Buuctf-Web-[ACTF2020 Freshman Competition]Include: problem solution & summary of ideas

Start the target machine

Topics covered

  1. File inclusion vulnerability
  2. PHP pseudo-protocol

Problem solving process

Click "tips"

Step 1 - View the URL address and the page source code

Key concept: file inclusion vulnerability

From ?file=flag.php we can infer that there is a file inclusion vulnerability.
The analysis is as follows: the file to include is named in the URL, which means an attacker can pass arbitrary input to the include.

Press F12 to view the page source code; no flag is found there.
But the file name here is flag.php, so the flag is most likely in the source code of the flag.php file.
We can view the source code of flag.php through the PHP pseudo-protocol.

The suffix of PHP files is ".php" (PHP files can contain text, HTML, CSS and PHP code)

Step 2 - Construct the payload

Key concept: PHP pseudo-protocol

php://filter can obtain the source code of a specified file, so we use php://filter to construct the payload:
Format: php://filter/convert.base64-encode/resource=<file path>

Constructed payload:
?file=php://filter/convert.base64-encode/resource=flag.php

This payload reads the source code of the file flag.php and returns it base64-encoded.

So why is base64 encoding needed?
Because when a php://filter stream is passed to the file inclusion function, the content read through the stream is executed as PHP code. So we generally base64-encode it, which prevents it from being executed and lets us read the file's source code.
If the file is passed in without base64 encoding, flag.php is executed directly, and we cannot see the contents of the file.

The page now displays the base64-encoded content of the source file flag.php.

Base64 is a common encoding used to convert binary data into printable ASCII characters.

Step 3 - Base64 decode the obtained characters


The flag is obtained successfully:
flag{78f54384-213f-46f9-aba5-63fb4d3b4ab7}

Summary of ideas

Question type:

  1. File inclusion vulnerability

Steps to do the question:

  1. Find the file inclusion vulnerability by analyzing the URL address.
  2. Use php://filter to construct the payload (base64 encoding) and obtain the encoded content of the file source code.
  3. Perform base64 decoding to obtain the file source code.
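
Seen from the server side, the request built in Step 2 leaves a recognisable entry in the access log. The following Python script is an added example, not part of the original write-up: it flags query parameters whose decoded value starts with a PHP stream wrapper and, for php://filter, reports which file was read. The log lines are constructed and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qsl, unquote

# PHP stream wrappers that have no business in an include parameter.
WRAPPER_RE = re.compile(
    r"^(php|data|phar|zip|expect|glob|file|compress\.zlib)://(.*)$", re.I | re.S)
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (not taken from the challenge server).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:10:00:01 +0000] "GET /?file=flag.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:10:00:09 +0000] "GET /?file=php://filter/convert.base64-encode/resource=flag.php HTTP/1.1" 200 148',
    '203.0.113.7 - - [10/Oct/2023:10:00:15 +0000] "GET /?file=PHP%253A%252F%252Ffilter%252Fread%253Dconvert.base64-encode%252Fresource%253Dflag.php HTTP/1.1" 200 148',
    '198.51.100.4 - - [10/Oct/2023:10:01:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return (param, wrapper, target) tuples for wrapper use in one log line."""
    request = REQUEST_RE.search(line)
    if not request:
        return []
    findings = []
    query = request.group(1).partition("?")[2]
    for name, value in parse_qsl(query, keep_blank_values=True):
        match = WRAPPER_RE.match(fully_decode(value).strip())
        if not match:
            continue
        wrapper, rest = match.group(1).lower(), match.group(2)
        # For php://filter, the file being read is the resource= part.
        resource = re.search(r"resource=(.*)$", rest, re.I | re.S)
        target = resource.group(1) if wrapper == "php" and resource else None
        findings.append((name, wrapper, target))
    return findings

def scan(lines):
    """Map line index -> findings, only for lines with at least one finding."""
    return {i: f for i, line in enumerate(lines) if (f := inspect_line(line))}

if __name__ == "__main__":
    for index, found in scan(SAMPLE_LOG).items():
        print(index, found)
```

The wrapper scheme is matched case-insensitively and after repeated percent-decoding, so the double-encoded third line is reported the same way as the plain payload.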


Origin blog.csdn.net/m0_62239233/article/details/133808156