ShallowRiver

PHP local file inclusion, PHP pseudo-protocols (stream wrappers)

2019/05/21

Bugku-welcome to bugkuctf

Looking at the source code, this challenge involves two pseudo-protocols.
First, the source code is as follows:
<?php
$user = $_GET["txt"];
$file = $_GET["file"];
$pass = $_GET["password"];

// file_get_contents() opens $user as a stream: a plain path or any
// registered wrapper. The 'r' argument is simply treated as a truthy
// use_include_path flag here.
if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){
    echo "hello admin!<br>";
    include($file); //hint.php
}else{
    echo "you are not admin ! ";
}

We can see that we need to pass in a parameter txt; the server then checks whether the content we pass via txt equals "welcome to the bugkuctf".
file_get_contents() accepts not only a filename but also a PHP pseudo-protocol. If php://input is passed in, the function recognises it as a pseudo-protocol, and the data we send in the POST body becomes the content of that pseudo-protocol "file", so we can supply "welcome to the bugkuctf" that way.

The index.php code is as follows:

<?php
$txt = $_GET["txt"];
$file = $_GET["file"];
$password = $_GET["password"];

// Same stream-based check as before: $txt is opened as a file or wrapper.
if(isset($txt)&&(file_get_contents($txt,'r')==="welcome to the bugkuctf")){
    echo "hello friend!<br>";
    // Only the literal substring "flag" is blocked in $file; wrappers,
    // traversal and other filenames are not.
    if(preg_match("/flag/",$file)){
        echo "不能现在就给你flag哦";
        exit();
    }else{
        include($file);
        // User-controlled unserialize(); echo casts the result to string,
        // which invokes __toString() on any object that defines it.
        $password = unserialize($password);
        echo $password;
    }
}else{
    echo "you are not the number of bugku ! ";
}
?>

The hint.php code is as follows:

<?php

class Flag{//flag.php
    public $file;
    // PHP method names are case-insensitive, so this is __toString().
    // It is triggered when a Flag object is echoed.
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
            return ("good");
        }
    }
}
?>
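For comparison, here is a hardened rewrite of the challenge's index.php. This is an added example, not code from Bugku or from the original post; the ALLOWED_INCLUDES constant and the key-based file lookup are my own assumptions about how the page should be structured. It removes each of the three weaknesses shown above: the stream-based token check, the unrestricted include($file), and unserialize() on user input with the Flag class loaded.

```php
<?php
// Hardened version of the challenge's index.php (added example; the
// ALLOWED_INCLUDES map and its keys are assumptions, not from the page).

// Files that may be included, keyed by a short name. The user never
// supplies a path, so php://filter, php://input, ../ and remote URLs
// cannot reach include() at all.
const ALLOWED_INCLUDES = [
    'hint' => __DIR__ . '/hint.php',
];

$txt      = $_GET['txt']      ?? '';
$file     = $_GET['file']     ?? '';
$password = $_GET['password'] ?? '';

// The original compared file_get_contents($txt) with a constant, which is
// why php://input (POST body) could satisfy it. Compare the parameter
// itself, in constant time, and never open a user-controlled string.
if (!hash_equals('welcome to the bugkuctf', $txt)) {
    echo "you are not the number of bugku ! ";
    exit();
}
echo "hello friend!<br>";

// The original only blocked the substring "flag". An allowlist lookup
// rejects everything that is not an explicitly known page.
if (!isset(ALLOWED_INCLUDES[$file])) {
    http_response_code(400);
    exit('unknown page');
}
include ALLOWED_INCLUDES[$file];

// unserialize() on user input instantiated class Flag and echo then ran its
// __toString(). With allowed_classes disabled, any object in the payload
// becomes __PHP_Incomplete_Class and no magic method runs; additionally
// accept only plain strings, and escape the output.
$data = unserialize($password, ['allowed_classes' => false]);
if (!is_string($data)) {
    exit('only plain strings are accepted');
}
echo htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
```

If the application does not genuinely need PHP's serialization format, replacing unserialize() with json_decode() removes the object-instantiation surface entirely.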
