A probe into PHP pseudo-protocol

0x01 sequence

A probe into PHP pseudo-protocol

There are so many pseudo protocols supported in PHP

file://-access to the local file system http://-Access HTTP (s) URL ftp://-access FTP (s) urlsphp://-access to each input/output stream (I/O streams) zlib://-compressed stream data://-data ( RFC 2397) glob://-Find matching file path Mode phar://-php archive ssh2://-secure Shell 2rar://-rarogg://-audio stream expect://-handle interactive streams

Focus on php://today.

First, put the official documents on.
http://php.net/manual/zh/wrappers.php.php

There are two more important configurations in php.ini, Allow_url_fopen and Allow_url_include affect the support for pseudo-protocols such as fopen and so on, and Allow_url_include relies on allow _url_fopen, so allow_url_fopen do not open words, allow_url_include is also unable to use.

The php://is used to access each input and output stream, exceptphp://stdin, php://stdout 和 php://stderr

0x02 Php://input

Php://input represents the raw data that can be accessed by the request, in the case of a POST request, Php://input can get the data to the post.

A very special point, enctype= "Multipart/form-data" when the Php://input is invalid.

0x03 Php://output

Php://output is a write-only data stream that allows you to write to the output buffer in the same way as print and echo.

0x04 Php://filter

The key to this article is to discuss Php://filter, which is, in fact, a pseudo-protocol that we often use, with the opportunity to take advantage of any file read or even Getshell.

php://filteris a meta-wrapper designed for filtering filtering applications when data flow is turned on. This is useful for all-in-one (all-in-one) file functions, such as ReadFile (), file (), and file_get_contents (), without the opportunity to apply other filters before the data stream content is read.

In fact, the use of the include function often results in arbitrary file-read vulnerabilities, while file_get_contents () and file_put_contents () are often the more serious vulnerabilities of Getshell.

The Php://filter target uses the following parameters as part of its path. The composite filter chain can be specified on a path. Use these parameters in detail to refer to specific examples.

It's written in the document.

name    description resource=< data stream to be filtered >        This parameter is required. It specifies the data stream that you want to filter for filtering.  filter list for read= < read chain >            This parameter is optional. You can set one or more filter names separated by a pipe character (|). write=< Write chain filter list >        This parameter is optional. You can set one or more filter names separated by a pipe character (|).  <Two chain filter list >           any filter list that is not prefixed with read= or write= will be applied to read or write chains as appropriate.

Let's give an example, this is the payload that we use to read arbitrary files at ordinary times.

php://filter/read=convert.base64-encode/resource=upload.php

The filter read here is Convert.base64-encode, just like the literal meaning, base64-encode the input stream.
Resource=upload.php, representing the contents of the Read upload.php

Here's a closer look at the problem with the filter

4.1 Filter

First paste the document, not because of their own translation small problem of the pot (?ω?) Dentetsu
http://php.net/manual/zh/filters.php

4.1.1 Conversion Filter

http://php.net/manual/zh/filters.convert.php

The convert.* filter is added after php5.0.0.

Base64

Convert.base64-encode and Convert.base64-decode Use these two filters as the equivalent of processing all stream data with the Base64_encode () and Base64_decode () functions respectively. The Convert.base64-encode supports parameters given in an associative array. If the line-length,base64 output is given, it will be truncated to a block of length using line-length characters. If Line-break-chars is given, each block will be separated by the characters given. The effect of these parameters is the same as with Base64_encode () plus chunk_split ().

Of course, the filters here not only apply to Php://filter, so the example given in the documentation is this

<?PHP$fp=fopen(' Php://output ', ' W ');Stream_filter_append($fp, ' Convert.base64-encode ');fwrite($fp, "This is a test.\n");fclose($fp);/*outputs:vghpcybpcybhihrlc3qucg==*/$param=Array(' line-length ' = 8, ' line-break-chars ' = ' \ r \ n '));$fp=fopen(' Php://output ', ' W ');Stream_filter_append($fp, ' Convert.base64-encode ', Stream_filter_write,$param);fwrite($fp, "This is a test.\n");fclose($fp);/*outputs:vghpcybp:cybhihrl:c3qucg==*/$fp=fopen(' Php://output ', ' W ');Stream_filter_append($fp, ' Convert.base64-decode ');fwrite($fp, "vghpcybpcybhihrlc3qucg==");fclose($fp);/*Outputs:this is a test. */?>

Quoted-printable

Convert.quoted-printable-encode and Convert.quoted-printable-decode Use the decode version of this filter to equate with Quoted_printable_decode () The function handles all stream data. There are no functions corresponding to Convert.quoted-printable-encode. The Convert.quoted-printable-encode supports parameters given in an associative array. In addition to supporting the same additional parameters as Convert.base64-encode, Convert.quoted-printable-encode also supports binary and Force-encode-first boolean parameters. The Convert.base64-decode only supports the Line-break-chars parameter as a type hint that is stripped from the coded payload.

The explanation for Quoted_printable_decode () on php.net is to convert the quoted-printable string to a 8-bit string, forgive me for not understanding

4.1.2 String Filter

String.* is a string module that is used to process individual strings, rather like python.

string.rot13

ROT13, very well understood.

<? PHP $fp fopen (' Php://output ', ' W '); Stream_filter_append ($fp, ' string.rot13 '); fwrite ($fp, "This is a test.\n"); /* Outputs:  GUVF VF n grfg.    */?>

ToUpper

To capitalize, it's also good to understand

<? PHP $fp fopen (' Php://output ', ' W '); Stream_filter_append ($fp, ' String.ToUpper '); fwrite ($fp, "This is a test.\n"); /* Outputs:  This is A TEST.    */?>

ToLower

This time it's lowercase.

<? PHP $fp fopen (' Php://output ', ' W '); Stream_filter_append ($fp, ' String.ToLower '); fwrite ($fp, "This is a test.\n"); /* Outputs: This is  a test.    */?>

String.strip_tags

String.strip_tags (since PHP 5.0.0) Using this filter is equivalent to processing all stream data with the Strip_tags () function. You can receive parameters in two formats: one that is similar to the second parameter of the Strip_tags () function, a string containing a list of tags, and an array that contains a tag name.

Strip_tags () Returns the result of the given string str after removing null characters, HTML, and PHP tags.

<?PHP$fp=fopen(' Php://output ', ' W ');Stream_filter_append($fp, ' String.strip_tags ', Stream_filter_write, ' <b><i><u> ');fwrite($fp, "<b>bolded text</b> enlarged to a );fclose($fp);/*Outputs: <b>bolded text</b> enlarged to a level 1 heading*/$fp=fopen(' Php://output ', ' W ');Stream_filter_append($fp, ' String.strip_tags ', Stream_filter_write,Array(' B ', ' I ', ' u ')));fwrite($fp, "<b>bolded text</b> enlarged to a );fclose($fp);/*Outputs: <b>bolded text</b> enlarged to a level 1 heading*/?>

4.1.3 Compression Filter

The zlib.* compression filter is available from PHP version 5.1.0, under the premise of activating zlib. You can also install the from? Pecl's? The Zlib_filter package is used as a backdoor in version 5.0.x. This filter is not available in PHP 4.

Zlib.deflate and Zlib.inflate are the main two usages

<?PHP$params=Array(' Level ' = 6, ' window ' = +-' Memory ' = 9);$original _text= "This is a test.\nthis are only a test.\nthis are not a important string.\n";Echo"The original text is".strlen($original _text) . "Characters long.\n";$fp=fopen(' test.deflated ', ' W ');Stream_filter_append($fp, ' Zlib.deflate ', Stream_filter_write,$params);fwrite($fp,$original _text);fclose($fp);Echo"The compressed file is".filesize(' test.deflated '). "Bytes long.\n";Echo"The original text was:\n";/*Use ReadFile and zlib.inflate to decompress on the fly*/ReadFile(' php://filter/zlib.inflate/resource=test.deflated ');/*generates output:the original text is a characters long. The compressed file is a bytes long. The original text was:this is a test. This was only a test. This isn't an important string. */?>

4.1.4 Encryption Filter

MCrypt. and Mdecrypt. Symmetric encryption and decryption are provided using Libmcrypt.

The format is Mcrypt.ciphername, where Ciphername is the name of the password and will be passed to Mcrypt_module_open (). The following five filter parameters are available:

Whether the parameter must have a default value to take a value example
Mode selectable CBC CBC, CFB, ECB, NOFB, OFB, stream
Algorithms_dir Optional ini_get (' Mcrypt.algorithms_dir ') a lgorithms module directory
Modes_dir Optional ini_get (' Mcrypt.modes_dir ') Modes Module directory
IV must be N/a typically 8, 16, or 32 bytes of binary data. Depends on the password
The key must be N/A, typically 8, 16, or 32 bytes of binary data. Depends on the password

A detailed research document.
http://php.net/manual/zh/filters.encryption.php

From:lorexxar https://lorexxar.cn/2016/09/14/php-wei/

A probe into PHP pseudo-protocol