[BSidesCF 2020] Had a bad day1
2022-08-08 06:37:00 【Joker..】
Knowledge point: nesting of pseudo-protocols

The page offers two pictures to click. Note that clicking a picture passes a variable in the URL.
I tried template injection and found that it was not that, then tried directly constructing a one-sentence Trojan (a one-line webshell) and found that this was not enough. But when you open a picture and add a letter after the incoming variable, you will find that php is automatically appended.

Try reading index.php through a pseudo-protocol. The php extension does not need to be included, because it is added automatically.

Decode the base64 to get the PHP code.
The code shows that the variable must contain one of the three. This is where nesting inside the pseudo-protocol is needed.
payload: /index.php?category=php://filter/read=convert.base64-encode/index/resource=flag
Or put it earlier in the filter chain:
/index.php?category=php://filter/read=index/convert.base64-encode/resource=flag

Decode to get
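
The check the write-up describes (the variable only has to contain an allowed word) next to an exact-match allowlist, as an added example that is not the challenge's code or part of the original post. The constant and function names, the page names other than `index`, the `pages/` directory and the `.php` suffix in the comment are assumptions.

```php
<?php
// Added illustration; not the challenge source. Names other than 'index' are assumptions.

// Hypothetical allowlist: public name => file on disk, fixed at deploy time.
const PAGE_MAP = [
    'index' => 'pages/index.php',
    'cats'  => 'pages/cats.php',   // constructed name
    'dogs'  => 'pages/dogs.php',   // constructed name
];

// Weak check, as the write-up describes it: the value only has to CONTAIN
// an allowed word, and the caller then includes $category . '.php'.
function weak_check(string $category): bool
{
    foreach (array_keys(PAGE_MAP) as $word) {
        if (strpos($category, $word) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened: the value must EQUAL an allowed name. The included path comes
// from the map, so no request data (scheme, filter, '../') reaches include.
function resolve_page(string $category): ?string
{
    $map = PAGE_MAP;
    return $map[$category] ?? null;
}

// Constructed inputs; the second is the payload value quoted in the write-up.
$samples = [
    'index',
    'php://filter/read=convert.base64-encode/index/resource=flag',
    '../index',
    'flag',
];

foreach ($samples as $s) {
    printf(
        "%-62s weak=%-6s hardened=%s\n",
        $s,
        weak_check($s) ? 'pass' : 'reject',
        resolve_page($s) ?? 'reject'
    );
}
```

The weak check passes the write-up's payload because `index` appears inside the `php://filter` URL; the exact-match lookup rejects it along with `../index`.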
