Sina SAE network sandbox breakthrough

Sae supports a large number of streams, but only one http protocol is actually encapsulated. The purpose of encapsulation is to control user requests, for example, you can restrict the target address of access and control the number of requests in a more precise manner, while there is no restriction on the native ftp protocol, for example, in this case, we can use this to create a simple Intranet port scanner:
 
 
Echo (file_get_contents ('ftp: // www.2cto.com: 22/111 '));
Due to the fact that sae tends to handle errors too well for developers, we can see whether the network is reachable, the port is not open, or the Protocol does not match, in this way, we can even detect the degree of isolation between the sae and the internal network.
After all, the ftp protocol is not very friendly. For the encapsulated http protocol, we find that stream_wrapper_unregister and stream_wrapper_restore are not disabled. Therefore, through these two functions, we can restore native http requests, initiate an http request to all the places we want to launch:
 
 
If (in_array ("http", stream_get_wrappers ())){
 
Stream_wrapper_unregister ("http ");
 
}
 
 
 
Stream_wrapper_restore ("http "));
Solution: currently, SAE has disabled related functions and fixed related code.
 
 
Excerpt from @ wooyun