<?php
// Insecure Include
// The following Include statement will
// include and execute everything POSTed
// to the server
include "php://input";
?>

Example 2: Use data: to include arbitrary code

<?php
// Insecure Include
// The following Include statement will
// include and execute the base64 encoded
// payload. Here this is just phpinfo()
include "data:;base64,PD9waHAgcGhwaW5mbygpOz8+";
?>

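Taking all of this into account, it turns out that neither allow_url_fopen nor allow_url_include provides a guarantee.
This is simply because the filters rarely filter these vectors. Completely solving these URL include vulnerabilities requires the Suhosin extension.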
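
A hardened counterpart to the two includes above, as an added example that is not part of the original article: the include target is chosen from a fixed allow-list and confirmed to be a local file inside one directory, so values such as php://input or a data: URI never reach include. The function name safe_include_path, the temporary pages directory and the page keys are assumptions made for illustration.

```php
<?php
// Added example (not from the original article). The function name,
// directory layout and page keys are hypothetical.

/**
 * Map a user-supplied page key to a file inside $baseDir.
 * Returns the absolute path, or null if the request must be refused.
 */
function safe_include_path(string $requested, string $baseDir, array $allowed): ?string
{
    // 1. Allow-list: only known keys are accepted, so "php://input",
    //    "data:;base64,..." or "../../etc/passwd" never match.
    if (!isset($allowed[$requested])) {
        return null;
    }
    // 2. Defence in depth: the mapped file must exist on disk and
    //    resolve (after symlinks and "..") to a path inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway pages directory holding one file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . uniqid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home page';\n");
$allowed = ['home' => 'home.php'];

// Constructed inputs: one legitimate key and the two vectors shown above.
$inputs = ['home', 'php://input', 'data:;base64,PD9waHAgcGhwaW5mbygpOz8+'];
foreach ($inputs as $in) {
    $path = safe_include_path($in, $dir, $allowed);
    if ($path === null) {
        echo "refused: $in\n";
        continue;
    }
    include $path;   // only reached for an allow-listed local file
    echo "\n";
}

// Remove the constructed demo files.
unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($dir);
```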