For background on .user.ini and its basic use, see the following article:

https://wooyun.js.org/drops/user.ini%E6%96%87%E4%BB%B6%E6%9E%84%E6%88%90%E7%9A%84PHP%E5%90%8E%E9%97%A8.html

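I am writing this note because I ran into some misunderstandings and confusion while studying this. They are resolved now, but it is still better to write them down.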

1. CGI/FASTCGI

The PHP manual states that .user.ini can be used in CGI/FASTCGI mode; that is, either CGI or FASTCGI works.

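2. PHP version

To use .user.ini, besides the server running in CGI or FASTCGI mode, the PHP version must also meet certain conditions (possibly the PHP version needs to be higher than 5.3). In testing, PHP 5.2.17 could not use .user.ini: that version's php.ini lacks the .user.ini-related configuration directives, user_ini.cache_ttl and user_ini.filename. PHP 5.4.22 can use .user.ini, and its php.ini also contains the .user.ini-related directives.

3. The upload directory contains an executable PHP file

As long as the directory contains a PHP file, .user.ini can be used to execute the relevant code. In fact, it is enough for some page of the current site to be PHP, for example index.php.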
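
A defender-side audit for the conditions listed above, as an added example that is not part of the original post: it reads user_ini.filename from php.ini text, finds each per-directory INI file under a web root, and lists the PHP scripts it governs, following the PHP manual's scan from the requested script's directory up to the document root. The function names, the watched-directive list and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Watchlist chosen for this example: real PHP directives that include a file on every request.
WATCHED = {"auto_prepend_file", "auto_append_file"}

def _pairs(text):
    """Yield (key, value) pairs from INI text, ignoring ';' comments."""
    for line in text.splitlines():
        line = line.split(";", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            yield key.strip().lower(), value.strip().strip("\"'")

def user_ini_name(php_ini_text):
    """user_ini.filename from php.ini; default '.user.ini', empty disables the scan."""
    return dict(_pairs(php_ini_text)).get("user_ini.filename", ".user.ini")

def audit(docroot, php_ini_text=""):
    """List each per-directory INI file, the PHP scripts it governs, and flagged directives."""
    name = user_ini_name(php_ini_text)
    findings = []
    if not name:  # per-directory INI scanning is switched off
        return findings
    for dirpath, _dirs, files in os.walk(docroot):
        if name not in files:
            continue
        with open(os.path.join(dirpath, name), errors="replace") as fh:
            directives = dict(_pairs(fh.read()))
        governed = sorted(  # PHP scripts in this directory and below
            os.path.relpath(os.path.join(d, f), docroot)
            for d, _sub, fs in os.walk(dirpath) for f in fs if f.endswith(".php"))
        findings.append({
            "ini": os.path.relpath(os.path.join(dirpath, name), docroot),
            "governs": governed,
            "flagged": {k: v for k, v in directives.items() if k in WATCHED},
        })
    return findings

def demo():
    """Build a constructed sample web root and audit it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "uploads"))
    sample = {"index.php": "<?php echo 1;", "uploads/view.php": "<?php echo 2;",
              "uploads/.user.ini": "auto_prepend_file = header.inc\n"}
    for rel, body in sample.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return audit(root)
```

Passing php.ini text in which user_ini.filename is set to an empty value makes audit() return no findings, matching PHP's behaviour of not scanning for per-directory INI files at all in that case.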
