Shulou (Shulou.com), 06/03. Updated 2025-01-19, SLTechnology News&Howtos.
This article walks through PHP pseudo-protocols (stream wrappers) with examples of each.
file:// protocol
Conditions:
allow_url_fopen: off/on
allow_url_include: off/on
Function:
Accesses the local file system. In CTFs it is usually used to read local files, and it is not affected by allow_url_fopen or allow_url_include.
If the argument to include() / require() / include_once() / require_once() is controllable, the imported file is parsed as PHP even when it is not a .php file; this behaviour comes from include() itself.
Description:
file:// is the default wrapper used by PHP and represents the local file system. When a relative path is specified (one that does not start with /, \, or a Windows drive letter), it is resolved against the current working directory. In many cases that is the directory where the script is located, unless it has been changed. With the CLI, it defaults to the directory from which the script was called. With some functions, such as fopen() and file_get_contents(), include_path may optionally be searched for relative paths as well.
Usage:
/path/to/file.ext
relative/path/to/file.ext
fileInCwd.ext
C:/path/to/winfile.ext
C:\path\to\winfile.ext
\\smbserver\share\path\to\winfile.ext
file:///path/to/file.ext
Example:
file://[absolute path and file name]
http://127.0.0.1/include.php?file=file://E:\phpStudy\PHPTutorial\WWW\phpinfo.txt
[relative path and file name]
http://127.0.0.1/include.php?file=./phpinfo.txt
[http:// network path and file name]
http://127.0.0.1/include.php?file=http://127.0.0.1/phpinfo.txt
Reference: http://php.net/manual/zh/wrappers.file.php
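The example URLs in this article assume an include.php that passes its file parameter straight to include(). As an added example (not code from the original article), here is a hardened form of that endpoint. The page keys, the pages/ directory and the function name resolve_page() are hypothetical.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern the example URLs rely on (shown for contrast only):
//     include $_GET['file'];
// Any string reaches include(), so file://, relative paths and, depending
// on php.ini, remote URLs are all accepted and parsed as PHP.

// Hypothetical allowlist: request key => file shipped with the application.
const PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

/**
 * Map a request key to an includable path, or return null.
 * The user-supplied value is only ever used as an array key, so no
 * path, extension or wrapper scheme from the request reaches include().
 */
function resolve_page(string $key, string $baseDir): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null;
    }
    // realpath() resolves symlinks and ".." and returns false if missing.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$key]);
    if ($base === false || $path === false) {
        return null;
    }
    // Defence in depth: the resolved file must still sit under $baseDir.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$key  = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
$path = resolve_page($key, __DIR__ . '/pages');
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
include $path;
```

Because the request value never becomes part of a path, this form does not depend on allow_url_fopen or allow_url_include being off.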
php:// protocol
Conditions:
allow_url_fopen: off/on
allow_url_include: needs to be on only for php://input, php://stdin, php://memory and php://temp
Function:
php:// accesses the various input/output (I/O) streams. php://filter and php://input are the ones most often used in CTFs: php://filter to read source code, and php://input to execute PHP code.
Description:
PHP provides a number of miscellaneous input/output (I/O) streams that allow access to PHP's own input and output streams, the standard input, output and error descriptors, in-memory and disk-backed temporary file streams, and filters that can manipulate other file resources as they are read from and written to.
What each stream does:
php://input: read-only stream of the raw request data, that is, the data part of a POST request. php://input is not available when enctype="multipart/form-data".
php://output: write-only stream that writes to the output buffer in the same way as print and echo.
php://fd (>= 5.3.6): direct access to the specified file descriptor. For example, php://fd/3 refers to file descriptor 3.
php://memory, php://temp (>= 5.1.0): file-like stream wrappers that allow temporary data to be read and written. The only difference between the two is that php://memory always stores the data in memory, while php://temp stores it in a temporary file once the amount of data reaches a predefined limit (2 MB by default). The location of the temporary file is determined in the same way as sys_get_temp_dir().
php://filter (>= 5.0.0): a meta-wrapper designed to apply filters to a stream at the time it is opened. This is useful with all-in-one file functions such as readfile(), file() and file_get_contents(), where there is otherwise no opportunity to apply a filter before the contents of the stream are read.
Detailed explanation of php://filter parameters
The parameters are passed as part of the path, and several parameters can be passed on one path:
resource=: required. Specifies the data stream that you want to filter.
read=: optional. One or more filter names, separated by the pipe character (|).
write=: optional. One or more filter names, separated by the pipe character (|).
Any filter list that is not prefixed with read= or write= is applied to the read or write chain as appropriate.
List of available filters (4 categories)
The main filter types are listed here. For more information, please refer to https://www.php.net/manual/zh/filters.php
String filters
string.rot13: same as str_rot13(), the rot13 transform
string.toupper: same as strtoupper(), converts to uppercase
string.tolower: same as strtolower(), converts to lowercase
string.strip_tags: same as strip_tags(), removes HTML and PHP tags
Conversion filters
convert.base64-encode & convert.base64-decode: same as base64_encode() and base64_decode(), base64 encoding and decoding
convert.quoted-printable-encode & convert.quoted-printable-decode: encoding and decoding between quoted-printable strings and 8-bit strings
Compression filters
zlib.deflate & zlib.inflate: a way to create gzip-compatible files on the local file system without generating the header and trailer that command-line tools such as gzip add; only the payload portion of the data stream is compressed and decompressed
bzip2.compress & bzip2.decompress: as above, a way to create bz2-compatible files on the local file system
Encryption filters
mcrypt.*: libmcrypt symmetric encryption algorithms
mdecrypt.*: libmcrypt symmetric decryption algorithms
Example:
php://filter/read=convert.base64-encode/resource=[file name] reads the source code of the file (PHP files must be base64-encoded, otherwise include() executes them instead of returning the source)
http://127.0.0.1/include.php?file=php://filter/read=convert.base64-encode/resource=phpinfo.php
php://input + [POST DATA] executes PHP code
http://127.0.0.1/include.php?file=php://input
[POST DATA part]
If you have write permission, a one-line web shell can be written
http://127.0.0.1/include.php?file=php://input
[POST DATA part]
Reference: https://php.net/manual/zh/wrappers.php.php
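The read=, write= and pipe syntax described in this section, run against a scratch file and compared with the equivalent string functions from the filter list. This is an added example, not code from the original article; the sample text, the temp file prefix and the check() helper are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

function check(string $label, bool $ok): void
{
    echo ($ok ? 'PASS' : 'FAIL'), "  {$label}\n";
}

// Constructed sample data in a scratch file.
$tmp = tempnam(sys_get_temp_dir(), 'flt');
file_put_contents($tmp, "Hello wrappers\n");
$raw = file_get_contents($tmp);

// read= chain: filters run left to right while the resource is read.
$out = file_get_contents(
    'php://filter/read=string.toupper|string.rot13/resource=' . $tmp
);
check('read=string.toupper|string.rot13', $out === str_rot13(strtoupper($raw)));

// convert.base64-encode on read matches base64_encode() of the same bytes.
$out = file_get_contents(
    'php://filter/read=convert.base64-encode/resource=' . $tmp
);
check('read=convert.base64-encode', $out === base64_encode($raw));

// write= chain: the filter transforms data before it reaches the resource.
file_put_contents('php://filter/write=string.rot13/resource=' . $tmp, 'Hello');
check('write=string.rot13', file_get_contents($tmp) === str_rot13('Hello'));

// The same filter attached to an open stream. php://temp holds the data in
// memory and spills to a temporary file only past its size limit.
$fp = fopen('php://temp', 'w+');
stream_filter_append($fp, 'string.toupper', STREAM_FILTER_WRITE);
fwrite($fp, 'in-memory stream');
rewind($fp);
check('stream_filter_append on php://temp',
    stream_get_contents($fp) === 'IN-MEMORY STREAM');
fclose($fp);
unlink($tmp);
```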
zip:// & bzip2:// & zlib:// protocol
Conditions:
allow_url_fopen: off/on
allow_url_include: off/on
Role: zip://, bzip2:// and zlib:// are compression streams that give access to the files inside a compressed archive. More importantly, the archive does not need a specific suffix and can be renamed to any suffix: jpg, png, gif, xxx, and so on.
Example:
zip://[absolute path to the archive]%23[name of the file inside the archive] (# is encoded as %23)
Compress phpinfo.txt into phpinfo.zip, rename the archive to phpinfo.jpg, and upload it
http://127.0.0.1/include.php?file=zip://E:\phpStudy\PHPTutorial\WWW\phpinfo.jpg%23phpinfo.txt
compress.bzip2://file.bz2
Compress phpinfo.txt into phpinfo.bz2 and upload it (any suffix is also supported)
http://127.0.0.1/include.php?file=compress.bzip2://E:\phpStudy\PHPTutorial\WWW\phpinfo.bz2
compress.zlib://file.gz
Compress phpinfo.txt into phpinfo.gz and upload it (any suffix is also supported)
http://127.0.0.1/include.php?file=compress.zlib://E:\phpStudy\PHPTutorial\WWW\phpinfo.gz
Reference: http://php.net/manual/zh/wrappers.compression.php
data:// protocol
Conditions:
allow_url_fopen: on
allow_url_include: on
Purpose: since PHP >= 5.2.0, the data:// stream wrapper can be used to pass data inline in the appropriate format. It can usually be used to execute PHP code.
Usage:
data://text/plain,
data://text/plain;base64,
Example:
data://text/plain
http://127.0.0.1/include.php?file=data://text/plain,
data://text/plain;base64
http://127.0.0.1/include.php?file=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOz8%2b
http:// & https:// protocol
Conditions:
allow_url_fopen: on
allow_url_include: on
Purpose: the ordinary URL form, which allows read-only access to files or resources through the HTTP 1.0 GET method. In CTFs it is commonly used for remote file inclusion.
Usage:
http://example.com
http://example.com/file.php?var1=val1&var2=val2
http://user:password@example.com
https://example.com
https://example.com/file.php?var1=val1&var2=val2
https://user:password@example.com
Example:
http://127.0.0.1/include.php?file=http://127.0.0.1/phpinfo.txt
phar:// protocol
The phar:// protocol is similar to zip:// in that it can also access the contents of a zip-format archive. Only one example is given here:
http://127.0.0.1/include.php?file=phar://E:/phpStudy/PHPTutorial/WWW/phpinfo.zip/phpinfo.txt
In addition, at the Black Hat 2018 conference, researchers presented a new attack technique against PHP applications: object injection through the phar:// protocol.
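Every example request in this article carries a wrapper scheme at the start of a query parameter value, which makes it detectable in web server logs. The following is an added example (not from the original article) that flags such requests; the log lines are constructed, and the function names and the regular expression are assumptions of this sketch.

```php
<?php
declare(strict_types=1);

// Wrapper schemes covered in this article, matched at the start of a value.
const WRAPPER_RE =
    '~^\s*(file|php|zip|phar|data|compress\.(?:zlib|bzip2)|https?)://~i';

/** Percent-decode repeatedly so double-encoded schemes are still seen. */
function fully_decode(string $v, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $next = rawurldecode($v);
        if ($next === $v) {
            break;
        }
        $v = $next;
    }
    return $v;
}

/** Return [parameter => scheme] for query values that begin with a wrapper. */
function wrapper_params(string $requestUri): array
{
    $hits  = [];
    $pos   = strpos($requestUri, '?');
    $query = $pos === false ? '' : substr($requestUri, $pos + 1);
    foreach (explode('&', $query) as $pair) {
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        if (preg_match(WRAPPER_RE, fully_decode($value), $m) === 1) {
            $hits[fully_decode($name)] = strtolower($m[1]);
        }
    }
    return $hits;
}

// Constructed access-log lines; the request paths reuse this article's examples.
$log = [
    '127.0.0.1 - - [19/Jan/2025:10:00:01 +0000] "GET /include.php?file=./phpinfo.txt HTTP/1.1" 200 512',
    '127.0.0.1 - - [19/Jan/2025:10:00:02 +0000] "GET /include.php?file=php://filter/read=convert.base64-encode/resource=phpinfo.php HTTP/1.1" 200 900',
    '127.0.0.1 - - [19/Jan/2025:10:00:03 +0000] "GET /include.php?file=%70hp%3A%2F%2Finput HTTP/1.1" 200 0',
    '127.0.0.1 - - [19/Jan/2025:10:00:04 +0000] "GET /include.php?file=phar://E:/phpStudy/PHPTutorial/WWW/phpinfo.zip/phpinfo.txt HTTP/1.1" 200 512',
];

foreach ($log as $line) {
    if (preg_match('~"[A-Z]+ (\S+) HTTP/[\d.]+"~', $line, $m) !== 1) { continue; }
    foreach (wrapper_params($m[1]) as $param => $scheme) {
        echo "ALERT param={$param} scheme={$scheme}:// uri={$m[1]}\n";
    }
}
```

Access logs only record the query string, so parameters sent in a POST body need the same check in application middleware or a WAF.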