Approach
Construct a POC using the parameter and the php:// pseudo-protocol:
?filename=php://filter/read=convert.base64-encode/resource=check.php
The principle behind this POC is not described in detail here; refer to the earlier post: php pseudo-protocol + convert conversion filter practice.
This request fails, so the keywords are evidently being filtered; switch to a convert.* filter instead (see the link above for details).
Construct the POC as follows:
?filename=php://filter/convert.iconv.UTF-8.UTF-16/resource=check.php
The echo is as follows:
This indicates that we are using the correct filter, but with the wrong arguments.
So we can brute-force the two charset names against each other using converter wordlists in Burp Intruder:
After marking the payload positions, set the attack type to Cluster bomb, then configure the payloads:
Add a wordlist to payload set 1 and payload set 2 respectively.
Start the brute force; the combination ASCII and UCS-4 produced output:
The output is the filtering logic, i.e. the source of check.php.
The name check.php matches that code, so the flag is presumably in flag.php.
Construct a POC with these two filters:
?filename=php://filter/convert.iconv.ASCII*.UCS-4*/resource=flag.php
Get the flag:
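As an added illustration (not code from the challenge or from this write-up; the real contents of check.php are not shown on the page), here is the kind of keyword blocklist that the filter-switching and charset brute-force steps above get around, next to an allowlist that keeps php:// wrappers out of include() entirely. The blocklist contents, the page names and the pages/ directory are assumptions.

```php
<?php
// Added illustration, not the challenge's check.php. Assumed: the challenge
// rejected a keyword such as "base64" in $filename and then passed the value
// to include(), so any other php://filter chain (convert.iconv.* and friends)
// still reached include() and returned the file's source.

// Weak form: a blocklist on substrings of the user-controlled value.
function weak_include(string $filename): void
{
    $banned = ['base64'];                    // assumed blocklist
    foreach ($banned as $word) {
        if (stripos($filename, $word) !== false) {
            http_response_code(403);
            exit('forbidden');
        }
    }
    // php://filter is a local wrapper: allow_url_include=Off does not stop it,
    // so everything not in $banned is still accepted here.
    include $filename;
}

// Hardened form: an allowlist of known page names, resolved inside a fixed
// directory. User input never becomes a wrapper, a scheme or a path.
function safe_include(string $page): void
{
    $allowed = ['home', 'about', 'check'];   // assumed page names
    if (!in_array($page, $allowed, true)) {
        http_response_code(404);
        exit('no such page');
    }
    // Defence in depth: confirm the resolved file really sits under pages/.
    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . $page . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        exit('no such page');
    }
    include $path;
}

safe_include($_GET['page'] ?? 'home');
```

With the allowlist in place the payloads shown above return a 404, because the value php://filter/... is never compared against a blocklist but simply is not one of the known page names.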
Summary
The above is a detailed write-up of the [CTF/Network Security] Attack & Defense World file challenge (Taishan Cup), covering knowledge points such as php pseudo-protocols, Burp brute-forcing, and convert conversion filters. Readers can practise it themselves.
I am Qiu said, see you next time.