holds
! empty($_REQUEST['file'])
&& is_string($_REQUEST['file'])
&& emmm::checkFile($_REQUEST['file'])
then
include $_REQUEST['file'];
Clearly file=source.php? is enough to make emmm::checkFile($_REQUEST['file']) return true (the second check truncates $page at the first '?' before comparing it against the whitelist),
but the file we want to include is certainly not named source.php, so try directory traversal, i.e.
file=source.php?/../flag
Following the hint from hint.php, it should be
file=source.php?/../ffffllllaaaagggg
However, we still need to know where the ffffllllaaaagggg file is located; alternatively, brute-forcing the path can also yield the flag.
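As an added example that is not part of the original writeup, here is a hardened version of the check. The root cause above is that checkFile() validates only the prefix before '?' (and a urldecoded copy), while include() receives the full raw request value. Resolving the request value as a whitelist key, and including only the mapped filename, closes that gap; the class name emmm_fixed and the method resolve() are assumed names, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example, not the challenge's own code. The original checkFile()
// accepts any value whose prefix before '?' is whitelisted, yet include()
// receives the full raw string, so "source.php?/../x" is both accepted and
// included. The fix: treat the request value as a key, never as a path.
class emmm_fixed   // assumed name, not from the challenge
{
    // Same whitelist as the challenge; keys are what the client may send.
    private const WHITELIST = ["source" => "source.php", "hint" => "hint.php"];

    // Returns the whitelisted filename for an exact key match, or null.
    public static function resolve($page): ?string
    {
        if (!is_string($page) || $page === '') {
            return null;
        }
        // Exact key lookup only: no substring before '?', no urldecode()
        // second pass, so there is nothing left for "?" or "../" to exploit.
        return self::WHITELIST[$page] ?? null;
    }
}

$target = emmm_fixed::resolve($_REQUEST['file'] ?? null);
if ($target === null) {
    echo "you can't see it";
    exit;
}
// Only a server-chosen filename reaches include(); the request value does not.
include __DIR__ . '/' . $target;
```

With this version a request such as file=source.php?/../ffffllllaaaagggg is rejected outright, and the only files that can ever be included are the two whitelist values.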