
Broken knowledge

2022-06-21 11:35:00 Whoa, whoa, whoa, whoa, whoa, whoa

PHP cURL

curl_init(): initializes a cURL session and returns the handle that curl_setopt(), curl_exec() and curl_close() operate on.

curl_setopt(): sets an option on the cURL handle for the request.
CURLOPT_URL specifies the URL to fetch; its value follows the option name.

CURLOPT_RETURNTRANSFER: makes curl_exec() return the response as a string instead of printing it directly.

curl_exec(): returns TRUE on success or FALSE on failure. If CURLOPT_RETURNTRANSFER is set, it returns the fetched content on success and FALSE on failure.

CURLINFO_HTTP_CODE: the last HTTP status code received.
curl_getinfo(): returns the requested value as a string; because CURLINFO_HTTP_CODE is passed here, what comes back is the status code.
If the status code is not 404, the result of curl_exec() is returned.
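The flow described above, as an added example that is not part of the original post: curl_init(), curl_setopt(), curl_exec() and curl_getinfo(CURLINFO_HTTP_CODE) in one function, with a host allow-list and protocol restriction in front so the script only fetches http(s) URLs on hosts you chose. ALLOWED_HOSTS, fetch_page() and the sample URLs are constructed for illustration.

```php
<?php
// Added example: the fetch flow from the notes plus an allow-list check.
// ALLOWED_HOSTS and the sample URLs are constructed values.
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];

function url_is_allowed(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    // Only http/https schemes, and only hosts on the allow-list.
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return in_array(strtolower($p['host']), ALLOWED_HOSTS, true);
}

// Returns the body, or null when the URL is rejected, curl fails, or the
// server answers 404 (the status check the notes describe).
function fetch_page(string $url): ?string
{
    if (!url_is_allowed($url)) {
        return null;
    }
    $ch = curl_init();                                   // new cURL session
    curl_setopt($ch, CURLOPT_URL, $url);                 // target URL
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);      // return body, do not print
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);     // a redirect could leave the allow-list
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_TIMEOUT, 5);
    $body = curl_exec($ch);                              // string, or false on failure
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);       // last HTTP status code
    curl_close($ch);
    if ($body === false || (int) $code === 404) {
        return null;
    }
    return $body;
}

var_dump(url_is_allowed('https://example.com/index.html'));
var_dump(url_is_allowed('ftp://example.com/'));
var_dump(url_is_allowed('https://other.example.org/'));
```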

PHP escapeshellarg() + escapeshellcmd() recap

exp=highlight_file(next(array_reverse(scandir(pos(localeconv())))));

highlight_file(): prints a file with syntax highlighting; it is an alias of show_source().
next(): advances the array's internal pointer and returns the value of the next element.
array_reverse(): returns the array with its elements in reverse order (the values are what matter here).
scandir(): returns an array of the files and directories in the given directory.
pos(): returns the value of the current element of the array.
localeconv(): returns an array of locale numeric and monetary formatting information; its first element is ".".
Principle:
localeconv() always returns that fixed ".", and pos() extracts it. Passing it on in the constructed payload makes scandir() return the listing of the current directory (in other words, it reads out the files in the current directory). array_reverse() outputs that listing in reverse order (so that the queried entries come out in the wanted order), next() then takes the second element (filtering out "."), and finally highlight_file() displays it.
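A detector for that shape of payload, added here and not part of the original post: it flags a request parameter whose whole value is a nested chain of parameterless calls such as f(g(h())), which is exactly the form the exp value above has and which ordinary input never takes. CHAIN_PATTERN, suspicious_params() and the sample request are constructed.

```php
<?php
// Added example: flag request parameters that consist solely of a nested
// chain of parameterless function calls, e.g. a(b(c())), before they reach
// any eval-style sink. Sample inputs below are constructed.

// Group 1 matches identifier "(" optional recursive chain ")"; (?1) recurses
// into group 1, so only properly nested chains match. A trailing ";" is allowed.
const CHAIN_PATTERN = '/^([A-Za-z_]\w*\((?1)?\));?$/';

function is_call_chain(string $value): bool
{
    return preg_match(CHAIN_PATTERN, $value) === 1;
}

// Returns the names of the parameters whose values look like call chains.
function suspicious_params(array $params): array
{
    $hits = [];
    foreach ($params as $name => $value) {
        if (is_string($value) && is_call_chain($value)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed request: one ordinary parameter, the chain from the notes,
// and a call with a literal argument (not a bare chain, so not flagged).
$request = [
    'page' => 'index',
    'exp'  => 'highlight_file(next(array_reverse(scandir(pos(localeconv())))));',
    'q'    => 'strlen("abc")',
];

print_r(suspicious_params($request));
```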

preg_replace() with a pattern ending in the /e modifier has a code execution vulnerability: if /e is present and the pattern matches the subject string, the second parameter (the replacement) is executed as PHP code.

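The two forms side by side, as an added example that is not from the original post: a replacement written with the /e modifier, which evaluates the replacement string as PHP code on every match (and which PHP 7 and later refuse to run), next to the same transformation done with preg_replace_callback(), where the replacement is a real function and the matched text is only ever data. The function names and the sample input are constructed.

```php
<?php
// Added example: /e-style replacement versus preg_replace_callback().
// The task: upper-case every word in a constructed string.

// Vulnerable form (PHP 5 only): with /e the replacement string is run as code
// after back-references are substituted, so matched input becomes part of the
// code. PHP 7 removed /e; preg_replace() then warns and returns null.
function upper_words_e(string $s): ?string
{
    return @preg_replace('/(\w+)/e', 'strtoupper("\\1")', $s);
}

// Hardened form: the callback receives the match as an argument; nothing in
// the subject string is ever interpreted as PHP.
function upper_words_cb(string $s): string
{
    return preg_replace_callback(
        '/(\w+)/',
        static fn(array $m): string => strtoupper($m[1]),
        $s
    );
}

$input = 'hello world';   // constructed sample
var_dump(upper_words_e($input));
var_dump(upper_words_cb($input));
```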
Regular expression notes: \S matches any non-whitespace character;
. matches any character except \n;
* matches the preceding element 0 or more times;
+ matches the preceding element 1 or more times (to send a literal + inside a URL it must be encoded; the encoding of + is %2b).

In PHP, variables inside double-quoted strings are replaced with their values by the interpreter, while variables inside single-quoted strings are left untouched (function calls inside double quotes are not executed, however).

WEB-INF/web.xml leak

WEB-INF is the secure directory of a Java web application. Files under it cannot be requested directly from a page; they can only be reached if web.xml maps them. WEB-INF mainly contains the following files and directories:
/WEB-INF/web.xml: the web application's configuration file, describing the servlets and other application components, their configuration and naming rules.
/WEB-INF/classes/: all the class files used by the site, both servlet and non-servlet classes, that are not packaged into .jar files.
/WEB-INF/lib/: the JAR files the web application needs; put only the jars this application requires here, such as database driver jars.
/WEB-INF/src/: source directory, holding each java file according to its package structure.
/WEB-INF/database.properties: database configuration file.

Tomcat related notes

Cause of the vulnerability: a site is usually served by several web servers working together, so that one server's performance shortcomings are offset by another's strengths, load is balanced, and some layered security policies can be implemented. With this architecture, an incorrect mapping of static resource directories or files can cause security problems, such as web.xml becoming readable.
Detection and exploitation: find the web.xml file, infer the paths of the class files from it, download the class files directly, and decompile them to obtain the site's source code.
In general the jsp engine forbids access to the WEB-INF directory by default. When Nginx is put in front of Tomcat for load balancing or clustering, the cause of the problem is actually simple: Nginx does not take other engines' configuration into account (Nginx has no jsp engine) and does not carry their security rules into its own (that coupling would be too high). The fix is to add a location to the Nginx configuration that forbids access to WEB-INF:
location ~ ^/WEB-INF/* { deny all; }
or return 404, or similar.


Copyright notice
This article was written by [Whoa, whoa, whoa, whoa, whoa, whoa]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/172/202206211112539758.html