当前位置:网站首页>[actf2020 freshman competition]

[actf2020 freshman competition]

2022-04-23 00:55:00 -There are stars in your eyes-

There are links open tips, Click in again and find a sentence 

Can you find out the flag?

And a parameter passed in later is file=flag.php

http://39f0e8ed-769a-4b4b-84d3-52367874da03.node4.buuoj.cn:81/?file=flag.php

And the title is include, So this must be a problem that the file contains vulnerabilities

Next, let's learn about pseudo protocol

php:// Access individual inputs / Output stream (I/O streams), stay CTF Often used in php://filter and php://input,php://filter be used for Read the source code ,php://input be used for perform php Code .

Here are the functions of common pseudo protocols

agreement effect
php://input Read only stream that can access the requested raw data , stay POST Access in request POST Of data part , stay enctype="multipart/form-data" When php://input It's invalid .
php://output Write only data streams , Allow to use print and echo Write to the output buffer in the same way .
php://fd (>=5.3.6) Allows direct access to the specified file descriptor . for example php://fd/3 Referenced file descriptor 3.
php://memory php://temp (>=5.1.0) A data stream similar to a file wrapper , Allow reading and writing temporary data . The only difference between the two is php://memory Always store data in memory , and php://temp After the amount of memory reaches the predefined limit ( The default is 2MB) Save in temporary file . Decision and of temporary file location sys_get_temp_dir() In the same way .
php://filter (>=5.0.0) A meta wrapper , Designed for filtering applications when data flow is open . For all-in-one (all-in-one) The file function of is very useful , similar readfile()file() and file_get_contents(), There is no chance to apply other filters before the data stream content is read .

php://filter Parameters,

The parameters of the protocol will be passed on the protocol path , Multiple parameters can be passed in one path . Specific reference is as follows :

php://filter Parameters describe
resource=< Data stream to filter > Must be . It specifies the data stream you want to filter .
read=< Read chain filter > optional . You can set one or more filter names , With a pipe (*\ *) Separate .
write=< Write chain filter > optional . You can set one or more filter names , With a pipe (\ ) Separate .
<; Two chain filters > Anything that doesn't read= or write= Prefixed filter lists are applied to read or write chains as appropriate .

  For more information or other pseudo protocols, please refer to PHP Pseudo protocol summary - SegmentFault Think no

structure payload

?file=php://filter/read=convert.base64-encode/resource=flag.php

  Got base64 String re decode You'll get flag

<?php
echo "Can you find out the flag?";
//flag{e3d42595-f7bc-4a09-a43c-c7a7eb6aa3e3}

版权声明
本文为[-There are stars in your eyes-]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/04/202204230052114425.html

边栏推荐

猜你喜欢

随机推荐