윤석찬 - 2 months ago 5
PHP Question

Where's the vulnerability in this PHP code?

I must delete this question because of the administrator who manages the war game site.
But I can't delete it because of the answers, so I had no choice but to blind this question.

Answer

The solution is this:

http://123.111.158.161/codeshell/prob2/?......foo.adm1nkyj......=adm1nkyj

It works because PHP replaces dots and spaces with underscores in the keys of the request data arrays ($_GET, $_POST, $_REQUEST, $_COOKIE).

From PHP docs:

Note: Dots and spaces in variable names are converted to underscores. For example <input name="a.b" /> becomes $_REQUEST["a_b"].

This is probably a relic from times when register globals was still a thing.
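
The key rewriting described in the answer, as an added example that is not part of the original post: it compares each parameter name as sent with the key PHP actually stores, so a check written against the raw query string can be reconciled with what `$_GET` will contain. The helper names `rewritten_keys()` and `request_is_canonical()` are hypothetical, the sample inputs are constructed (the first is the query string from the answer), and the default `arg_separator.input` of `&` is assumed.

```php
<?php
// Added example, not code from the original question or answer.
// rewritten_keys() and request_is_canonical() are hypothetical helper names.

/**
 * Map each top-level parameter name in a raw query string to the key PHP
 * stores for it, keeping only the names PHP changed.
 * Assumes the default arg_separator.input of "&".
 */
function rewritten_keys(string $query): array
{
    $changed = [];
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') {
            continue;
        }
        // Name as sent by the client, percent-decoded ("+" becomes a space).
        $raw = urldecode(explode('=', $pair, 2)[0]);
        // For "a[b]" PHP stores the top-level key "a"; compare against that.
        $top = ($pos = strpos($raw, '[')) ? substr($raw, 0, $pos) : $raw;

        // parse_str() applies the same name rewriting PHP uses for $_GET.
        parse_str($pair, $one);
        $stored = array_key_first($one);
        if ($stored !== null && (string) $stored !== $top) {
            $changed[$raw] = (string) $stored;
        }
    }
    return $changed;
}

/** True when every name reached PHP's arrays exactly as it was sent. */
function request_is_canonical(string $query): bool
{
    return rewritten_keys($query) === [];
}

// Constructed sample inputs; the first is the query string from the answer.
$samples = [
    '......foo.adm1nkyj......=adm1nkyj',
    'user.name=alice&user+role=admin',
    'id=7&filter[tag]=php',
];
foreach ($samples as $qs) {
    printf("%s\n  canonical: %s\n", $qs, request_is_canonical($qs) ? 'yes' : 'no');
    foreach (rewritten_keys($qs) as $raw => $stored) {
        printf("  sent \"%s\" -> stored \"%s\"\n", $raw, $stored);
    }
}
```

In a real handler the input would be `$_SERVER['QUERY_STRING']`; rejecting or logging requests where `request_is_canonical()` is false keeps name-based filters and the code that reads `$_GET` looking at the same keys.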
