PHP-FPM unix socket抓包

郭思淼

2023-12-01

Sniffer for Unix Domain Sockets
https://github.com/jonschipp/unixsniff

Dependencies

apt-get install socat bash

test.php

<?php

echo 11;

------------------------------------------------------------------

Use

Enable sniffing on socket

$ ./unixsniff start /tmp/php-fpm.sock

访问http://127.0.0.1/test.php

> 2022/03/01 18:55:41.670565 length=936 from=0 to=935
01 01 00 01 00 08 00 00 00 01 00 00 00 00 00 00 ................
01 04 00 01 03 79 07 00 0f 1e 53 43 52 49 50 54 .....y....SCRIPT
5f 46 49 4c 45 4e 41 4d 45 2f 68 6f 6d 65 2f 77 _FILENAME/home/w
77 77 72 6f 6f 74 2f 64 65 66 61 75 6c 74 2f 74 wwroot/default/t
65 73 74 2e 70 68 70 0c 00 51 55 45 52 59 5f 53 est.php..QUERY_S
54 52 49 4e 47 0e 03 52 45 51 55 45 53 54 5f 4d TRING..REQUEST_M
45 54 48 4f 44 47 45 54 0c 00 43 4f 4e 54 45 4e ETHODGET..CONTEN
54 5f 54 59 50 45 0e 00 43 4f 4e 54 45 4e 54 5f T_TYPE..CONTENT_
4c 45 4e 47 54 48 0b 09 53 43 52 49 50 54 5f 4e LENGTH..SCRIPT_N
41 4d 45 2f 74 65 73 74 2e 70 68 70 0b 09 52 45 AME/test.php..RE
51 55 45 53 54 5f 55 52 49 2f 74 65 73 74 2e 70 QUEST_URI/test.p
68 70 0c 09 44 4f 43 55 4d 45 4e 54 5f 55 52 49 hp..DOCUMENT_URI
2f 74 65 73 74 2e 70 68 70 0d 15 44 4f 43 55 4d /test.php..DOCUM
45 4e 54 5f 52 4f 4f 54 2f 68 6f 6d 65 2f 77 77 ENT_ROOT/home/ww
77 72 6f 6f 74 2f 64 65 66 61 75 6c 74 0f 08 53 wroot/default..S
45 52 56 45 52 5f 50 52 4f 54 4f 43 4f 4c 48 54 ERVER_PROTOCOLHT
54 50 2f 31 2e 31 0e 04 52 45 51 55 45 53 54 5f TP/1.1..REQUEST_
53 43 48 45 4d 45 68 74 74 70 11 07 47 41 54 45 SCHEMEhttp..GATE
57 41 59 5f 49 4e 54 45 52 46 41 43 45 43 47 49 WAY_INTERFACECGI
2f 31 2e 31 0f 0c 53 45 52 56 45 52 5f 53 4f 46 /1.1..SERVER_SOF
54 57 41 52 45 6e 67 69 6e 78 2f 31 2e 32 30 2e TWAREnginx/1.20.
31 0b 0c 52 45 4d 4f 54 45 5f 41 44 44 52 31 39 1..REMOTE_ADDR19
32 2e 31 36 38 2e 31 37 2e 31 0b 05 52 45 4d 4f 2.168.17.1..REMO
54 45 5f 50 4f 52 54 36 33 33 39 38 0b 0e 53 45 TE_PORT63398..SE
52 56 45 52 5f 41 44 44 52 31 39 32 2e 31 36 38 RVER_ADDR192.168
2e 31 37 2e 31 32 39 0b 02 53 45 52 56 45 52 5f .17.129..SERVER_
50 4f 52 54 38 30 0b 01 53 45 52 56 45 52 5f 4e PORT80..SERVER_N
41 4d 45 5f 0f 03 52 45 44 49 52 45 43 54 5f 53 AME_..REDIRECT_S
54 41 54 55 53 32 30 30 0f 30 50 48 50 5f 41 44 TATUS200.0PHP_AD
4d 49 4e 5f 56 41 4c 55 45 6f 70 65 6e 5f 62 61 MIN_VALUEopen_ba
73 65 64 69 72 3d 2f 68 6f 6d 65 2f 77 77 77 72 sedir=/home/wwwr
6f 6f 74 2f 64 65 66 61 75 6c 74 2f 3a 2f 74 6d oot/default/:/tm
70 2f 3a 2f 70 72 6f 63 2f 09 0e 48 54 54 50 5f p/:/proc/..HTTP_
48 4f 53 54 31 39 32 2e 31 36 38 2e 31 37 2e 31 HOST192.168.17.1
32 39 0f 0a 29..
48 54 54 50 5f 43 4f 4e 4e 45 43 54 49 4f 4e 6b HTTP_CONNECTIONk
65 65 70 2d 61 6c 69 76 65 1e 01 48 54 54 50 5f eep-alive..HTTP_
55 50 47 52 41 44 45 5f 49 4e 53 45 43 55 52 45 UPGRADE_INSECURE
5f 52 45 51 55 45 53 54 53 31 0f 80 00 00 81 48 _REQUESTS1.....H
54 54 50 5f 55 53 45 52 5f 41 47 45 4e 54 4d 6f TTP_USER_AGENTMo
7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f zilla/5.0 (Windo
77 73 20 4e 54 20 31 30 2e 30 3b 20 57 4f 57 36 ws NT 10.0; WOW6
34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 4) AppleWebKit/5
33 37 2e 33 36 20 28 4b 48 54 4d 4c 2c 20 6c 69 37.36 (KHTML, li
6b 65 20 47 65 63 6b 6f 29 20 43 68 72 6f 6d 65 ke Gecko) Chrome
2f 35 35 2e 30 2e 32 38 38 33 2e 38 37 20 55 42 /55.0.2883.87 UB
72 6f 77 73 65 72 2f 36 2e 32 2e 34 30 39 38 2e rowser/6.2.4098.
33 20 53 61 66 61 72 69 2f 35 33 37 2e 33 36 0b 3 Safari/537.36.
4a 48 54 54 50 5f 41 43 43 45 50 54 74 65 78 74 JHTTP_ACCEPTtext
2f 68 74 6d 6c 2c 61 70 70 6c 69 63 61 74 69 6f /html,applicatio
6e 2f 78 68 74 6d 6c 2b 78 6d 6c 2c 61 70 70 6c n/xhtml+xml,appl
69 63 61 74 69 6f 6e 2f 78 6d 6c 3b 71 3d 30 2e ication/xml;q=0.
39 2c 69 6d 61 67 65 2f 77 65 62 70 2c 2a 2f 2a 9,image/webp,*/*
3b 71 3d 30 2e 38 14 0d 48 54 54 50 5f 41 43 43 ;q=0.8..HTTP_ACC
45 50 54 5f 45 4e 43 4f 44 49 4e 47 67 7a 69 70 EPT_ENCODINGgzip
2c 20 64 65 66 6c 61 74 65 14 0e 48 54 54 50 5f , deflate..HTTP_
41 43 43 45 50 54 5f 4c 41 4e 47 55 41 47 45 7a ACCEPT_LANGUAGEz
68 2d 43 4e 2c 7a 68 3b 71 3d 30 2e 38 00 00 00 h-CN,zh;q=0.8...
00 00 00 00 01 04 00 01 00 00 00 00 01 05 00 01 ................
00 00 00 00 ....
--
< 2022/03/01 18:55:41.674889 length=96 from=0 to=95
01 06 00 01 00 46 02 00 58 2d 50 6f 77 65 72 65 .....F..X-Powere
64 2d 42 79 3a 20 50 48 50 2f 37 2e 32 2e 33 34 d-By: PHP/7.2.34
0d 0a ..
43 6f 6e 74 65 6e 74 2d 74 79 70 65 3a 20 74 65 Content-type: te
78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 xt/html; charset
3d 55 54 46 2d 38 0d 0a =UTF-8..
0d 0a ..
31 31 00 00 01 03 00 01 00 08 00 00 00 00 00 00 11..............
00 37 35 37 .757
--
HTTP请求报头前半部分，与/usr/local/nginx/conf/fastcgi.conf一致。后半部分，通常HTTP报头。

[root@VM-0-17-centos 09:20:12 /usr/local/share]# cat /usr/local/nginx/conf/fastcgi.conf

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;

fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;

fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/:/tmp/:/proc/";

Disable sniffing and restore socket

$ ./unixsniff stop /tmp/php-fpm.sock

PHP-FPM unix socket抓包

Dependencies

Use

相关阅读

相关文章

相关问答

相关文档