Graduation project: PHP RASP (part 3), wrapping up
Two pieces remain: one is collecting the HTTP information and the stack information; the other is gathering everything together, sending it to a server and showing it in a web interface.
Stack information
This part is fairly easy, because PHP already has debug_print_backtrace; its implementation can be reused with small changes.
Remove those three parts and you obtain the call stack down to the underlying function.
One more thing is needed: the arguments of each function in the call chain. The helper below walks a frame's argument array and joins the values into one string.
/* Append each argument of one backtrace frame to tmp_result, comma-separated.
 * arg_array is the frame's "args" entry from the PHP 5 backtrace (a HashTable of zval*);
 * tmp_result must be a NUL-terminated buffer of result_size bytes. */
void debug_backtrace_args(zval *arg_array, char *tmp_result, size_t result_size)
{
    zval **tmp;
    HashPosition iterator;
    HashTable *ht = Z_ARRVAL_P(arg_array);
    int i = 0;

    zend_hash_internal_pointer_reset_ex(ht, &iterator);
    while (zend_hash_get_current_data_ex(ht, (void **) &tmp, &iterator) == SUCCESS) {
        /* Arguments are not always strings: Z_STRVAL_PP on an int or an array reads garbage.
         * Convert a copy so the script's own zval is left untouched. */
        zval copy = **tmp;
        zval_copy_ctor(&copy);
        convert_to_string(&copy);

        if (i++) {
            strncat(tmp_result, ", ", result_size - strlen(tmp_result) - 1);
        }
        /* bounded append: attacker-controlled argument values end up in this buffer */
        strncat(tmp_result, Z_STRVAL(copy), result_size - strlen(tmp_result) - 1);

        zval_dtor(&copy);
        zend_hash_move_forward_ex(ht, &iterator);
    }
}
HTTP information
Some of this can also be lifted from the PHP source; the thttpd SAPI, for example, registers the request URL and related variables like this:
static void sapi_thttpd_register_variables(zval *track_vars_array TSRMLS_DC)
{
    php_register_variable("PHP_SELF", SG(request_info).request_uri, track_vars_array TSRMLS_CC);
    php_register_variable("SERVER_SOFTWARE", SERVER_SOFTWARE, track_vars_array TSRMLS_CC);
    php_register_variable("GATEWAY_INTERFACE", "CGI/1.1", track_vars_array TSRMLS_CC);
    php_register_variable("REQUEST_METHOD", (char *) SG(request_info).request_method, track_vars_array TSRMLS_CC);
    php_register_variable("REQUEST_URI", SG(request_info).request_uri, track_vars_array TSRMLS_CC);
    php_register_variable("PATH_TRANSLATED", SG(request_info).path_translated, track_vars_array TSRMLS_CC);
}
My version here is simpler: format the method, URI, cookie and request body into a single string.
static void get_http_info(char *info, size_t info_size)
{
    /* cookie_data and post_data are NULL when the request carries none (a plain GET).
     * glibc prints "(null)" for a NULL %s, other libcs crash, so substitute explicitly. */
    const char *cookie = SG(request_info).cookie_data ? SG(request_info).cookie_data : "(null)";
    const char *post   = SG(request_info).post_data   ? SG(request_info).post_data   : "(null)";

    /* snprintf, not sprintf: the URI and body are attacker-controlled lengths */
    snprintf(info, info_size, "%s %s\r\nCookie: %s \r\nData: %s",
             SG(request_info).request_method, SG(request_info).request_uri, cookie, post);
}
Sending the information
For convenience the report is sent over HTTP, using a ready-made client library found on GitHub:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "http.h"   /* header of the GitHub HTTP client library used below (header name assumed) */

int post(int sd, struct http_url *url, char *data) {
    char buf[8192] = {0};             /* 1024 bytes cannot hold the headers plus a base64-encoded stack trace */
    size_t data_len = strlen(data);   /* Content-Length must equal the body size exactly, not strlen - 1 */
    int n = snprintf(
        buf,
        sizeof(buf),
        "POST /%s HTTP/1.1\r\n"
        "User-Agent: Mozilla/4.0 (Linux)\r\n"
        "Host: %s\r\n"
        "Accept: */*\r\n"
        "Content-Length: %zu\r\n"
        "Connection: close\r\n"
        "\r\n"
        "%s",                         /* nothing after the body: trailing CRLFs would exceed Content-Length */
        url->query,
        url->host,
        data_len,
        data);
    if (n < 0 || (size_t)n >= sizeof(buf)) {
        fprintf(stderr, "post: request does not fit in buf\n");
        return -1;
    }
    if (http_send(sd, buf)) {
        perror("http_send");
        return -1;
    }
    return 0;
}

/* Despite its name this performs the POST. Returns 0 on success, -1 on connect, send or
 * non-200 failure (the original was declared void but still returned -1). */
static int http_get_request(char *data){
    struct http_url *url;
    struct http_message msg;
    int sd;
    if (!(url = http_parse_url("http://10.211.55.4/lemon_api.php")) ||
        !(sd = http_connect(url))) {
        free(url);
        perror("http_connect");
        return -1;
    }
    memset(&msg, 0, sizeof(msg));
    if (post(sd, url, data)) {
        free(url);
        close(sd);
        return -1;
    }
    while (http_response(sd, &msg) > 0) {
        if (msg.content) {
            /* debugging aid only: fd 1 is not a terminal inside a web server process */
            write(1, msg.content, msg.length);
        }
    }
    free(url);
    close(sd);
    if (msg.header.code != 200) {
        fprintf(
            stderr,
            "error: returned HTTP code %d\n",
            msg.header.code);
        return -1;
    }
    return 0;
}
GitHub gives a sample for posting data, but it has a small problem: in the post function, buf is not initialized.
Displaying the information
Test code
<?php
// Deliberately vulnerable test page: $_GET['i'] flows unescaped into a shell command,
// and the callee name is assembled at runtime so a naive grep for "system" misses it.
function aa(){
    $a = @$_GET['i'];
    $b = "sys"."tem";
    $command = "echo ".$a." iaml3m0n ";
    $b($command);   // resolves to system(); this is the frame the RASP hooks (frame #0 below)
}
aa();
{'http':'R0VUIC8yLnBocD9pPWBpZGAmaTE9bGVtb24NCiAgQ29va2llOiAgKG51bGwpIA0KICBEYXRhOiAgKG51bGwp','stack':'IzAgc3lzdGVtKGVjaG8gYGlkYCBpYW1sM20wbiApIGNhbGxlZCBhdCBbL3Zhci93d3cvaHRtbC9iaXNoZS8xLnBocDo3XQojMSBhYSgpIGNhbGxlZCBhdCBbL3Zhci93d3cvaHRtbC9iaXNoZS8xLnBocDoxMF0KIzIgaW5jbHVkZSgvdmFyL3d3dy9odG1sL2Jpc2hlLzEucGhwKSBjYWxsZWQgYXQgWy92YXIvd3d3L2h0bWwvYmlzaGUvMi5waHA6Ml0K'}
Decoded, the two base64 fields read:
#0 system(echo `id` iaml3m0n ) called at [/var/www/html/bishe/1.php:7]
#1 aa() called at [/var/www/html/bishe/1.php:10]
#2 include(/var/www/html/bishe/1.php) called at [/var/www/html/bishe/2.php:2]
GET /2.php?i=`id`&i1=lemon
Cookie: (null)
Data: (null)
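To show the reporting path end to end (formatting the HTTP information, base64-encoding it together with the stack trace into the {'http':...,'stack':...} body shown above, and building a POST whose Content-Length matches the bytes sent), here is an added example that is not the extension's code or the GitHub library's: plain C with no Zend dependency, so it compiles on its own. The function names, the User-Agent string and the sample stack trace (decoded from the report above) are this example's own assumptions; the two-space Cookie/Data layout reproduces the captured report, which is why the http field encodes to the same base64 as on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the RASP extension's code: the reporting path in plain C.
 * Function names and the sample data below are this example's own. */

/* Constructed sample: the stack trace decoded from the report on this page. */
static const char kSampleStack[] =
    "#0 system(echo `id` iaml3m0n ) called at [/var/www/html/bishe/1.php:7]\n"
    "#1 aa() called at [/var/www/html/bishe/1.php:10]\n"
    "#2 include(/var/www/html/bishe/1.php) called at [/var/www/html/bishe/2.php:2]\n";

static const char *or_null(const char *s) { return s ? s : "(null)"; }

/* Same layout as get_http_info(), with the spacing the captured report shows, but
 * bounded and NULL-safe: glibc prints "(null)" for a NULL %s (that is where the
 * "(null)" in the report came from), other libcs crash. Returns -1 on truncation. */
int build_http_info(char *out, size_t out_size, const char *method,
                    const char *uri, const char *cookie, const char *post)
{
    int n = snprintf(out, out_size, "%s %s\r\n  Cookie:  %s \r\n  Data:  %s",
                     or_null(method), or_null(uri), or_null(cookie), or_null(post));
    return (n < 0 || (size_t)n >= out_size) ? -1 : n;
}

/* RFC 4648 base64 with '=' padding; returns chars written, or -1 if out is too small. */
int base64_encode(const unsigned char *in, size_t in_len, char *out, size_t out_size)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t need = 4 * ((in_len + 2) / 3), i, o = 0;
    if (out_size < need + 1) return -1;
    for (i = 0; i + 2 < in_len; i += 3) {          /* full 3-byte groups */
        unsigned v = (in[i] << 16) | (in[i + 1] << 8) | in[i + 2];
        out[o++] = tbl[v >> 18]; out[o++] = tbl[(v >> 12) & 63];
        out[o++] = tbl[(v >> 6) & 63]; out[o++] = tbl[v & 63];
    }
    if (in_len - i == 1) {                         /* one byte left: two chars + "==" */
        unsigned v = in[i] << 16;
        out[o++] = tbl[v >> 18]; out[o++] = tbl[(v >> 12) & 63];
        out[o++] = '='; out[o++] = '=';
    } else if (in_len - i == 2) {                  /* two bytes left: three chars + "=" */
        unsigned v = (in[i] << 16) | (in[i + 1] << 8);
        out[o++] = tbl[v >> 18]; out[o++] = tbl[(v >> 12) & 63];
        out[o++] = tbl[(v >> 6) & 63]; out[o++] = '=';
    }
    out[o] = '\0';
    return (int)o;
}

/* The body exactly as the captured report shows it: {'http':'<b64>','stack':'<b64>'} */
int build_report(char *out, size_t out_size, const char *http_info, const char *stack)
{
    char http_b64[1024], stack_b64[4096];
    if (base64_encode((const unsigned char *)http_info, strlen(http_info), http_b64, sizeof http_b64) < 0 ||
        base64_encode((const unsigned char *)stack, strlen(stack), stack_b64, sizeof stack_b64) < 0)
        return -1;
    int n = snprintf(out, out_size, "{'http':'%s','stack':'%s'}", http_b64, stack_b64);
    return (n < 0 || (size_t)n >= out_size) ? -1 : n;
}

/* HTTP/1.1 POST whose Content-Length is the number of body bytes actually sent (the
 * page's post() declared strlen(data) - 1 and then appended CRLFs after the body).
 * Returns the request length, or -1 when buf is too small for headers plus body. */
int build_post_request(char *buf, size_t buf_size, const char *host,
                       const char *path, const char *body)
{
    int n = snprintf(buf, buf_size,
                     "POST /%s HTTP/1.1\r\n"
                     "Host: %s\r\n"
                     "User-Agent: php-rasp-agent\r\n"   /* assumed agent string */
                     "Accept: */*\r\n"
                     "Content-Length: %zu\r\n"
                     "Connection: close\r\n"
                     "\r\n"
                     "%s",
                     path, host, strlen(body), body);
    return (n < 0 || (size_t)n >= buf_size) ? -1 : n;
}

int main(void)
{
    char info[256], report[8192], req[8192];
    /* Constructed request matching the page's test: a GET with no cookie and no body. */
    if (build_http_info(info, sizeof info, "GET", "/2.php?i=`id`&i1=lemon", NULL, NULL) < 0 ||
        build_report(report, sizeof report, info, kSampleStack) < 0)
        return 1;
    int n = build_post_request(req, sizeof req, "10.211.55.4", "lemon_api.php", report);
    if (n < 0) { fputs("report does not fit in the request buffer\n", stderr); return 1; }
    fwrite(req, 1, (size_t)n, stdout);   /* the bytes post() should hand to http_send() */
    return 0;
}
```

Compile with cc -std=c99 and run; the output is the exact byte sequence the sender should pass to http_send(). Sizing the request buffer for the payload and checking snprintf's return value are what keep a long stack trace from turning into a truncated, mis-framed request that the receiving lemon_api.php would silently drop or misparse.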
know it then do it