云演CTF: 010.php4fun
题目给出源码备份"index.bak":
<?php
function filter($v){
echo $v;
$w = array('<','>','\.\.','^/+.*','file:///','php://','data://','zip://','ftp://','phar://','zlib://','glob://','expect://','http://','https://');
$w = implode('|',$w);
if(preg_match('#' . $w . '#i',$v) !== 0){
die("<br>not that easy.");
exit();
}
return $v;
}
function get_posts(){
$dir=scandir(".");
d
i
r
=
a
r
r
a
y
f
i
l
t
e
r
(
s
c
a
n
d
i
r
(
′
.
′
)
,
f
u
n
c
t
i
o
n
(
dir = array_filter(scandir('.'), function(
dir=arrayfilter(scandir(′.′),function(item) {
return !is_dir(’./’ . $item);
});
p
o
s
t
s
=
a
r
r
a
y
(
)
;
f
o
r
e
a
c
h
(
posts=array(); foreach(
posts=array();foreach(dir as KaTeX parse error: Expected '}', got 'EOF' at end of input: v){ if(v!=="." && KaTeX parse error: Expected 'EOF', got '&' at position 10: v!==".." &̲amp;& (strp…v,’.php’)===false)){
p
o
s
t
s
[
]
=
a
r
r
a
y
(
posts[]=array(
posts[]=array(v,substr(file_get_contents("$v"),0,10));
}
}
return $posts;
}
function get_post(KaTeX parse error: Expected '}', got 'EOF' at end of input: … return array(name,@file_get_contents(filter($name)));
}
?>
<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>
<html>
<head>
<title>php4fun</title>
</head>
<body>
<div class=“content”>
<div class=“toph”></div>
<div class=“center”>
<h1>have fun with php</h1>
<?php
if(!@$_GET[‘p’]){
foreach(get_posts() as KaTeX parse error: Expected '}', got '&' at position 34: … ' &̲lt;h2><a …v[0].’">’.KaTeX parse error: Expected 'EOF', got '&' at position 7: v[0].'&̲lt;/a></h…v[1].’
<p class=“date”> <a href="?p=’.KaTeX parse error: Expected 'EOF', got '&' at position 8: v[0].'"&̲gt;Read more<…v=get_post(@KaTeX parse error: Expected '}', got '&' at position 41: … ' &̲lt;h2>'.v[0].’</h2>
‘.$v[1].’
<p class=“date”><a href="./">Back</a> </p>
<br />
';
}
?>
</div>
<div class=“footer”></div>
</div>
<!-- see index.bak -->
</body>
</html>