我编写了一个带有文本字段的html脚本,我用post方法从用户那里收到一段php源代码并将其保存到文本文件中,之后我想搜索该文本以找到这些关键字:
“GET”“include”“include_once”“require”“require_once”(不带“”)
我想为本地文件包含漏洞(LFI)编写一个简单的扫描程序,您可以给代码和此程序测试它。
这是我的html脚本:
答案 0 :(得分:0)
除了您的正则表达式错误之外(您正在逃避$并且您可以轻松地使用/GET/作为/^.*GET.*$/m从我能理解的您的意图)和您关闭文件,然后继续使用它后,上帝知道在开始时它是什么,你的代码似乎工作正常。我清理了一些垃圾并运行它并且工作正常。
<?php
$contents = "GETincludeinclude_oncerequirerequire_once";
$pattern = "/^.*GET.*$/m";
if(preg_match_all($pattern, $contents, $matches)){
echo "You used GET method !\n";
}
else{
echo "It might not to be vulnerable !\n";
}
$pattern = "/^.*include.*$/m";
if(preg_match_all($pattern, $contents, $matches)){
echo "You used include function !\n";
}
else{
echo "It might not to be vulnerable !\n";
}
$pattern = "/^.*include_once.*$/m";
if(preg_match_all($pattern, $contents, $matches)){
echo "You used include_once function !\n";
}
else{
echo "It might not to be vulnerable !\n";
}
$pattern = "/^.*require.*$/m";
if(preg_match_all($pattern, $contents, $matches)){
echo "You used require function !\n";
}
else{
echo "It might not to be vulnerable !\n";
}
$pattern = "/^.*require_once.*$/m";
if(preg_match_all($pattern, $contents, $matches)){
echo "You used require_once function !\n";
}
else{
echo "It might not to be vulnerable !\n";
}
?>
以上代码输出:
You used GET method !
You used include function !
You used include_once function !
You used require function !
You used require_once function !