Table of Contents
Challenge reproduction link: https://buuoj.cn/challenges
Reference link: XCTF Final 2019 writeup by ROIS
PHP files under Windows
Exploiting Windows FindFirstFile
Using FindFirstFile
When a filename goes through this API, the character " is interpreted as ., which means that
shell"php
=== shell.php
While debugging the PHP interpreter, we found that this "magic" vulnerability comes down to the results produced by the WinAPI function FindFirstFile() (http://msdn.microsoft.com/en-us/library/aa364418(v=vs.85).aspx). Even more interesting: when tracing the function call stack, we found that the character > is replaced with ?, the character < is replaced with *, and the symbol " (double quotation mark) is replaced with the . character. This was already mentioned in a 2007 MSDN community note on that page: http://msdn.microsoft.com/en-us/library/community/history/aa364418%28v=vs.85%29.aspx?id=3
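The following is an added example, not code from the original post or from the ROIS writeup. It emulates the three substitutions described above (" to ., < to *, > to ?) against a constructed directory listing so you can see which real file a name such as shell"php or shell< ends up resolving to, and it shows the corresponding input check a defender would put in front of any filesystem call on Windows. The listing, the function names and the use of Python's fnmatch as a stand-in for Windows wildcard matching are all assumptions made for the illustration; the real FindFirstFile() matcher has more edge cases than fnmatch.

```python
"""Emulate the FindFirstFile() character translation and the matching
defender-side filename check. Added example; not the original post's code."""
import fnmatch

# Substitutions observed in the FindFirstFile() call stack (from the post).
FINDFIRSTFILE_TRANSLATION = {'"': ".", "<": "*", ">": "?"}


def translate_win_pattern(name: str) -> str:
    """Return the pattern FindFirstFile() effectively searches for."""
    return "".join(FINDFIRSTFILE_TRANSLATION.get(ch, ch) for ch in name)


def find_first_file_emulated(name: str, directory_listing: list[str]):
    """Emulate FindFirstFile(): translate the name, then return the first
    directory entry the resulting wildcard pattern matches, or None.
    fnmatch is only an approximation of the Windows matcher (assumption)."""
    pattern = translate_win_pattern(name)
    for entry in directory_listing:
        if fnmatch.fnmatchcase(entry, pattern):
            return entry
    return None


# Constructed sample listing; it does not describe any real system.
SAMPLE_DIR = ["index.php", "shell.php", "config.inc", "readme.txt"]

# Characters that must never reach a Windows filesystem call from user input:
# the three translated characters plus the literal wildcards they become.
WILDCARD_CHARS = set(FINDFIRSTFILE_TRANSLATION) | {"*", "?"}


def is_safe_filename(name: str) -> bool:
    """Hardening check for user-supplied filenames: reject wildcard and
    translated characters, path separators and NUL. Allow-listing a
    character set is stricter still, but this is the minimum."""
    forbidden = WILDCARD_CHARS | {"/", "\\", "\0"}
    return bool(name) and not any(ch in forbidden for ch in name)


if __name__ == "__main__":
    for user_input in ['shell"php', "shell<", "she>>.php", "shell.php"]:
        resolved = find_first_file_emulated(user_input, SAMPLE_DIR)
        print(f"{user_input!r:12} -> pattern {translate_win_pattern(user_input)!r:12} "
              f"resolves to {resolved!r:12} safe={is_safe_filename(user_input)}")
```

Running the block shows that shell"php, shell< and she>>.php all resolve to shell.php in the sample listing, and that only the last, literal name passes is_safe_filename(). The practical lesson for code that runs PHP on Windows is that a filename filter which only blocks "." or ".php" is not enough; the wildcard and quote characters have to be rejected (or the whole name allow-listed) before the path is handed to the filesystem.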