low
<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body>
<div class="vulnerable_code_area">
<em><a href="?page=file1.php">file1.php</a></em>
<em><a href="?page=file2.php">file2.php</a></em>
<em><a href="?page=file3.php">file3.php</a></em>
</div>
</body>
</html>
<?php
// Low level: the "page" query parameter is handed to include() with no
// validation, so the request (not the server) decides which file PHP loads
// and executes. The three links above are only suggestions; nothing in this
// script restricts the value to them.
// Mitigation: compare the value against an exact allow-list of page names
// (e.g. in_array($file, $allowed, true)) before including it, and keep
// allow_url_include disabled in php.ini.
$file = $_GET['page'];  // read unchecked; raises an undefined-index notice/warning when "page" is absent
if(isset($file)){       // only separates "parameter present" from "absent"; it validates nothing
include($file);
}
?>
medium
<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body>
<div class="vulnerable_code_area">
<em><a href="?page=file1.php">file1.php</a></em>
<em><a href="?page=file2.php">file2.php</a></em>
<em><a href="?page=file3.php">file3.php</a></em>
</div>
</body>
</html>
<?php
// Medium level: block-list filtering. Two URL schemes and two relative-path
// tokens are stripped from the "page" parameter, and the result is included.
// Why this is still weak:
//  - str_replace() makes a single pass and never re-scans its own output, so
//    the result is not guaranteed to be free of the tokens it removed;
//  - any value that contains none of the listed tokens passes through unchanged.
// Mitigation: replace the block-list with an exact allow-list of page names
// (e.g. in_array($file, $allowed, true)) and keep allow_url_include disabled.
$file = $_GET['page'];  // read unchecked; raises an undefined-index notice/warning when "page" is absent
$file = str_replace(array("https://","http://"), "", $file);
$file = str_replace(array("../","./"), "", $file);
// NOTE(review): this writes the request-derived value into the response
// without HTML escaping (and after the closing </html> tag), which is a
// reflected-XSS sink. If the echo is needed, wrap the value in
// htmlspecialchars($file, ENT_QUOTES, 'UTF-8').
echo $file;
// str_replace() always returns a string, so $file is never null at this point
// and this check is always true; include() runs even when "page" was missing.
if(isset($file)){
include($file);
}
?>
high
<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body>
<div class="vulnerable_code_area">
<em><a href="?page=file1.php">file1.php</a></em>
<em><a href="?page=file2.php">file2.php</a></em>
<em><a href="?page=file3.php">file3.php</a></em>
</div>
</body>
</html>
<?php
// High level: the "page" parameter is included when it matches the shell-style
// pattern "file*" or equals "include.php"; otherwise an error is printed.
// Why this is still weak: "file*" only constrains how the value begins. The
// "*" wildcard accepts any remaining characters, so the check does not limit
// the value to file1.php, file2.php and file3.php.
// Mitigation: use an exact-match allow-list of the permitted names, e.g.
// in_array($file, array("file1.php", "file2.php", "file3.php", "include.php"), true).
$file = $_GET['page'];  // read unchecked; raises an undefined-index notice/warning when "page" is absent
if(!(fnmatch("file*", $file)) && $file !="include.php"){
// Rejected: the value neither starts with "file" nor equals "include.php".
echo "ERROR file not found!";
}else{
// Accepted: the request-controlled value is passed to include() unchanged.
include($file);
}
?>
PHP知识点
fnmatch() 函数根据指定的模式来匹配文件名或字符串。注意:上面 high 级别代码中的模式 "file*" 只约束字符串的开头,"*" 可以匹配其后的任意字符,因此这种检查不能替代与固定文件名列表的精确比对(白名单)。