[Zer0pts2020]Can you guess it? 题解

最后更新时间:2024年05月25日

点击Source得到源码,进行代码审计

<?php
include 'config.php'; // FLAG is defined in config.php

if (preg_match('/config\.php\/*$/i', $_SERVER['PHP_SELF'])) {
  exit("I don't know what you are thinking, but I won't let you read it :)");
}

if (isset($_GET['source'])) {
  highlight_file(basename($_SERVER['PHP_SELF']));
  exit();
}

$secret = bin2hex(random_bytes(64));
if (isset($_POST['guess'])) {
  $guess = (string) $_POST['guess'];
  if (hash_equals($secret, $guess)) {
    $message = 'Congratulations! The flag is: ' . FLAG;
  } else {
    $message = 'Wrong.';
  }
}
?>
<!doctype html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <title>Can you guess it?</title>
  </head>
  <body>
    <h1>Can you guess it?</h1>
    <p>If your guess is correct, I'll give you the flag.</p>
    <p><a href="?source">Source</a></p>
    <hr>
<?php if (isset($message)) { ?>
    <p><?= $message ?></p>
<?php } ?>
    <form action="index.php" method="POST">
      <input type="text" name="guess">
      <input type="submit">
    </form>
  </body>
</html>

随机数部分不存在漏洞,查看highlight_file部分,利用$_SERVER['PHP_SELF']获取从服务器根目录到当前正在执行的脚本的路径信息,并且包括脚本名;然后使用正则筛除结尾为config.php的路径;最后使用basename获取路径的最后部分,高亮显示

查询资料得知,basename函数会删除文件开头的非ASCII码字符,我们可以构造路径使得$_SERVER['PHP_SELF']的结尾为非ASCII码字符,绕过正则匹配,在接下来的basename中该结尾会被删除,使得config.php成为新的结尾,从而被打开

payload
http://6662f3ed-b9e2-4d5b-92d3-53f7c4fe39f4.node5.buuoj.cn:81/index.php/config.php/%ff?source=123

这里要通过index.php来访问config.php,直接访问config.php是不可行的,因为只有在index.php中才可以显示config的源码,从而getflag

声明:大K|版权所有,违者必究|如未注明,均为原创|本网站采用BY-NC-SA协议进行授权

转载:转载请注明原文链接 - [Zer0pts2020]Can you guess it? 题解

I'm scared this is all i will ever be...I feel trapped in my own life...I think i've figured it out but in reality i'm as lost as ever...I wish i could choose the memories that stay...please,stay.