Open the given experimental environment and find the given code. After analyzing the code, it can be seen that the file contains vulnerabilities:
It contains two parameters:
- The contents of the Hello parameter are output to the page
- The contents of the page parameter will be included in the file, but the
Strstr (string, search [, before_search]): strstr() function searches whether a string (search) exists in another string (string). If so, it returns the string and the rest. Otherwise, it returns false. Case sensitive. The stristr() function is not case sensitive.
string: required. Specifies the string to be searched.
search: required. Specifies the string to search. If the parameter is a number, search for characters that match the ASCII value corresponding to the number.
before_search: optional. A Boolean value with a default value of “false”. If set to “true”, it returns the part of the string before the first occurrence of the search parameter.
str_ Replace (find, replace, string, count): this function is used to replace a string
find: the string to query.
string: original string
- Case bypass method: PHP://
Here we use pseudo protocol
- php://input Is a read-only stream that can access the requested raw data. You can read the data submitted by post
We write the PHP code for command execution (backquotes) in the content submitted by post:
Three files were obtained and it was found that they could not be opened through the browser:
Use the cat command to view:
Check the first file and find the flag!
This question examines the PHP file contains vulnerabilities and OS command injection
The above is the details of the solution example of the attack and defense world of Web PHP include. For more information about the attack and defense world of Web PHP include, please pay attention to other relevant articles of developeppaer!