Bugku-welcome to bugkuctf
查看源代码,本体牵扯到两个伪协议
首先查看源代码如下:
<?php
$user = $_GET[“txt”];
$file = $_GET[“file”];
$pass = $_GET[“password”];
if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){
echo "hello admin!<br>";
include($file); //hint.php
}else{
echo "you are not admin ! ";
}
可以看到我们需要传入一个参数txt,然后服务器判断我们传的txt内容是否等于”welcome to the bugkuctf”
file_get_contents()函数不仅可以放文件名,还可以放php的伪协议,如果把php://input放进去的话,这个函数就会发现是一个伪协议,我们可以使用post传递的数据对这个伪协议文件写入welcom to the bugkuctf
index.php代码如下:1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19<?php
$txt = $_GET["txt"];
$file = $_GET["file"];
$password = $_GET["password"];
if(isset($txt)&&(file_get_contents($txt,'r')==="welcome to the bugkuctf")){
echo "hello friend!<br>";
if(preg_match("/flag/",$file)){
echo "不能现在就给你flag哦";
exit();
}else{
include($file);
$password = unserialize($password);
echo $password;
}
}else{
echo "you are not the number of bugku ! ";
}
?>
hint.php代码如下:1
2
3
4
5
6
7
8
9
10
11
12
13<?php
class Flag{//flag.php
public $file;
public function __tostring(){
if(isset($this->file)){
echo file_get_contents($this->file);
echo "<br>";
return ("good");
}
}
}
?>