How to see someone else's WeChat chat history: can you view the other person's chat records without their WeChat password?


Vulnerability description: PHP is a widely used programming language that can be embedded in HTML for web application development. 80sec found a design problem in PHP's mail() function that may allow bypassing restrictions such as open_basedir to read and write arbitrary files as the httpd process; combined with the application's own context, this can also turn into a file read/write vulnerability.

Vulnerability analysis: PHP's mail() function is implemented in the PHP source as follows:

```c
/* ... */
if (PG(safe_mode) && (ZEND_NUM_ARGS() == 5)) {
    php_error_docref(NULL TSRMLS_CC, E_WARNING,
        "SAFE MODE Restriction in effect. The fifth parameter is disabled in SAFE MODE.");
    RETURN_FALSE;
}

if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sss|ss",
        &to, &to_len,
        &subject, &subject_len,
        &message, &message_len,
        &headers, &headers_len,
        &extra_cmd, &extra_cmd_len
        ) == FAILURE) {
    return;
}
/* ... */
if (force_extra_parameters) {
    extra_cmd = estrdup(force_extra_parameters);
} else if (extra_cmd) {
    /* the fifth argument only gets shell-metacharacter escaping */
    extra_cmd = php_escape_shell_cmd(extra_cmd);
}

if (php_mail(to_r, subject_r, message, headers, extra_cmd TSRMLS_CC)) {
    RETVAL_TRUE;
} else {
    RETVAL_FALSE;
}
/* ... */
```

In php_mail:

```c
PHPAPI int php_mail(char *to, char *subject, char *message, char *headers, char *extra_cmd TSRMLS_DC)
{
    /* ... */
    FILE *sendmail;
    int ret;
    char *sendmail_path = INI_STR("sendmail_path");
    char *sendmail_cmd = NULL;
    /* ... */
    if (extra_cmd != NULL) {
        /* sendmail_path + " " + extra_cmd becomes one command line */
        sendmail_cmd = emalloc(strlen(sendmail_path) + strlen(extra_cmd) + 2);
        strcpy(sendmail_cmd, sendmail_path);
        strcat(sendmail_cmd, " ");
        strcat(sendmail_cmd, extra_cmd);
    } else {
        sendmail_cmd = sendmail_path;
    }
    /* ... */
    /* Since popen() doesn't indicate if the internal fork() doesn't work
     * (e.g. the shell can't be executed) we explicitly set it to 0 to be
     * sure we don't catch any older errno value. */
    errno = 0;
    sendmail = popen(sendmail_cmd, "w");
```

On Linux, the mail() function concatenates the contents of INI_STR("sendmail_path") with the extra parameters and executes the resulting command. The extra parameters pass through php_escape_shell_cmd before concatenation, so we cannot execute additional commands. However, reading sendmail's own command-line help shows that some sendmail options can be used to read and write files. Using this characteristic, if we control the fifth parameter we can likewise obtain read/write access to the filesystem, unrestricted by open_basedir and similar limits.

Vulnerability test:

All content on this site is original; when reposting, please keep the attribution and link! php mail function open_basedir bypass: http://www.80sec.com/php-mail-function-open_basedir-bypass.html
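The analysis above makes the mitigation clear: caller-controlled text must never reach mail()'s fifth argument, because php_escape_shell_cmd only stops shell metacharacters, not sendmail's own option switches. The wrapper below is an added example, not code from the 80sec post; safe_mail, is_safe_envelope_address and $envelopeFrom are assumed names for illustration. It builds the single switch it permits ("-f<sender>") itself, from an address it has validated first, and rejects everything else.

```php
<?php
// Added example (not from the 80sec post). safe_mail,
// is_safe_envelope_address and $envelopeFrom are assumed names.

function is_safe_envelope_address(string $addr): bool
{
    // Conservative allow-list: letters, digits and a few separators only.
    // No whitespace, no quotes, and no leading '-' that sendmail could
    // read as the start of another option.
    if ($addr === '' || strlen($addr) > 254 || $addr[0] === '-') {
        return false;
    }
    return preg_match(
        '/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/',
        $addr
    ) === 1;
}

function safe_mail(string $to, string $subject, string $message,
                   string $headers = '', ?string $envelopeFrom = null): bool
{
    // The fifth argument is appended to sendmail_path and run via popen(),
    // so nothing from the caller is copied into it verbatim.
    $extra = '';
    if ($envelopeFrom !== null) {
        if (!is_safe_envelope_address($envelopeFrom)) {
            // Refuse rather than "clean": unexpected input never becomes
            // a sendmail argument.
            throw new InvalidArgumentException('rejected envelope sender');
        }
        $extra = '-f' . $envelopeFrom;   // one switch, no separating space
    }
    return mail($to, $subject, $message, $headers, $extra);
}

// Usage with constructed values:
// safe_mail('user@example.com', 'Hi', 'Body', '', 'bounces@example.com'); // allowed
// safe_mail('user@example.com', 'Hi', 'Body', '', '-notanaddress');       // throws
```

Applications that never need an envelope sender should drop the fifth parameter entirely; the validated "-f" form is only for the case where bounce handling genuinely requires it.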

  • Published 2021-02-13 08:38
  • Category: Internet

Posted by: 小凤凰i