26. How can the phar:// protocol be exploited? What is the difference between the php://input pseudo‑protocol and POST data delivery?
phar:// Exploitation
- Bypass certain WAFs and upload restrictions.
- Phar deserialisation: when the wrapper reads a
.phar file, it deserialises the stored metadata.
php://input vs POST
application/x-www-form-urlencoded or multipart/form-data: php://input contains raw data; $_POST is an associative array without upload content.
multipart/form-data: php://input is invalid.
Content-Type: text/plain: $_POST cannot retrieve data, but php://input can.