Phpをいじり倒す10の方法
- 1. “ ” 10 10 ways to “exploit” PHP that you might not know
- 2. brushup: What is PHP? The most overengineered template engine ever. Often mistaken as a sort of programming language due to its “your-favorite-language-like” syntatic features. The world’s first template engine upon which another template engine is implemented.
- 3. Uh, so... do you mean PHP is not a programming language?
- 6. Why not customize PHP so it would fit more to your project?
- 9. Extensions SAPI ZendEngine2 SAPI module
- 10. Extensions SAPI ZendEngine2 SAPI module
- 11. Extensions SAPI ZendEngine2 SAPI module
- 12. Extensions SAPI ZendEngine2 SAPI module
- 13. Extensions SAPI ZendEngine2 SAPI module
- 15. threads Slot #1 TLS Slot #2 TLS module global Slot #n TLS
- 16. zend_objects.c zend_object_handlers.c zend_objects_API.c zend_alloc.c Objects API Allocator zend_execute.c zend_API.c zend_execute_API.c zend_float.c zend_vm_execute.h zend_operators.c Virtual Machine Utilities zend_stream.c zend_qsort.c zend_gc.c Garbage Stack Linked List Collector zend_compile.c zend_stack.c zend_opcode.c Hashtable zend_ptr_stack.c Opcode emitter zend_llist.c basic data structure zend_hash.c Parser Lexer Parser Lexer zend_language_parser.y zend_language_scanner.l zend_ini.c language core ini parser zend_ini_parser.y zend_ini_scanner.c
- 17. <?php ? $a = 1; $b = 2; $c = $a + $b; ?>
- 18. T_OPEN_TAG <?php T_VARIABLE $a = 1; ‘=’ $b = 2; T_LNUMBER $c = $a + $b; ‘;’ ?> T_VARIABLE ‘=’ T_LNUMBER ‘;’ T_VARIABLE ‘=’ Lexer T_VARIABLE ‘+’ T_VARIABLE ‘;’ T_CLOSE_TAG
- 19. zend_op T_OPEN_TAG ASSIGN T_VARIABLE ‘=’ zend_op T_LNUMBER ‘;’ ASSIGN T_VARIABLE zend_op ‘=’ T_LNUMBER ADD ‘;’ T_VARIABLE zend_op ‘=’ T_VARIABLE ASSIGN ‘+’ T_VARIABLE ‘;’ zend_op_array T_CLOSE_TAG Parser Opcode emitter
- 21. opcode handler result op1 op2 extended_value zend_op
- 22. op_type opline_num constant var op_array jmp_addr
- 24. $a = $b + $c + $d; ASSIGN result ADD op1 op2 ADD ADD ASSIGN result op1 op2 ADD result op1 op2 TMP_VAR
- 27. zend_op ASSIGN ASSIGN zend_op FETCH_R ASSIGN zend_op FETCH_W ADD zend_op FETCH_DIM_R ASSIGN FETCH_DIM_W zend_op_array ECHO ADD handlers
- 34. array(1, 2, 3, 4, 5)->join(’,’) Java autoboxing PHP ? autobox __autobox()
- 38. <?php $a = << ?><?html> <body> <?div id=”{$id}”>test</?div> </body> </?html> <?php // $a DOM var_dump($a); ?>
- 45. Boost.PHP
- 47. #include "boost/php/module.hpp" #include "boost/php/function.hpp" using namespace boost; class m001_module : public php::module, public php::function_container<m002_module> { public: class handler : public php::module::handler { public: handler(m001_module* mod) :php::module::handler(mod) {} }; public: m001_module(zend_module_entry* entry) : php::module(entry) { // entry->functions = defun("your_function", &handler::your_function); } }; #define BOOST_PHP_MODULE_NAME m001 #define BOOST_PHP_MODULE_CAPITALIZED_NAME M001 #define BOOST_PHP_MODULE_VERSION "0.1" #define BOOST_PHP_MODULE_CLASS_NAME m001_module #include "boost/php/module_def.hpp"
- 50. defun(”function_name”, )
- 53. Thank you for listening!