Recently, the various magical magic of the PHP pseudo-protocol seems to have suddenly been mentioned, the pseudo-protocol supported in PHP has the following so many
123456789101112 |
file:// -Access to local file system http://-access http (s) URL ftp://-access FTP (s) URLs php: //-access to individual input/output streams (I/O streams) zlib://-compressed stream data://-data (RFC 2397) glob://-find matching file path mode phar://-php archive ssh2://-secure Shell 2 rar://-rar ogg://-audio stream expect://-handles interactive flow |
Focus on php://today.
First, put the official documents on.
http://php.net/manual/zh/wrappers.php.php
There are two more important configurations in php.ini, Allow_url_fopen and Allow_url_include affect the support for pseudo-protocols such as fopen and so on, and Allow_url_include relies on allow _url_fopen, so allow_url_fopen do not open words, allow_url_include is also unable to use.
The php://is used to access each input and output stream, exceptphp://stdin, php://stdout 和 php://stderr
Php://input
Php://input represents the raw data that can be accessed by the request, in the case of a POST request, Php://input can get the data to the post.
A very special point, enctype= "Multipart/form-data" when the Php://input is invalid.
Php://output
Php://output is a write-only data stream that allows you to write to the output buffer in the same way as print and echo.
Php://filter
The key to this article is to discuss Php://filter, which is, in fact, a pseudo-protocol that we often use, with the opportunity to take advantage of any file read or even Getshell.
php://filter
is a meta-wrapper designed for filtering filtering applications when data flow is turned on. This is useful for all-in-one (all-in-one) file functions, such as ReadFile (), file (), and file_get_contents (), without the opportunity to apply other filters before the data stream content is read.
In fact, the use of the include function often results in arbitrary file-read vulnerabilities, while file_get_contents () and file_put_contents () are often the more serious vulnerabilities of Getshell.
The Php://filter target uses the following parameters as part of its path. The composite filter chain can be specified on a path. Use these parameters in detail to refer to specific examples.
It's written in the document.
12345 |
Name Description resource=< The data stream to be filtered > This parameter is required. It specifies the data stream that you want to filter for filtering. filter list for read=< read chain > This parameter is optional. You can set one or more filter names separated by a pipe character (|). write=< The filter list for the Write chain > This parameter is optional. You can set one or more filter names separated by a pipe character (|). <; filter List of two chains > any filter list that is not prefixed with read= or write= will be applied to read or write chains as appropriate. |
Let's give an example, this is the payload that we use to read arbitrary files at ordinary times.
1 |
php://filter/read=convert.base64-encode/resource=upload.php |
The filter read here is Convert.base64-encode, just like the literal meaning, base64-encode the input stream.
Resource=upload.php, representing the contents of the Read upload.php
Here's a closer look at the problem with the filter
Filter filters
First paste the document, not because of their own translation small problem of the pot (?ω?) Dentetsu
http://php.net/manual/zh/filters.php
Conversion filter
http://php.net/manual/zh/filters.convert.php
The convert.* filter is added after php5.0.0.
Base64
Convert.base64-encode and Convert.base64-decode Use these two filters as the equivalent of processing all stream data with the Base64_encode () and Base64_decode () functions respectively. The Convert.base64-encode supports parameters given in an associative array. If the line-length,base64 output is given, it will be truncated to a block of length using line-length characters. If Line-break-chars is given, each block will be separated by the characters given. The effect of these parameters is the same as with Base64_encode () plus chunk_split ().
Of course, the filters here not only apply to Php://filter, so the example given in the documentation is this
12345678910111213141516171819202122 |
<?PHP$FP =fopen (' php://output ', ' W '); Stream_filter_append ($FP,' Convert.base64-encode ');fwrite ($fp, "This is a test.\n"); fclose ($fp);/ * outputs:vghpcybpcybhihrlc3qucg== * /$param = Array (' line-length ' = 8, ' line-break-chars ' = ' \ r \ n '; $FP =fopen (' php://output ', ' W '); Stream_filter_append ($FP,' Convert.base64-encode ', Stream_filter_write, $param);fwrite ($fp, "This is a test.\n"); fclose ($fp);/ * OUTPUTS:VGHPCYBP: cybhihrl:c3qucg== */$fp =fopen (' php://output ', ' W '); Stream_filter_append ($FP,' Convert.base64-decode ');fwrite ($fp, "vghpcybpcybhihrlc3qucg=="); fclose ($fp);/ * Outputs:this is a test. * *?> |
Quoted-printable
Convert.quoted-printable-encode and Convert.quoted-printable-decode Use the decode version of this filter to equate with Quoted_printable_decode () The function handles all stream data. There are no functions corresponding to Convert.quoted-printable-encode. The Convert.quoted-printable-encode supports parameters given in an associative array. In addition to supporting the same additional parameters as Convert.base64-encode, Convert.quoted-printable-encode also supports binary and Force-encode-first boolean parameters. The Convert.base64-decode only supports the Line-break-chars parameter as a type hint that is stripped from the coded payload.
The explanation for Quoted_printable_decode () on php.net is to convert the quoted-printable string to a 8-bit string, forgive me for not understanding
String filter
String.* is a string module that is used to process individual strings, rather like python.
string.rot13
ROT13, very well understood.
123456 |
<?php$fp = fopen (' php://output ', ' W '); Stream_filter_append ($fp, ' string.rot13 '); Fwrite ($fp, "This is a test.\n"); / * OUTPUTS:GUVF VF n GRFG. * / ?> |
ToUpper
To capitalize, it's also good to understand
123456 |
<?php$fp = fopen (' php://output ', ' W '); Stream_filter_append ($fp, ' String.ToUpper '); Fwrite ($fp, "This is a test.\n"); / * Outputs:this is A TEST. * * ?> |
ToLower
This time it's lowercase.
123456 |
<?php$fp = fopen (' php://output ', ' W '); Stream_filter_append ($fp, ' String.ToLower '); Fwrite ($fp, "This is a test.\n"); / * Outputs:this is a test. * * ?> |
String.strip_tags
String.strip_tags (since PHP 5.0.0) Using this filter is equivalent to processing all stream data with the Strip_tags () function. You can receive parameters in two formats: one that is similar to the second parameter of the Strip_tags () function, a string containing a list of tags, and an array that contains a tag name.
Strip_tags () Returns the result of the given string str after removing null characters, HTML, and PHP tags.
12345678910111213 |
<?PHP$FP =fopen (' php://output ', ' W '); Stream_filter_append ($FP,' String.strip_tags ', Stream_filter_write, "<b><i><u>"); fwrite ($fp, "<b>bolded text</b> enlarged to a fclose ($fp);/* Outputs: <b>bolded text</b> enlarged to a level 1 heading */$FP =fopen (' php://output ', ' W '); Stream_filter_append ($FP,' String.strip_tags ', Stream_filter_write, array (' B ',' i ',' U ')); fwrite ($fp, "<b>bolded text</b> enlarged to a fclose ($fp);/* Outputs: <b>bolded text</b> enlarged to a level 1 heading */?> |
Compression filters
The zlib.* compression filter is available from PHP version 5.1.0, under the premise of activating zlib. You can also install the from? Pecl's? The Zlib_filter package is used as a backdoor in version 5.0.x. This filter is not available in PHP 4.
Zlib.deflate and Zlib.inflate are the main two usages
123456789101112131415161718192021222324252627 |
<?php$params =Array (' level ' = = 6, ' window ' = + , ' memory ' = 9); $original _text ="This is a test.\nthis are only a test.\nthis are not a important string.\n";echo "The original text is". strlen ($original _text). "Characters long.\n"; $fp = fopen (' test.deflated ', ' W '); Stream_filter_append ($FP,' Zlib.deflate ', Stream_filter_write, $params);Fwrite ($fp, $original _text); fclose ($FP);echo "The compressed file is". FileSize (' test.deflated '). "bytes long.\n"; echo "The original text was:\n"; /* Use ReadFile and zlib.inflate to decompress on the fly * /ReadFile' php://filter/zlib.inflate/resource=test.deflated ');/* Generates OUTPUT:The original text is a characters long. The compressed file is a bytes long. The original text was:this is a test. This was only a test. This isn't an important string. */?> |
Encryption Filter
MCrypt. and Mdecrypt. Symmetric encryption and decryption are provided using Libmcrypt.
The format is Mcrypt.ciphername, where Ciphername is the name of the password and will be passed to Mcrypt_module_open (). The following five filter parameters are available:
Whether the parameter must have a default value to take a value example
Mode selectable CBC CBC, CFB, ECB, NOFB, OFB, stream
Algorithms_dir Optional ini_get (' Mcrypt.algorithms_dir ') a lgorithms module directory
Modes_dir Optional ini_get (' Mcrypt.modes_dir ') Modes Module directory
IV must be N/a typically 8, 16, or 32 bytes of binary data. Depends on the password
The key must be N/A, typically 8, 16, or 32 bytes of binary data. Depends on the password
Detail your own research documentation
http://php.net/manual/zh/filters.encryption.php
PHP Pseudo-Protocol