How to bypass function parameters in PHP?

I am currently writing a Python script to restore a Joomla website.
It is actually based on the flaw published here.
I suspect that the PHP script I am targeting is not meant to be called directly.
When I run my script against it, it returns this:
{"status":false,"message":"Invalid login"}
This is the function I suspect is responsible!
// Import configuration
masterSetup();

$retArray = array(
    'status'  => true,
    'message' => null
);

$enabled = AKFactory::get('kickstart.enabled', false);

if($enabled)
{
    $task = getQueryParam('task');

    switch($task)
    {
        case 'ping':
            // ping task - really does nothing!
            $timer = AKFactory::getTimer();
            $timer->enforce_min_exec_time();
            break;

        case 'startRestore':
            AKFactory::nuke(); // Reset the factory
            // Let the control flow to the next step (the rest of the code is common!!)

        case 'stepRestore':
            $engine = AKFactory::getUnarchiver();  // Get the engine
            $observer = new RestorationObserver(); // Create a new observer
            $engine->attach($observer);            // Attach the observer
            $engine->tick();
            $ret = $engine->getStatusArray();

            if( $ret['Error'] != '' )
            {
                $retArray['status']  = false;
                $retArray['done']    = true;
                $retArray['message'] = $ret['Error'];
            }
            elseif( !$ret['HasRun'] )
            {
                $retArray['files']    = $observer->filesProcessed;
                $retArray['bytesIn']  = $observer->compressedTotal;
                $retArray['bytesOut'] = $observer->uncompressedTotal;
                $retArray['status']   = true;
                $retArray['done']     = true;
            }
            else
            {
                $retArray['files']    = $observer->filesProcessed;
                $retArray['bytesIn']  = $observer->compressedTotal;
                $retArray['bytesOut'] = $observer->uncompressedTotal;
                $retArray['status']   = true;
                $retArray['done']     = false;
                $retArray['factory']  = AKFactory::serialize();
            }
            break;

        // ... (the excerpt in the post ends here; the remaining cases are not shown)
    }
}
This is masterSetup():
function masterSetup()
{
    // ------------------------------------------------------------
    // 1. Import basic setup parameters
    // ------------------------------------------------------------
    $ini_data = null;

    // In restore.php mode, require restoration.php or fail
    if(!defined('KICKSTART'))
    {
        // This is the standalone mode, used by Akeeba Backup Professional. It looks for a restoration.php
        // file to perform its magic. If the file is not there, we will abort.
        $setupFile = 'restoration.php';

        if( !file_exists($setupFile) )
        {
            // Uh oh... Somebody tried to pooh on our back yard. Lock the gates! Don't let the traitor inside!
            AKFactory::set('kickstart.enabled', false);
            return false;
        }

        // Load restoration.php. It creates a global variable named $restoration_setup
        require_once $setupFile;
        $ini_data = $restoration_setup;

        if(empty($ini_data))
        {
            // No parameters fetched. Darn, how am I supposed to work like that?!
            AKFactory::set('kickstart.enabled', false);
            return false;
        }

        AKFactory::set('kickstart.enabled', true);
    }
    else
    {
        // Maybe we have $restoration_setup defined in the head of kickstart.php
        global $restoration_setup;

        if(!empty($restoration_setup) && !is_array($restoration_setup)) {
            $ini_data = AKText::parse_ini_file($restoration_setup, false, true);
        } elseif(is_array($restoration_setup)) {
            $ini_data = $restoration_setup;
        }
    }

    // ... (the rest of the function is not shown in the post)
}
My question is: is it possible to bypass the parameters passed to a function and force the function to return true?
I guess not always, but if the function's parameters are taken from the HTTP request, then it might be bypassable, for example in the following.
Here $_REQUEST is cleared, but $_POST and $_GET are not, which leaves a gap for a bypass:
if(!empty($_REQUEST))
{
    foreach($_REQUEST as $key => $value)
    {
        unset($_REQUEST[$key]);
    }
}
In my case, it is just a matter of keeping the function from returning the default value:
function getQueryParam( $key, $default = null )
{
    if(array_key_exists($key, $_REQUEST)) {
        $value = $_REQUEST[$key];
    } elseif(array_key_exists($key, $_POST)) {
        $value = $_POST[$key];
    } elseif(array_key_exists($key, $_GET)) {
        $value = $_GET[$key];
    } else {
        return $default;
    }
    return $value;
}
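The lookup order the post describes can be checked in isolation. The script below is an added example, not code from the original post and not Akeeba's own restore.php: it copies the getQueryParam() quoted above, fills the superglobals by hand with a constructed request (?task=ping) so it runs from the PHP CLI without a web server, runs the clearing loop quoted above, and then shows that getQueryParam() still returns the value because it falls through to $_GET. The getQueryParamFrom() helper, which reads one explicitly chosen source instead of walking three superglobals, is an assumption added here for contrast. Whether any of this matters for the real script depends on what restore.php does with the parameter afterwards, which the excerpts in the post do not show.

```php
<?php
// Added example (not from the original post or from Akeeba's restore.php).
// Demonstrates that emptying $_REQUEST does not remove the same keys from
// $_GET or $_POST, so a lookup that falls through to those arrays still
// sees the value. Run from the CLI; the superglobals are populated by hand.

// Same lookup order as the getQueryParam() quoted in the post.
function getQueryParam($key, $default = null)
{
    if (array_key_exists($key, $_REQUEST)) {
        $value = $_REQUEST[$key];
    } elseif (array_key_exists($key, $_POST)) {
        $value = $_POST[$key];
    } elseif (array_key_exists($key, $_GET)) {
        $value = $_GET[$key];
    } else {
        return $default;
    }
    return $value;
}

// Assumed contrasting variant: the caller names the one array to read from,
// so emptying (or not emptying) $_REQUEST cannot change what it returns.
function getQueryParamFrom(array $source, $key, $default = null)
{
    return array_key_exists($key, $source) ? $source[$key] : $default;
}

// Constructed request: "?task=ping" in the query string and an empty POST body.
// PHP normally builds $_REQUEST from $_GET and $_POST; mimic that here.
$_GET     = array('task' => 'ping');
$_POST    = array();
$_REQUEST = $_GET + $_POST;

printf("before clearing: task=%s\n", var_export(getQueryParam('task'), true));

// The clearing loop quoted in the post: it touches $_REQUEST only.
if (!empty($_REQUEST)) {
    foreach ($_REQUEST as $key => $value) {
        unset($_REQUEST[$key]);
    }
}

// $_REQUEST is now empty, but getQueryParam() falls through to $_GET.
printf("after clearing:  task=%s\n", var_export(getQueryParam('task'), true));

// Reading only from the emptied $_REQUEST yields the default instead.
printf("explicit source: task=%s\n",
       var_export(getQueryParamFrom($_REQUEST, 'task', null), true));
```

The first two lines print the same value, which is the behaviour the post is pointing at: clearing $_REQUEST on its own does not stop a parameter from reaching a function that also consults $_POST and $_GET. Only the third line, which reads from a single explicit source, comes back with the default.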