VLD

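Author: Yix1a | Published: 2019-06-07 11:10
    • Vulcan Logic Dumper
    • VLD (Vulcan Logic Dumper) is an extension that hooks into the Zend engine and dumps the intermediate code (execution units) generated for a PHP script. To some extent it lets you see how the Zend engine works internally, and it is an essential tool for studying the PHP source.
    • The article at http://www.phppan.com/2011/05/vld-extension/ shows roughly what VLD output looks like.
    • Another point to note is that the opcodes in the dump come from a standard instruction table.
    • We inspect the page elements and find index.php.txt.
    • Requesting it returns the VLD dump of index.php: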
    Finding entry points
    Branch analysis from position: 0
    Jump found. Position 1 = 23, Position 2 = 38
    Branch analysis from position: 23
    Jump found. Position 1 = 26, Position 2 = 35
    Branch analysis from position: 26
    Jump found. Position 1 = 29, Position 2 = 32
    Branch analysis from position: 29
    Jump found. Position 1 = 34
    Branch analysis from position: 34
    Jump found. Position 1 = 37
    Branch analysis from position: 37
    Jump found. Position 1 = 40
    Branch analysis from position: 40
    Return found
    Branch analysis from position: 32
    Jump found. Position 1 = 37
    Branch analysis from position: 37
    Branch analysis from position: 35
    Jump found. Position 1 = 40
    Branch analysis from position: 40
    Branch analysis from position: 38
    Return found
    filename:       C:\ctf\index.php
    function name:  (null)
    number of ops:  44
    compiled vars:  !0 = $a, !1 = $b, !2 = $c
    line     # *  op                           fetch          ext  return  operands
    ---------------------------------------------------------------------------------
       2     0  >   EXT_STMT
             1      ECHO                                                     'do+you+know+Vulcan+Logic+Dumper%3F%3Cbr%3E'
       3     2      EXT_STMT
             3      BEGIN_SILENCE                                    ~0
             4      FETCH_R                      global              $1      '_GET'
             5      FETCH_DIM_R                                      $2      $1, 'flag1'
             6      END_SILENCE                                              ~0
             7      ASSIGN                                                   !0, $2
       4     8      EXT_STMT
             9      BEGIN_SILENCE                                    ~4
            10      FETCH_R                      global              $5      '_GET'
            11      FETCH_DIM_R                                      $6      $5, 'flag2'
            12      END_SILENCE                                              ~4
            13      ASSIGN                                                   !1, $6
       5    14      EXT_STMT
            15      BEGIN_SILENCE                                    ~8
            16      FETCH_R                      global              $9      '_GET'
            17      FETCH_DIM_R                                      $10     $9, 'flag3'
            18      END_SILENCE                                              ~8
            19      ASSIGN                                                   !2, $10
       6    20      EXT_STMT
            21      IS_EQUAL                                         ~12     !0, 'fvhjjihfcv'
            22    > JMPZ                                                     ~12, ->38
       7    23  >   EXT_STMT
            24      IS_EQUAL                                         ~13     !1, 'gfuyiyhioyf'
            25    > JMPZ                                                     ~13, ->35
       8    26  >   EXT_STMT
            27      IS_EQUAL                                         ~14     !2, 'yugoiiyhi'
            28    > JMPZ                                                     ~14, ->32
       9    29  >   EXT_STMT
            30      ECHO                                                     'the+next+step+is+xxx.zip'
      10    31    > JMP                                                      ->34
      11    32  >   EXT_STMT
            33      ECHO                                                     'false%3Cbr%3E'
      13    34  > > JMP                                                      ->37
      14    35  >   EXT_STMT
            36      ECHO                                                     'false%3Cbr%3E'
      16    37  > > JMP                                                      ->40
      17    38  >   EXT_STMT
            39      ECHO                                                     'false%3Cbr%3E'
      19    40  >   NOP
      22    41      EXT_STMT
            42      ECHO                                                     '%3C%21--+index.php.txt+%3F%3E%0D%0A%0D%0A'
            43    > RETURN                                                   1
    
    branch: #  0; line:     2-    6; sop:     0; eop:    22; out1:  23; out2:  38
    branch: # 23; line:     7-    7; sop:    23; eop:    25; out1:  26; out2:  35
    branch: # 26; line:     8-    8; sop:    26; eop:    28; out1:  29; out2:  32
    branch: # 29; line:     9-   10; sop:    29; eop:    31; out1:  34
    branch: # 32; line:    11-   13; sop:    32; eop:    33; out1:  34
    branch: # 34; line:    13-   13; sop:    34; eop:    34; out1:  37
    branch: # 35; line:    14-   16; sop:    35; eop:    36; out1:  37
    branch: # 37; line:    16-   16; sop:    37; eop:    37; out1:  40
    branch: # 38; line:    17-   19; sop:    38; eop:    39; out1:  40
    branch: # 40; line:    19-   22; sop:    40; eop:    43
    path #1: 0, 23, 26, 29, 34, 37, 40,
    path #2: 0, 23, 26, 32, 34, 37, 40,
    path #3: 0, 23, 35, 37, 40,
    path #4: 0, 38, 40,
    do you know Vulcan Logic Dumper?<br>false<br><!-- index.php.txt ?>
    
    • Search Baidu for the PHP opcode manual and use the official reference table. Going through the dump opcode by opcode gives the PHP code:
    <?php
    // Source reconstructed from the opcode dump above.

    echo 'do you know Vulcan Logic Dumper?<br>';
    // BEGIN_SILENCE / END_SILENCE around each fetch is the @ operator.
    $a = @$_GET['flag1'];
    $b = @$_GET['flag2'];
    $c = @$_GET['flag3'];

    // Each IS_EQUAL (loose ==) + JMPZ pair jumps to 'false' on a mismatch.
    if ($a != 'fvhjjihfcv')
    {
        echo 'false<br>';
    }
    elseif ($b != 'gfuyiyhioyf')
    {
        echo 'false<br>';
    }
    elseif ($c != 'yugoiiyhi')
    {
        echo 'false<br>';
    }
    else
    {
        echo 'the next step is xxx.zip';
    }

    echo '<!-- index.php.txt ?>';
    ?>
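
The opcode-by-opcode reading above can be done mechanically. The following is an added example, not part of the original post: it walks VLD opcode rows and reports which `$_GET` parameters are compared against literals embedded in the script, which is what a published dump such as index.php.txt gives away. The function name and regexes are this example's own, and SAMPLE_DUMP is rows taken from the dump above with the column padding reduced.

```python
import re
from urllib.parse import unquote_plus

# Patterns for the four opcode rows that matter (operand layout as in the dump above).
FETCH_R = re.compile(r"\bFETCH_R\b.*?(\$\d+)\s+'_GET'")
FETCH_DIM = re.compile(r"\bFETCH_DIM_R\s+(\$\d+)\s+(\$\d+),\s*'([^']*)'")
ASSIGN = re.compile(r"\bASSIGN\s+(!\d+),\s*(\$\d+)")
IS_EQUAL = re.compile(r"\bIS_EQUAL\s+~\d+\s+(!\d+),\s*'([^']*)'")

# Sample input: rows from the dump above, trimmed to the relevant opcodes.
SAMPLE_DUMP = """\
   4      FETCH_R        global    $1      '_GET'
   5      FETCH_DIM_R              $2      $1, 'flag1'
   7      ASSIGN                           !0, $2
  10      FETCH_R        global    $5      '_GET'
  11      FETCH_DIM_R              $6      $5, 'flag2'
  13      ASSIGN                           !1, $6
  16      FETCH_R        global    $9      '_GET'
  17      FETCH_DIM_R              $10     $9, 'flag3'
  19      ASSIGN                           !2, $10
  21      IS_EQUAL                 ~12     !0, 'fvhjjihfcv'
  24      IS_EQUAL                 ~13     !1, 'gfuyiyhioyf'
  27      IS_EQUAL                 ~14     !2, 'yugoiiyhi'
"""


def hardcoded_get_checks(dump):
    """Map each $_GET key to the literal the script compares it against."""
    get_temps, temp_key, var_key, checks = set(), {}, {}, {}
    for line in dump.splitlines():
        if m := FETCH_R.search(line):            # $1 = $_GET
            get_temps.add(m.group(1))
        elif m := FETCH_DIM.search(line):        # $2 = $1['flag1']
            dst, src, key = m.groups()
            if src in get_temps:
                temp_key[dst] = unquote_plus(key)
        elif m := ASSIGN.search(line):           # !0 = $2
            if m.group(2) in temp_key:
                var_key[m.group(1)] = temp_key[m.group(2)]
        elif m := IS_EQUAL.search(line):         # !0 == 'literal'
            if m.group(1) in var_key:
                # VLD prints string operands URL-encoded; decode them.
                checks[var_key[m.group(1)]] = unquote_plus(m.group(2))
    return checks

if __name__ == "__main__":
    print(hardcoded_get_checks(SAMPLE_DUMP))
```
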
    
    • Requesting index.php?flag1=fvhjjihfcv&flag2=gfuyiyhioyf&flag3=yugoiiyhi returns a path: 1chunqiu.zip
    • Requesting that path downloads the archive, which contains a set of source files:
        public function safe_data($value){
            if( MAGIC_QUOTES_GPC ){
                stripcslashes($value);
            }
            return addslashes($value);
        }
    
        $db = new mysql_db();
        $username = $db->safe_data($_POST['username']);
        $password = $db->my_md5($_POST['password']);
        $number = is_numeric($_POST['number']) ? $_POST['number'] : 1;
    
        $username = trim(str_replace($number, '', $username));
    
