The CTF introduction of PHP file contains

One.php pseudo-protocol execution code

byAs can be seen from the figure, the include function can be triggered only by sending the url variable through the get request. The initial idea was to directly use the file name of the flag, such as flag.php, etc., and then all failed. Then I thought of the file inclusion vulnerability and exploited phpPseudo agreement.

https://blog.csdn.net/yao_xin_de_yuan/article/details/108326427 php pseudoProtocol introduction

There are two methods here:
1.url=data://text/plain, Find directory by wildcardAll files under

Two files were found, ctf_go_go_goThe file is flag

2. Construct url=data:text/plain,")?> Then use a kitchen knife or ant sword to connect.

The connection is successful, just open the relevant file.

2. Log injection

Title and aboveThe same, but using the php pseudo protocol is to find an error, so it should filter php, and then log injection can be performed.The server can ask nginx, so its log directories are /var/log/nginx/access.log and /var/log/nginx/error.log

Therefore construct url=/var/log/nginx/access.log

It is found that the log will record the request method and user-agent. Because the request method cannot be changed, we can insert the php code at the user-agent, and use bp to change the user-agent field to After sending, it is found that the ua in the log file is empty, this is because the php code will run directly and will not be displayed.Then we can use a kitchen knife or ant sword to connect, but pay attention to the url

After entering, just flip through to find the flag.

3.php pseudo-protocol read file

The title url is as shown, because there is no clearPrompt, so you can use the php pseudo-protocol to read the content of the file and take a look

Construct url: ?file=php://filter/read=convert.base64-encode/resource=flag.php

You can see that the file content is encoded by base64, we decode itClick to get the flag