Summary of PHP pseudo-protocols for CISP-PTE
2022-07-05 16:42:00 【Colorful @ star】
PHP pseudo-protocol summary
0x00 php://input
// All tests were run with allow_url_fopen=On and allow_url_include=On.
php://input is a read-only stream that allows you to read raw data from the request body. In the case of POST requests, it is preferable to use php://input instead of $HTTP_RAW_POST_DATA, as it does not depend on special php.ini directives. Moreover, for those cases where $HTTP_RAW_POST_DATA is not populated by default, it is a potentially less memory-intensive alternative to activating always_populate_raw_post_data. php://input is not available with enctype="multipart/form-data".
——php.net
Put simply, it reads the POST data.
Test code:
File inclusion through a request-controlled variable, leading to command execution:
Test code:
<?php
// Deliberately vulnerable test code: the raw request body is evaluated as PHP.
$d = file_get_contents('php://input');
//echo $d;
@eval($d);
?>
<?php @include($_GET["file"]); ?>
Writing a one-liner:
0x01 php://filter
php://filter is a kind of meta-wrapper designed to permit the application of filters to a stream at the time of opening. This is useful with all-in-one file functions such as readfile(), file() and file_get_contents(), where there is otherwise no opportunity to apply a filter to the stream before the contents are read.
——php.net
Put simply, we most often use it with base64 encoding, for example:
php://filter/read=convert.base64-encode/resource=file:///c:/windows/win.ini
A variety of filters can be used (string / conversion / compression / encryption).
It is often used to read files or source code:
0x02 zip://,bzip2://,zlib://
zlib: works like gzopen(), except that the stream can also be used with fread() and the other filesystem functions. This is deprecated as of PHP 4.3.0 because it is ambiguous with filenames containing ":" characters; use compress.zlib:// instead.
compress.zlib:// and compress.bzip2:// are equivalent to gzopen() and bzopen() respectively, and operate even on systems that do not support fopencookie.
The ZIP extension registers the zip: wrapper. As of PHP 7.2.0 and libzip 1.2.0+, encrypted archives are supported with passwords, allowing passwords to be supplied for streams. The password is set with the 'password' stream context option.
Options:
- zlib://file.gz
- bzip2://file.bz2
- zip://archive.zip#dir/file.txt
——php.net
Put simply, these wrappers give direct access to the files inside a compressed archive.
1. zip://
Compress phpinfo.txt into a zip archive. In practice, the suffix can be changed to jpg to bypass upload restrictions.
Note that the path must be absolute and the # must be URL-encoded.
2. zlib://
Changing the suffix to jpg works here too, and a relative path is also acceptable.
3. bzip2://
It works the same way as zlib://.
0x03 data://
data://text/plain;base64,
It also works without the //.
It can also be used to read PHP file source code:
data:text/plain,<?php system('cat /var/www/phprotocol1.php')?>
Or for command execution:
data:text/plain,<?php system('whoami')?>
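A hardened form of the include($_GET["file"]) test code above, as an added example that is not part of the original post: the request value selects a key from an allowlist, so none of the wrapper strings shown on this page ever reach include(). The page key, file name, temporary directory and the helper names resolve_include and wrapper_scheme are assumptions made for illustration.

```php
<?php
// Added example, not code from the original post. Page keys, file names and
// the base directory are assumptions made for illustration.
// Of the wrappers on this page, allow_url_include=Off blocks only php://input
// and data: in include(); php://filter, zip:// and compress.* still resolve,
// so the fix belongs at the include sink itself.

/** Map a request value to an includable file, or null to refuse it. */
function resolve_include(string $name, string $baseDir, array $pages): ?string
{
    // Allowlist lookup: the request picks a key, never a path or a URL.
    if (!isset($pages[$name])) {
        return null;
    }
    // Defence in depth: the mapped file must resolve inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $pages[$name]);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

/** Return the wrapper scheme of a refused value (for logging), or null. */
function wrapper_scheme(string $value): ?string
{
    // Two or more characters before ':' so Windows drive letters are ignored;
    // '//' is optional because data: and zlib: work without it.
    return preg_match('/^\s*([a-z][a-z0-9.+-]+):/i', rawurldecode($value), $m)
        ? strtolower($m[1]) : null;
}

// Constructed demo: a throwaway page directory and inputs of the kinds above.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo';
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home';");
$pages = ['home' => 'home.php'];
$inputs = ['home', 'php://input', 'data:text/plain,x',
    'php://filter/read=convert.base64-encode/resource=home.php',
    'zip:///tmp/upload.jpg%23phpinfo.txt', 'compress.zlib://upload.jpg'];
foreach ($inputs as $in) {
    $path = resolve_include($in, $dir, $pages);
    $note = $path !== null ? 'include ' . basename($path)
        : 'refused, scheme=' . (wrapper_scheme($in) ?? 'none');
    printf("%-60s %s\n", $in, $note);
}
```

Only the first input resolves to a file; the other five are refused and logged with their scheme (php, data, zip, compress.zlib), which is also a useful signal to alert on.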
0x04 Conclusion
PHP pseudo-protocols are used often in CTFs, and they may also work wonders in real engagements.
0x05 References
https://www.waitalone.cn/php-file-include.html
www.freebuf.com/column/148886.html
http://php.net/manual/zh/wrappers.php
</article>