
Some bypasses for file inclusion filters

%00 truncation bypass

The filtering code


<?php
    if(isset($_GET['filename'])){
        include $_GET['filename'] . ".php";   // ".php" is appended to whatever the user supplied
    }else{
        echo "包含失败";   // "inclusion failed"
    }
?>

What this code does is append .php to whatever you pass in the filename parameter. For example, if you pass webshell.php, after this code processes it the name becomes webshell.php.php; no such file exists, so the lookup fails and the inclusion fails.

Demonstration


The following is webshell.php

<?php phpinfo();?>

We try to include this file


The inclusion fails, so now we use %00 truncation


Bypassed successfully

Summary


%00 means "the string ends here". So when the filename is webshell.jpg%00, even though .php is appended to make webshell.jpg%00.php, the path is resolved as webshell.jpg; combined with the inclusion vulnerability, the file webshell.jpg is then executed as PHP. Note that this truncation only works on PHP versions before 5.3.4; from 5.3.4 onward, paths containing a null byte are rejected as invalid.

str_replace replacement-function bypass


The str_replace() function performs string replacement

$file = $_GET['filename'];
$file = str_replace(array("http://","https://"),"",$file); // any "http://" or "https://" is replaced with ""
$file = str_replace(array("../","..\\"),"",$file); // any "../" or "..\" is replaced with "" (the backslash must be escaped inside the string)

But str_replace only makes a single pass over the input, so if we want to use ../ for directory traversal, we just add one more ../ to bypass it.

Originally the directory we wanted to reach was ../../xxx.txt; if we change it to ../../../xxx.txt, it can still be reached.

../../../xxx.txt after replacement -> ../../xxx.txt

Defenses


Hard-restrict the set of files that may be included

$filename = $_GET['filename'];
// compare against a fixed list of permitted names; anything else is refused
if ($filename != "xxx" && $filename != "yyy" /* ... every permitted name */) {
    echo "error";
    exit;
}
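As an added example (not code from the original post), the following PHP handler applies that allowlist idea together with a NUL-byte check and path canonicalisation, and runs it against the inputs from both sections above; the page names, directory layout and example.com host are assumed.

```php
<?php
// Added example: an include handler that replaces blacklist filtering with an
// allowlist plus path canonicalisation. Names and layout are assumed.

const ALLOWED_PAGES = ['home', 'about'];   // the only pages that may be included

/**
 * Return the absolute path of the page to include, or null to refuse.
 * $baseDir is the directory that holds the includable .php files.
 */
function resolve_page(string $baseDir, string $name): ?string
{
    // 1. An embedded NUL is never legitimate (the %00 truncation trick).
    if (strpos($name, "\0") !== false) {
        return null;
    }
    // 2. Exact allowlist match: "../x", "http://..." and "webshell" never
    //    match, so there is nothing to strip and nothing to bypass.
    if (!in_array($name, ALLOWED_PAGES, true)) {
        return null;
    }
    // 3. Defence in depth: canonicalise and confine the result to $baseDir,
    //    so a later mistake in the allowlist still cannot escape the directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// --- stand-alone demo on a constructed temporary directory ---------------
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/home.php', "<?php echo 'home';\n");

$inputs = [                 // constructed inputs
    'home',                 // legitimate page -> included
    'about',                // allowlisted but absent on disk -> refused
    "webshell.jpg\0",       // %00 truncation attempt from the first section
    '../../xxx.txt',        // traversal attempt from the second section
    'http://example.com/x', // remote include attempt (placeholder host)
];
foreach ($inputs as $in) {
    $resolved = resolve_page($dir, $in);
    printf("%-26s -> %s\n", json_encode($in),
        $resolved === null ? 'refused' : 'include ' . basename($resolved));
}
```

Only the literal name "home" is ever turned into a path, so no amount of extra "../" or encoding in the input reaches the filesystem.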
