HCTF 2018 web file contains
Right-click and inspect the page element to find source.php; the file can also be found by directory scanning. It gives the source code:
```php
<?php
highlight_file(__FILE__);
class emmm
{
    public static function checkFile(&$page)
    {
        $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
        if (! isset($page) || !is_string($page)) {
            echo "you can't see it";
            return false;
        }

        if (in_array($page, $whitelist)) {
            return true;
        }

        $_page = mb_substr(
            $page,
            0,
            mb_strpos($page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }

        $_page = urldecode($page);
        $_page = mb_substr(
            $_page,
            0,
            mb_strpos($_page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }
        echo "you can't see it";
        return false;
    }
}

if (! empty($_REQUEST['file'])
    && is_string($_REQUEST['file'])
    && emmm::checkFile($_REQUEST['file'])
) {
    include $_REQUEST['file'];
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
```
The source also mentions hint.php. Visiting it returns:
flag not here, and flag in ffffllllaaaagggg
Once we know where the flag is, it is clear that this is a file inclusion challenge. Let's start analyzing the code.
Functions that appear in the code:
isset(): detects whether a variable is set and is not NULL.
is_string(): detects whether a variable is a string.
in_array(): searches an array for a value and returns true if it is found:
```php
<?php
$people = ["Peter", "Mark", "Joe"]; // sample array added so the snippet runs
if (in_array("Mark", $people))
{
    echo "match found";
}
else
{
    echo "match not found";
}
?>
```
mb_substr(): returns part of a string. We learned substr() before; it works on bytes, so it is only safe for single-byte (English) characters. To split multibyte text such as Chinese you need mb_substr().
**Note:** if the start parameter is negative and length is less than or equal to start, the length becomes 0.
```php
<?php
echo mb_substr("rookie tutorial", 0, 2); // takes 2 characters starting at position 0: "ro"
?>
```
mb_strpos(): finds the position of the first occurrence of a string inside another string.
empty(): checks whether a variable is empty.
empty() determines whether a variable is considered empty. A variable that does not exist, or whose value is equal to FALSE, is treated as empty. empty() does not generate a warning if the variable does not exist.
Program analysis:
1.
```php
if (! isset($page) || !is_string($page)) {
    echo "you can't see it";
    return false;
}
```
This if statement checks the variable and requires $page to be a string; otherwise it returns false.
2.
```php
if (in_array($page, $whitelist)) {
    return true;
}
```
This if statement checks whether $page is an entry of the $whitelist array; if it is, it returns true.
3.
```php
$_page = mb_substr(                      // returns part of the string
    $page,
    0,
    mb_strpos($page . '?', '?')          // position of the first '?' in the string
);
if (in_array($_page, $whitelist)) {
    return true;
}
```
This if statement cuts $page at the first '?' and checks whether the part before it is in $whitelist; if that prefix exists, it returns true.
4.
```php
$_page = urldecode($page);
$_page = mb_substr(
    $_page,
    0,
    mb_strpos($_page . '?', '?')
);
if (in_array($_page, $whitelist)) {
    return true;
}
echo "you can't see it";
return false;
```
This if statement URL-decodes $page first, then cuts it at the first '?' and checks the prefix against $whitelist; if it exists, it returns true.
Finally:
```php
if (! empty($_REQUEST['file'])
    && is_string($_REQUEST['file'])
    && emmm::checkFile($_REQUEST['file'])
) {
    include $_REQUEST['file'];
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
```
If checkFile() returns true, the full, unmodified $_REQUEST['file'] is passed to include and the script exits; otherwise only the image is shown. Note that checkFile() validated only a prefix, while include receives the whole value.
If none of the four if statements above returns true, checkFile() returns false. Three of the if statements can return true. The second requires $page to equal a whitelist entry exactly, so it cannot be used to reach another file.
The third statement keeps the part before '?', but the part after '?' is parsed as parameters submitted by GET, so it cannot be used either.
In the fourth if statement, the value is URL-decoded first and then cut at '?'. So we URL-encode '?' twice: it is decoded once when the server extracts the parameter, and once more by urldecode() in checkFile(), so it still ends up as '?' and the fourth if statement passes ('?' encoded twice is %253f). Construct the URL:
?file=source.php%253f../ffffllllaaaagggg returned nothing when tested. This is probably because we don't know which directory ffffllllaaaagggg is stored in, so we keep adding ../ and finally get the flag successfully.
In actual testing, it also succeeds without the URL-encoding trick:
http://111.200.241.244:60272/?file=source.php?../.../.../.../.../ffffllllaaaagggg
http://111.200.241.244:60272/?file=hint.php?../.../.../.../.../ffffllllaaaagggg
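To make the root cause concrete, here is an added example (my own code, not part of the original writeup or the challenge) that runs the challenge's checkFile() logic side by side with a hardened version over a few constructed inputs, including the payloads used above. The hardened function is one reasonable fix I am assuming here, not the challenge's intended one: it compares the whole request value strictly against the whitelist, so the string that is checked is exactly the string that would later be included. The inputs marked "server-decoded" are what $_REQUEST['file'] holds after PHP has decoded the query string once, which is why a raw %253f arrives as %3f.

```php
<?php
// Added example, not from the original writeup: the challenge's check next to a
// hardened check, evaluated over constructed sample inputs.

// Logic copied from source.php above, minus the echo calls. Any of the
// prefix-based checks returning true is enough, yet the caller includes the
// FULL $page, not the trimmed $_page that was actually compared.
function checkFileOriginal(&$page) {
    $whitelist = ["source" => "source.php", "hint" => "hint.php"];
    if (!isset($page) || !is_string($page)) { return false; }
    if (in_array($page, $whitelist)) { return true; }
    $_page = mb_substr($page, 0, mb_strpos($page . '?', '?'));
    if (in_array($_page, $whitelist)) { return true; }
    $_page = urldecode($page);
    $_page = mb_substr($_page, 0, mb_strpos($_page . '?', '?'));
    if (in_array($_page, $whitelist)) { return true; }
    return false;
}

// Hardened version (assumption: one reasonable fix). No prefix trimming and no
// extra decoding: the untouched value must be exactly one of the allowed file
// names, compared strictly (third argument true) so no type juggling applies.
// Because nothing is transformed, the value that passes is the value included.
function checkFileHardened($page) {
    $whitelist = ["source" => "source.php", "hint" => "hint.php"];
    return is_string($page) && in_array($page, $whitelist, true);
}

// Constructed sample inputs.
$samples = [
    "source.php",                            // legitimate request
    "hint.php?x=1",                          // only the part before '?' is compared
    "source.php?../../ffffllllaaaagggg",     // payload from the writeup (3rd check)
    "source.php%3f../../ffffllllaaaagggg",   // server-decoded form of %253f (4th check)
    "../../ffffllllaaaagggg",                // no whitelisted prefix at all
];

foreach ($samples as $s) {
    printf("%-40s original=%-5s hardened=%s\n",
        $s,
        checkFileOriginal($s) ? "true" : "false",
        checkFileHardened($s) ? "true" : "false");
}
```

Run it with `php` from the command line. The original check accepts the first four inputs, because after trimming at '?' (and, for the fourth, after an extra urldecode()) the remaining prefix matches the whitelist; the hardened check accepts only the first. The general lesson is that a validator must operate on the same bytes that the sensitive sink (here include) receives: any trimming, decoding or normalisation done only inside the check creates a gap between what was validated and what is used.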
Big guys, please bear with me. I'll work harder; I'm a new Xiaobai.