
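First I looked at the site: it has Home and About pages, but neither contains anything useful. Enumeration did not turn up .git, robots.txt or anything similar either.
So the only thing left was the zip file provided by BUUCTF, which contains the source code.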
//about.php
<?php
echo "
<h1>I'm Alice.</h1>
<h2>A beginner in web development.</h2>
";
//home.php
<?php
echo "
<div class='jumbotron'>
<h1>Here is Alice's Website!</h1>
<p>Because it has not been developed yet, there are only a few functions.</p>
<p><a class='btn btn-primary btn-lg' href='index.php?action=about.php' role='button'>About Me</a></p>
</div>
";
//index.php
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="utf-8">
<title>Wecome to Alice's Website!</title>
<link href="./bootstrap/css/bootstrap.min.css" rel="stylesheet">
</head>
<body>
<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
<span class="sr-only">Alice's Website</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="index.php?action=home.php">Alice's Website</a>
</div>
<div id="navbar" class="collapse navbar-collapse">
<ul class="nav navbar-nav">
<li class="active"><a href="index.php?action=home.php">Home</a></li>
<li><a href="index.php?action=about.php">About</a></li>
</ul>
</div>
</div>
</nav>
<div class="container" style="padding-top: 5%">
<?php
$action = (isset($_GET['action']) ? $_GET['action'] : 'home.php');
if (file_exists($action)) {
include $action;
} else {
echo "File not found!";
}
?>
</div>
</body>
</html>
Only index.php contains any core logic:
<?php
$action = (isset($_GET['action']) ? $_GET['action'] : 'home.php');
if (file_exists($action)) {
include $action;
} else {
echo "File not found!";
}
?>
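So the challenge is clearly about file inclusion through this include statement.
The path to include is taken from the action parameter in index.php?action=, and the only check is file_exists().
We can simply read the flag directly: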
/index.php?action=/flag
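
The root cause is that the request's action value reaches include unchanged, and file_exists() accepts any existing path, /flag included. A hardened replacement for that block, as an added example that is not part of the challenge source; the PAGES list and resolve_page() are names assumed here, and it assumes home.php and about.php are the only legitimate pages:

```php
<?php
// Added example, not the challenge's code. Assumption: home.php and about.php
// (next to this script) are the only pages that should ever be included.
const PAGES = ['home.php', 'about.php'];

// Map the request parameter to a fixed path, or null when it is not allowlisted.
function resolve_page($action): ?string
{
    // ?action[]=x arrives as an array; only exact string matches are accepted.
    if (!is_string($action)) {
        return null;
    }
    $index = array_search($action, PAGES, true);
    if ($index === false) {
        return null;
    }
    // The path is built from the constant list entry, not from request bytes.
    return __DIR__ . DIRECTORY_SEPARATOR . PAGES[$index];
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: the two real pages, the path from the writeup, an array.
    foreach (['home.php', 'about.php', '/flag', ['home.php']] as $input) {
        $shown = is_array($input) ? 'array' : $input;
        echo str_pad($shown, 12), resolve_page($input) === null ? "rejected\n" : "allowed\n";
    }
} else {
    // Drop-in for the vulnerable block in index.php.
    $page = resolve_page($_GET['action'] ?? 'home.php');
    if ($page !== null && is_file($page)) {
        include $page;
    } else {
        echo "File not found!";
    }
}
```

Run from the command line, it prints the decision for each constructed input; served by the web server, it behaves like the original page for home.php and about.php and answers "File not found!" for everything else.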




