[Geek Challenge 2019] Secret File & common file inclusion pseudo-protocols and techniques
2022-07-28 21:43:00 【Try to be a big man M0_ sixty-eight million seventy-four thousa】
1. Open the page and view its source
The source contains a hint pointing to the file Archive_room.php; open it.
Click through to check.
Looking back at the source of Archive_room.php, the link URL is action.php, but following it redirects to end.php. Capture the request and replay it; inspecting the corresponding packets reveals secr3t.php.
View its source code.
2. File inclusion
Code audit: the script includes a file and filters some specific strings, but php is not filtered. First include flag.php directly and see what happens.
The file exists. Use the classic technique for viewing source code: php://filter/read=convert.base64-encode/resource=flag.php
Base64-decode the output
to find the flag.
Common file inclusion protocols (techniques)
I. Protocols:
1. php://filter: read file source code
php://filter can apply filters to an opened data stream and is commonly used to read file source code. When a file is included with a file include function, the code in the file is executed. To read the source code instead, base64-encode the file contents: the encoded content is not executed and is shown in the page. Base64-decoding the content shown in the page gives the source code of the file.
2. php://input: arbitrary code execution
php://input gives access to the raw data of the request. Combined with a file inclusion vulnerability, the content of the POST request body is executed as the content of the file, which results in arbitrary code execution. Note that php://input does not work when enctype=multipart/form-data.
3. data://text/plain: arbitrary code execution
Format: data:resource type;encoding,content
The data:// protocol specifies a resource type and makes the content that follows execute as file content, which results in arbitrary code execution.
4. zip://: combined with file upload to plant a backdoor
zip:// reads files inside a compressed archive and can be combined with file upload to plant a backdoor and obtain a webshell: compress shell.txt into a zip, change the extension to jpg and upload it to the server, then use the zip pseudo-protocol to access the file inside the archive and connect to the trojan.
II. Techniques:
?page=php://filter/read=string.rot13/resource=index.php
?page=php://filter/convert.base64-encode/resource=index.php
?page=pHp://FilTer/convert.base64-encode/resource=index.php
?page=zip://shell.jpg%23payload.php
?page=data://text/plain;base64,[base64_encode_shell]
?page=expect://id
?page=expect://ls
?page=php://input | POST DATA:
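A defender's view of the list above, as an added example that is not part of the original post: a Python check that flags query parameters whose decoded value starts with one of these wrapper schemes, regardless of letter case or percent-encoding. The request lines are constructed samples, and the names find_wrapper_params and normalize are hypothetical.

```python
import re
from urllib.parse import unquote, urlsplit

# Wrapper schemes from the list above; for php:// the stream name is captured too.
SCHEME_RE = re.compile(r"^\s*(php|data|zip|expect):(?://)?([\w.-]*)", re.IGNORECASE)


def normalize(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), so that
    values logged in encoded form are compared in their decoded form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_wrapper_params(request_target):
    """Return [(param, label)] for query values that begin with a wrapper scheme."""
    hits = []
    query = urlsplit(request_target).query
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        match = SCHEME_RE.match(normalize(raw))
        if not match:
            continue
        scheme = match.group(1).lower()
        # php:// covers several streams (filter, input), so keep the stream name.
        stream = match.group(2).lower() if scheme == "php" else ""
        hits.append((name, scheme + "://" + stream))
    return hits


# Constructed request targets: one benign, the rest reuse forms listed above.
SAMPLE_REQUESTS = [
    "/index.php?page=about.php",
    "/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php",
    "/index.php?page=zip://shell.jpg%23payload.php",
    "/index.php?id=7&page=php%3A%2F%2Finput",
    "/index.php?page=expect://id",
]

if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        print(target, "->", find_wrapper_params(target) or "clean")
```

Detection of this kind complements, and does not replace, mapping the include parameter to a fixed allowlist of files on the server side.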