CSAW CTF 2016 mfw Writeup
0x01 需要知道的##
- 本地文件包含
- git源码泄露
0x02 本地文件包含
来自维基百科的解释:
In PHP the main cause is due to the use of unvalidated user-input with a filesystem function that includes a file for execution.
** most notable are the include and require statements.**
Most of the vulnerabilities can be attributed to novice programmers not being familiar with all of the capabilities of the PHP programming language. The PHP language has a directive which, if enabled,
** allows filesystem functions to use a URL to retrieve data from remote locations**.[1]
The directive is allow_url_fopen in PHP versions <= 4.3.4 and allow_url_include since PHP 5.2.0. In PHP 5.x this directive is disabled by default, in prior versions it was enabled by default.[2] To exploit the vulnerabil