i春秋 "Baidu Cup" CTF competition, September round, challenge "123"

First, view the page source. A comment hints that the user information is in user.php, but visiting user.php directly returns nothing useful and gives no further clue. A writeup gave the hint: the keywords are "file read vulnerability" and "backup file".

So I tried user.php.bak, which returned the list of usernames. According to the hint in the comment section of login.php, each user's password is the username followed by the year of birth.

This obviously calls for brute forcing: use the username list from user.php.bak as the payload set. Specifically, in Burp Suite Intruder, the usernames and passwords derived from user.php.bak are loaded as payloads. After logging in, check the page source:

[screenshot]

Modify the page directly with the Firefox developer tools:

[screenshot]

Write a one-line PHP webshell (一句话木马), upload it, and capture the request:

[screenshot]

Uploading it as-is is blocked by a filter, so try the alternative suffixes:

php2, php3, php4, php5, phps, pht, phtm, phtml

Both the file name and the file content are filtered. After various attempts, I got the following page:

[screenshot]
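The suffix list above is exactly why a denylist of "dangerous" extensions is the wrong model for an upload filter: every variant the server happens to execute must be enumerated, and one omission is enough. The following is an added example, not code from the challenge or the original post, that contrasts a denylist check with an allowlist check over the suffixes listed above. The `IMAGE_EXTENSIONS` set and the test file names are assumptions constructed for the example.

```python
import os
import re

# Alternative PHP suffixes from the post (constructed test set; which of these a given
# server actually executes depends on its handler configuration).
ALT_PHP_SUFFIXES = ["php2", "php3", "php4", "php5", "phps", "pht", "phtm", "phtml"]

# Weak check: a denylist that only knows the obvious suffix. Anything it has not
# heard of passes, including every entry of ALT_PHP_SUFFIXES.
def denylist_allows(filename: str) -> bool:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in {"php"}

# Hardened check: an allowlist of the only extensions the feature needs (assumed
# here to be images). Everything else is rejected, so new executable suffixes
# never need to be discovered and added one by one.
IMAGE_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

def allowlist_allows(filename: str) -> bool:
    base = os.path.basename(filename)          # drop any client-supplied directory part
    if base.count(".") != 1:                   # exactly one extension; no "a.php.png" tricks
        return False
    stem, ext = base.split(".")
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return False                           # conservative character set for the name
    return ext.lower() in IMAGE_EXTENSIONS

def suffixes_missed_by_denylist() -> list:
    """Suffixes from the post that the denylist accepts but the allowlist rejects."""
    return [s for s in ALT_PHP_SUFFIXES
            if denylist_allows(f"shell.{s}") and not allowlist_allows(f"shell.{s}")]

if __name__ == "__main__":
    for name in ["avatar.png", "shell.php", "shell.phtml", "shell.php.png"]:
        print(f"{name:16} denylist={denylist_allows(name)!s:5} allowlist={allowlist_allows(name)}")
    print("missed by denylist:", suffixes_missed_by_denylist())
```

The extension check only covers the file name. The post also mentions content filtering; on the server side that means checking the stored bytes against the expected format (for images, the magic bytes) and, more importantly, storing uploads under a server-generated name in a directory the web server will never execute scripts from.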



view.php?file=flag.php returns nothing: the string "flag" is filtered.

Because earlier challenges stored the flag in flag.php, I spent a long time on flaflagg.php; in the end, removing the .php suffix gave the flag. This is just a simple string filter bypass: the filter deletes "flag" once, so flaflagg collapses to flag. If the filter had replaced "flag" with _ instead of deleting it, it would not have been this easy.

[screenshot]
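The filter described above fails because a single deletion pass can reassemble the banned word out of its own leftovers. The block below is an added example, not code from the challenge or the original post: it reproduces the single-pass deletion and the `_` replacement the post contrasts it with, and then shows the fix a defender would actually ship, resolving the `file` parameter against a fixed allowlist of page names under an assumed `PAGES_DIR`. The page names and directory are assumptions.

```python
import os
from typing import Optional

# Single-pass deletion of the banned keyword, as the challenge's view.php apparently did.
# The match at "fla[flag]g" is removed and the remaining characters spell the word again.
def delete_once(name: str) -> str:
    return name.replace("flag", "")

# The variant the post says would have been harder: replacing instead of deleting
# leaves a marker behind, so the remaining characters cannot reassemble the word.
def replace_with_marker(name: str) -> str:
    return name.replace("flag", "_")

# A denylist can also be made idempotent by repeating until nothing changes, but this
# is still a denylist: it only blocks the words the author thought of.
def delete_until_stable(name: str) -> str:
    while "flag" in name:
        name = name.replace("flag", "")
    return name

# The real fix: the parameter selects from a closed set of pages, and the resulting
# path is confirmed to stay inside the intended directory before it is used.
PAGES_DIR = "/var/www/pages"            # assumed location of includable pages
ALLOWED_PAGES = {"index", "about", "contact"}   # assumed page names

def resolve_page(name: str) -> Optional[str]:
    if name not in ALLOWED_PAGES:
        return None
    path = os.path.normpath(os.path.join(PAGES_DIR, name + ".php"))
    if not path.startswith(PAGES_DIR + os.sep):
        return None                     # belt and braces; cannot trigger with the allowlist above
    return path

if __name__ == "__main__":
    for candidate in ["flag", "flaflagg", "about", "../etc/passwd"]:
        print(f"{candidate:16} delete_once={delete_once(candidate)!r:10} "
              f"marker={replace_with_marker(candidate)!r:10} "
              f"stable={delete_until_stable(candidate)!r:8} "
              f"resolve={resolve_page(candidate)!r}")
```

Treating the parameter as a lookup key rather than as a filename to be sanitised is what makes the bypass class disappear entirely: there is no string transformation to reason about, so there is nothing to reassemble.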