phpMyAdmin
In index.php:
The parameter must (1) be a non-empty string; (2) not start with index; (3) not be in the $target_blacklist blacklist array; and (4) satisfy the checkPageValidity() function.
The checkPageValidity() function
View the whitelist.
The first place that returns true:
The page parameter must be in the whitelist.
The second place that returns true:
The mb_strpos function: mb_strpos(s1, s2)
Finds the position of the first occurrence of s2 in s1.
mb_substr(s1, s2, s3)
Returns the substring of s1 that starts at position s2 and has length s3.
Here the whitelist can be bypassed by way of db_sql.php?/../../../../../../windows/system.ini; the content after the question mark is parsed as a parameter.
The third place that returns true:
The passed parameter is URL-encoded and is then run through urldecode, so double encoding achieves the bypass: ? -> %253f
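
The three return-true places described above, modelled as an added PHP example beside a stricter check (this is not phpMyAdmin's own code). The whitelist contents, the function names looseCheck, strictCheck and beforeQuery, and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added illustration: a simplified model of the three checks described above,
// not phpMyAdmin's source. The whitelist contents are an assumption.
const WHITELIST = ['db_sql.php', 'sql.php'];

// Text before the first '?'; appending '?' guarantees mb_strpos finds one.
function beforeQuery(string $s): string
{
    return mb_substr($s, 0, mb_strpos($s . '?', '?'));
}

// Model of the flawed logic: three separate places return true.
function looseCheck(string $page): bool
{
    if (in_array($page, WHITELIST, true)) {              // first place
        return true;
    }
    if (in_array(beforeQuery($page), WHITELIST, true)) { // second place
        return true;
    }
    // third place: an extra urldecode() on a value PHP has already decoded once
    return in_array(beforeQuery(urldecode($page)), WHITELIST, true);
}

// Stricter form: the whole value must equal a whitelist entry, no re-decoding.
function strictCheck(string $page): bool
{
    return in_array($page, WHITELIST, true);
}

// Constructed inputs, written as the script sees them after PHP's automatic
// decode of request parameters (so "%253f" on the wire arrives as "%3f").
$samples = [
    'db_sql.php',
    'db_sql.php?/../constructed.txt',
    'db_sql.php%3f/../constructed.txt',
    'other.php',
];
foreach ($samples as $s) {
    printf("%-34s loose=%-5s strict=%s\n", $s,
        var_export(looseCheck($s), true), var_export(strictCheck($s), true));
}
```

The validated string and the string later used as a file path differ in the second and third places, which is why a whole-value comparison is the safer check before any include.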