This article brings you relevant knowledge about PHP, which mainly introduces the relevant content about native classes. Let’s take a look at it together. I hope it will be helpful to everyone.
This time HEctf is a native question with only three lines of code. Sure enough, the shorter the code, the more difficult it is in ctf.
First post a script that traverses php built-in classes
Copy after login
Result:
Sort it out:
Exception ErrorException Error ParseError TypeError ArgumentCountError ArithmeticError DivisionByZeroError ClosedGeneratorException DateTime DateTimeZone DatePeriod DirectoryIterator wakeup JsonException wakeup LogicException BadFunctionCallException InvalidArgumentException OutOfRangeException RuntimeException OverflowException RangeException UnderflowException GlobIterator SplFixedArray ReflectionException ReflectionFunctionAbstract ReflectionParameter ReflectionMethod ReflectionClass ReflectionClassConstant ReflectionZendExtension AssertionError DOMException PDOException SimpleXMLElement mysqli_sql_exception PharException PharData PharFileInfo
Approximately These are the classes, but the following classes are often used in ctf competitions
#__toString method will return an error or exception String form, which contains the parameters we input. If we construct a string of xss code and combine it with echo rendering, the reflected xss vulnerability will be triggered
demo:
Copy after login
poc
alert('hacker')"); $b = serialize($a); echo urlencode($b);
Output a string of strings
O%3A5%3A%22Error%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3 Bs%3A32%3A%22%3Cscript%3Ealert%28%27hacker%27%29%3C%2Fscript%3E%22%3Bs%3A13%3A%22%00Error%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A25%3A%22E%3A%5Cphp%5Cfunction%5Ctest2.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A2%3Bs%3A12%3A%22%00Error%00trace%22%3Ba%3A0%3A%7B%7Ds%3A15%3A%22%00Error%00previous%22%3BN%3B%7D复制代码
Successful pop-up window
ExceptionYes Base class for all user-level exceptions. (PHP 5, 7, 8)
alert('hacker')"); $b = serialize($a); echo urlencode($b); ?>
seems to have the same pop structure as error (exception is applicable to php5 and 7, error is only applicable to php7), just replace error with exception. Still pops up successfully
By constructing these two classes, you can bypass md5() and sha1 ()function. Both error and exception have an important method: _tostring, which is used to convert exception objects into strings.
Similarly, when the md5() and sha1() functions process objects, the __tostring method will be automatically called
"; echo $b."
";
It can be seen that the payload The following parameters do not affect the output results. It is through this that the hash function can be bypassed.
Copy after login
Simple Object Access Protocol meaning
The reason why it is said here is simple, Because it is based on two protocols that have been widely used: HTTP and XML, the industry calls this technology "it is the first technology that does not invent any new technology". It is called an object because the access Web services are called objects. Since the service is an object, the service must have related attributes and calling behaviors. These attributes and behaviors are described through WSDL. If you understand it in terms of "Simple Object Access Protocol", it is easier than "Simple Object Access Protocol"
PHP's built-in class SoapClient is a class specifically used to access web services and can provide a SOAP-based Protocol for PHP clients to access web services.
The constructor of this class is as follows:
public SoapClient :: SoapClient(mixed $wsdl [,array $options ])
DirectoryIterator
__toStringGet the file name in string form (PHP 5, 7, 8)
For example:
'); } echo $a;
Output the first sorted file in the specified directory A file name
Use the __toString method of this built-in class combined with the glob or file protocol to achieve directory traversal
'; }
Use the foreach function Traverse all files
'; }
One more slash, one forward in the directory.
FilesystemIterator Class
The FilesystemIterator class is identical to the DirectoryIterator class and provides a simple interface for viewing the contents of a file system directory. The constructor of this class will create an iterator of the specified directory.
The usage method of this class is basically the same as the DirectoryIterator class:
'; }
SplFileObject::__toString— 以字符串形式返回文件的路径
Copy after login
输出多行
Copy after login
推荐学习:《PHP视频教程》
The above is the detailed content of Summary sharing of PHP native classes. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
