10 Ways to Thoroughly Tinker with PHP

Published in: Technology

  1. 10 ways to “exploit” PHP that you might not know
  2. Brush-up: What is PHP? The most overengineered template engine ever. Often mistaken for a sort of programming language due to its “your-favorite-language-like” syntactic features. The world’s first template engine upon which another template engine is implemented.
  3. Uh, so... do you mean PHP is not a programming language?
  4. Why not customize PHP so it would fit more to your project?
  5. [Diagram: Extensions, SAPI, ZendEngine2, SAPI module]
  6. [Diagram: Extensions, SAPI, ZendEngine2, SAPI module]
  7. [Diagram: Extensions, SAPI, ZendEngine2, SAPI module]
  8. [Diagram: Extensions, SAPI, ZendEngine2, SAPI module]
  9. [Diagram: Extensions, SAPI, ZendEngine2, SAPI module]
  10. [Diagram: threads; TLS Slot #1, TLS Slot #2, ..., TLS Slot #n; module global]
  11. [Diagram: Zend Engine source files. Component labels: Objects API, Allocator, Virtual Machine, Utilities, Garbage Collector, Stack, Linked List, Hashtable, basic data structure, Opcode emitter, Parser, Lexer, language core, ini parser. Files: zend_objects.c, zend_object_handlers.c, zend_objects_API.c, zend_alloc.c, zend_execute.c, zend_API.c, zend_execute_API.c, zend_float.c, zend_vm_execute.h, zend_operators.c, zend_stream.c, zend_qsort.c, zend_gc.c, zend_compile.c, zend_stack.c, zend_opcode.c, zend_ptr_stack.c, zend_llist.c, zend_hash.c, zend_language_parser.y, zend_language_scanner.l, zend_ini.c, zend_ini_parser.y, zend_ini_scanner.c]
  12. Source:

      ```php
      <?php
      $a = 1;
      $b = 2;
      $c = $a + $b;
      ?>
      ```
  13. Lexer: the source `<?php $a = 1; $b = 2; $c = $a + $b; ?>` becomes the token stream T_OPEN_TAG, T_VARIABLE, ‘=’, T_LNUMBER, ‘;’, T_VARIABLE, ‘=’, T_LNUMBER, ‘;’, T_VARIABLE, ‘=’, T_VARIABLE, ‘+’, T_VARIABLE, ‘;’, T_CLOSE_TAG
  14. Parser / Opcode emitter: the token stream (T_OPEN_TAG, T_VARIABLE, ‘=’, T_LNUMBER, ‘;’, T_VARIABLE, ‘=’, T_LNUMBER, ‘;’, T_VARIABLE, ‘=’, T_VARIABLE, ‘+’, T_VARIABLE, ‘;’, T_CLOSE_TAG) becomes a zend_op_array of zend_op entries: ASSIGN, ASSIGN, ADD, ASSIGN
  15. zend_op: opcode, handler, result, op1, op2, extended_value
  16. op_type, opline_num, constant, var, op_array, jmp_addr
  17. [Diagram: `$a = $b + $c + $d;` as the opcodes ADD, ADD, ASSIGN, each with result, op1 and op2; TMP_VAR]
  18. [Diagram: zend_op_array of zend_op entries (ASSIGN, ASSIGN, ADD, ASSIGN) and their handlers: ASSIGN, FETCH_R, FETCH_W, FETCH_DIM_R, FETCH_DIM_W, ECHO, ADD]
  19. `array(1, 2, 3, 4, 5)->join(',')` Java autoboxing PHP ? autobox `__autobox()`
  20. Embedded markup syntax:

      ```php
      <?php
      $a = <<
      ?><?html>
      <body>
        <?div id="{$id}">test</?div>
      </body>
      </?html>
      <?php
      // $a DOM
      var_dump($a);
      ?>
      ```
  21. Boost.PHP
  22. Module skeleton:

      ```cpp
      #include "boost/php/module.hpp"
      #include "boost/php/function.hpp"

      using namespace boost;

      // function_container takes the module class itself as its template argument
      class m001_module
          : public php::module,
            public php::function_container<m001_module> {
      public:
          // Per-module handler; exported functions are defined as its members
          class handler : public php::module::handler {
          public:
              handler(m001_module* mod)
                  : php::module::handler(mod) {}
          };

      public:
          m001_module(zend_module_entry* entry)
              : php::module(entry) {
              // entry->functions = defun("your_function", &handler::your_function);
          }
      };

      #define BOOST_PHP_MODULE_NAME m001
      #define BOOST_PHP_MODULE_CAPITALIZED_NAME M001
      #define BOOST_PHP_MODULE_VERSION "0.1"
      #define BOOST_PHP_MODULE_CLASS_NAME m001_module

      #include "boost/php/module_def.hpp"
      ```
  23. `defun("function_name", )`
  24. Thank you for listening!
