[WeChall] PHP 0817 (PHP, Exploit) 解决和原理
题目
I have written another include system for my dynamic webpages, but it seems to be vulnerable to LFI.
Here is the code:
<?php
if (isset($_GET['which']))
{
$which = $_GET['which'];
switch ($which)
{
case 0:
case 1:
case 2:
require_once $which.'.php';
break;
default:
echo GWF_HTML::error('PHP-0817', 'Hacker NoNoNo!', false);
break;
}
}
?>
Your mission is to include solution.php.
分析
任务目标是包含solution.php文件。
根据官网PHP: switch - Manual的介绍,可以看到:
Note:
注意 switch/case 作的是松散比较。
当一个非数字开头的字符串与数字0进行==比较时,结果总是true.因此可以直接提交solution作为which变量的值,"solution"相当于0,必然会执行require_once命令。
更多知识可以参考字符串与数字0比较要注意
答案
因此,答案也就出来了。浏览器访问下面链接即可。
http://www.wechall.net/challenge/php0817/index.php?which=solution