在线时间:8:00-16:00
迪恩网络APP
随时随地掌握行业动态
扫描二维码
关注迪恩网络微信公众号
最近在做ctf的时候,碰见了好几次关于php伪协议的妙用,所以通过学习整理出相关知识 php伪协议,事实上是其支持的协议与封装协议
支持的种类有这12种 先整理一下关于php://的用法 php:// php://stdin, php://stdout 和 php://stderr php://stdin是只读的,php://stdout 和 php://stderr 是只写的。 举例: 1 <?php 2 while($line = fopen('php://stdin','r')) 3 {//open our file pointer to read from stdin 4 echo $line."\n"; 5 echo fgets($line);//读取 6 } 7 ?>
可以看到打开了一个文件指针进行读取 php://stdout 1 <?php 2 $fd = fopen('php://stdout', 'w'); 3 if ($fd) { 4 echo $fd."\n"; 5 fwrite($fd, "这是一个测试"); 6 fwrite($fd, "\n"); 7 fclose($fd); 8 } 9 ?>
可以看到打开了一个文件指针进行写入 php://stderr 1 <?php 2 $stderr = fopen( 'php://stderr', 'w' ); 3 echo $stderr."\n"; 4 fwrite($stderr, "lalala" ); 5 fclose($stderr); 6 ?>
可以看到打开了一个文件指针进行写入 php://input 举例: 相关源码: 1 <!-- 2 $user = $_GET["user"]; 3 $file = $_GET["file"]; 4 $pass = $_GET["pass"]; 5 6 if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")){ 7 echo "hello admin!<br>"; 8 include($file); //class.php 9 }else{ 10 echo "you are not admin ! "; 11 }
php://output 举例: 1 <?php 2 $out=fopen("php://stdout", 'w'); 3 echo $out."\n"; 4 fwrite($out , "this is a test"); 5 fclose($out); 6 ?>
php://fd php://memory 和 php://temp php://temp 的内存限制可通过添加 /maxmemory:NN 来控制,NN 是以字节为单位、保留在内存的最大数据量,超过则使用临时文件。 php://filter php://filter 参数
封装协议摘要(针对 php://filter,参考被筛选的封装器。)
举例:依旧拿HBCTF举例好啦
明显将
这就涉及过滤器的灵活使用
过滤器过滤器有很多种,有字符串过滤器、转换过滤器、压缩过滤器、加密过滤器 字符串过滤器
举例1 <?php 2 $fp = fopen('php://output', 'w'); 3 stream_filter_append($fp, 'string.rot13'); 4 echo "rot13:"; 5 fwrite($fp, "This is a test.\n"); 6 fclose($fp); 7 8 $fp = fopen('php://output', 'w'); 9 stream_filter_append($fp, 'string.toupper'); 10 echo "Upper:"; 11 fwrite($fp, "This is a test.\n"); 12 fclose($fp); 13 14 $fp = fopen('php://output', 'w'); 15 stream_filter_append($fp, 'string.tolower'); 16 echo "Lower:"; 17 fwrite($fp, "This is a test.\n"); 18 fclose($fp); 19 20 $fp = fopen('php://output', 'w'); 21 echo "Del1:"; 22 stream_filter_append($fp, 'string.strip_tags', STREAM_FILTER_WRITE); 23 fwrite($fp, "<b>This is a test.</b>!!!!<h1>~~~~</h1>\n"); 24 fclose($fp); 25 26 $fp = fopen('php://output', 'w'); 27 echo "Del2:"; 28 stream_filter_append($fp, 'string.strip_tags', STREAM_FILTER_WRITE, "<b>"); 29 fwrite($fp, "<b>This is a test.</b>!!!!<h1>~~~~</h1>\n"); 30 fclose($fp); 31 32 $fp = fopen('php://output', 'w'); 33 stream_filter_append($fp, 'string.strip_tags', STREAM_FILTER_WRITE, array('b','h1')); 34 echo "Del3:"; 35 fwrite($fp, "<b>This is a test.</b>!!!!<h1>~~~~</h1>\n"); 36 fclose($fp); 37 ?>
转换过滤器
base64 编码解码
举例:1 <?php 2 $fp = fopen('php://output', 'w'); 3 stream_filter_append($fp, 'convert.base64-encode'); 4 echo "base64-encode:"; 5 fwrite($fp, "This is a test.\n"); 6 fclose($fp); 7 8 $param = array('line-length' => 8, 'line-break-chars' => "\n"); 9 $fp = fopen('php://output', 'w'); 10 stream_filter_append($fp, 'convert.base64-encode', STREAM_FILTER_WRITE, $param); 11 echo "\nbase64-encode-split:\n"; 12 fwrite($fp, "This is a test.\n"); 13 fclose($fp); 14 15 $fp = fopen('php://output', 'w'); 16 stream_filter_append($fp, 'convert.base64-decode'); 17 echo "\nbase64-decode:"; 18 fwrite($fp, "VGhpcyBpcyBhIHRlc3QuCg==\n"); 19 fclose($fp); 20 21 $fp = fopen('php://output', 'w'); 22 stream_filter_append($fp, 'convert.quoted-printable-encode'); 23 echo "quoted-printable-encode:"; 24 fwrite($fp, "This is a test.\n"); 25 fclose($fp); 26 27 $fp = fopen('php://output', 'w'); 28 stream_filter_append($fp, 'convert.quoted-printable-decode'); 29 echo "\nquoted-printable-decode:"; 30 fwrite($fp, "This is a test.=0A"); 31 fclose($fp); 32 ?>
压缩过滤器 zlib.deflate和 zlib.inflate
加密过滤器 mcrypt 过滤器参数
|
2022-08-15
2022-08-30
2022-08-17
2022-08-18
2022-07-18
请发表评论