毕业设计之php RASP(三) 收尾

一个是HTTP信息、堆栈信息，另外则是把所有信息聚集起来然后发送给服务器，用WEB界面进行展示

堆栈信息

这部分比较好做，因为php本身就有debug_print_backtrace函数可以实现，稍微改一改即可。

把这三部分去掉即可，这样便可以获取到底层函数的调用栈。

当然还有一个就是获取每个被调用函数的参数。

void debug_backtrace_args(zval *arg_array,char *tmp_result)
{
  zval **tmp;
  HashPosition iterator;
  int i = 0;

  zend_hash_internal_pointer_reset_ex(arg_array->value.ht, &iterator);
  while (zend_hash_get_current_data_ex(arg_array->value.ht, (void **) &tmp, &iterator) == SUCCESS) {
    if (i++) {
      strcat(tmp_result,", ");
    }
    strcat(tmp_result,Z_STRVAL_PP(tmp));
    zend_hash_move_forward_ex(arg_array->value.ht, &iterator);
  }
}

HTTP信息

这部分也可以从php源码里面找到一些，比如请求的url之类的

static void sapi_thttpd_register_variables(zval *track_vars_array TSRMLS_DC)
{
php_register_variable("PHP_SELF", SG(request_info).request_uri, track_vars_array TSRMLS_CC);
	php_register_variable("SERVER_SOFTWARE", SERVER_SOFTWARE, track_vars_array TSRMLS_CC);
	php_register_variable("GATEWAY_INTERFACE", "CGI/1.1", track_vars_array TSRMLS_CC);
	php_register_variable("REQUEST_METHOD", (char *) SG(request_info).request_method, track_vars_array TSRMLS_CC);
	php_register_variable("REQUEST_URI", SG(request_info).request_uri, track_vars_array TSRMLS_CC);
	php_register_variable("PATH_TRANSLATED", SG(request_info).path_translated, track_vars_array TSRMLS_CC);
}

我这里获取简单一点

static void get_http_info(char *info){
  sprintf(info,"%s %s\r\n\
  Cookie:  %s \r\n\
  Data:  %s",SG(request_info).request_method,SG(request_info).request_uri,SG(request_info).cookie_data,SG(request_info).post_data);

发送信息

为了方便点就利用http来发送，在github找一份已经封装好的库

int post(int sd, struct http_url *url, char *data) {
  char buf[1024] = {0};
  int data_len = strlen(data) - 1;
  
  snprintf(
    buf,
    sizeof(buf),
    "\
POST /%s HTTP/1.1\r\n\
User-Agent: Mozilla/4.0 (Linux)\r\n\
Host: %s\r\n\
Accept: */*\r\n\
Content-Length: %d\r\n\
Connection: close\r\n\
\r\n\
%s\r\n\
\r\n",
    url->query,
    url->host,
    data_len,
    data);

  if (http_send(sd, buf)) {
    perror("http_send");
    return -1;
  }

  return 0;
}

static void http_get_request(char *data){
  struct http_url *url;
  struct http_message msg;
  int sd;

  if (!(url = http_parse_url("http://10.211.55.4/lemon_api.php")) ||
      !(sd = http_connect(url))) {
    free(url);
    perror("http_connect");
    return -1;
  }

  memset(&msg, 0, sizeof(msg));

  if (!post(sd, url, data)) {
    while (http_response(sd, &msg) > 0) {
      if (msg.content) {
        write(1, msg.content, msg.length);
      }
    }
  }

  free(url);
  close(sd);

  if (msg.header.code != 200) {
    fprintf(
      stderr,
      "error: returned HTTP code %d\n",
      msg.header.code);
  }
}

github给了一个post数据的样例，不过它那出现一点小问题，就是在post函数里面，buf未初始化。

信息展示

测试代码

<?php
function aa(){
    $a = @$_GET['i'];
    $b = "sys"."tem";
    $command = "echo ".$a." iaml3m0n ";
    $b($command);
}
aa();

{'http':'R0VUIC8yLnBocD9pPWBpZGAmaTE9bGVtb24NCiAgQ29va2llOiAgKG51bGwpIA0KICBEYXRhOiAgKG51bGwp','stack':'IzAgc3lzdGVtKGVjaG8gYGlkYCBpYW1sM20wbiApIGNhbGxlZCBhdCBbL3Zhci93d3cvaHRtbC9iaXNoZS8xLnBocDo3XQojMSBhYSgpIGNhbGxlZCBhdCBbL3Zhci93d3cvaHRtbC9iaXNoZS8xLnBocDoxMF0KIzIgaW5jbHVkZSgvdmFyL3d3dy9odG1sL2Jpc2hlLzEucGhwKSBjYWxsZWQgYXQgWy92YXIvd3d3L2h0bWwvYmlzaGUvMi5waHA6Ml0K'}

解码出来:
#0 system(echo `id` iaml3m0n ) called at [/var/www/html/bishe/1.php:7]
#1 aa() called at [/var/www/html/bishe/1.php:10]
#2 include(/var/www/html/bishe/1.php) called at [/var/www/html/bishe/2.php:2]

GET /2.php?i=`id`&i1=lemon
Cookie:  (null) 
Data:  (null)