\u7528\u6237\u8f93\u5165\u672a\u8fc7\u6ee4\u6216\u51c0\u5316\uff08\u51c0\u5316\u5c31\u662f\u5bf9\u7279\u6b8a\u5b57\u7b26\u505a\u5904\u7406\u5982\u8f6c\u4e49\uff0c\u7136\u540e\u518d\u6267\u884c\u547d\u4ee4\uff09\n\u7a0b\u5e8f\u4e2d\u542b\u6709\u53ef\u6267\u884cphp\u4ee3\u7801\u7684\u51fd\u6570\u6216\u8005\u8bed\u8a00\u7ed3\u6784\n\u4f20\u5165\u70b9\u7684\u53c2\u6570\u7528\u6237\u7aef\u53ef\u63a7\uff0c\u53ef\u76f4\u63a5\u4fee\u6539\u6216\u8005\u5f71\u54cd<\/code><\/pre>\nPHP\u4e0b\u547d\u4ee4\u6267\u884c\u51fd\u6570<\/h4>\n\u4ee3\u7801\u6267\u884c\u51fd\u6570<\/h5>\neval()\nassert()<\/code><\/pre>\n\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\u7684\u51fd\u6570<\/h5>\nsystem\uff1a\u6267\u884c\u4e00\u4e2a\u5916\u90e8\u7684\u5e94\u7528\u7a0b\u5e8f\u5e76\u663e\u793a\u8f93\u51fa\u7684\u7ed3\u679c\nexec\uff1a\u6267\u884c\u4e00\u4e2a\u5916\u90e8\u7684\u5e94\u7528\u7a0b\u5e8f\nshell_exec\uff1a\u6267\u884cshell\u547d\u4ee4\u5e76\u8fd4\u56de\u8f93\u51fa\u7684\u7ed3\u679c\u7684\u5b57\u7b26\u4e32\npassthru\uff1a\u6267\u884c\u4e00\u4e2aUNIX\u7cfb\u7edf\u547d\u4ee4\u5e76\u663e\u793a\u539f\u59cb\u7684\u8f93\u51fa\n``\uff1a\u4e0eshell_exec\u51fd\u6570\u7684\u529f\u80fd\u76f8\u540c\npopen\uff1a\u4e0eshell_exec\u51fd\u6570\u529f\u80fd\u7c7b\u4f3c\uff0cpopen(\u2018[\u7cfb\u7edf\u547d\u4ee4]\u2019, \u2018r\u2019)\uff0c\u2019r\u2019\u8868\u793a\u8fd4\u56destdout\u6587\u4ef6\u6307\u9488\uff0c\u2019w\u2019\u8868\u793a\u8fd4\u56destdin\u6587\u4ef6\u6307\u9488\nproc_popen\npcntl_exec\n$(xxx)\uff1a\u5728bash\u4e2d\u7528\u6765\u505a\u547d\u4ee4\u66ff\u6362\u7684\uff0c\u53ef\u4ee5\u5f53\u505ashell\u547d\u4ee4\u6267\u884c\uff0c\u4f46\u4e0d\u662f\u6240\u6709shell\u90fd\u652f\u6301<\/code><\/pre>\n<?php\n$handle = popen('\/path\/to\/executable 2>&1', 'r');\necho "'$handle'; " . gettype($handle) . "\\n";\n$read = fread($handle, 2096);\necho $read;\npclose($handle);\n?><\/code><\/pre>\n\u547d\u4ee4\u62fc\u63a5\u7b26<\/h4>\n
![\"image-20220320223518612\"](\"http:\/\/img.danielw.top\/image-20220320223518612.png\")
<\/p>\n
command1 && command2 \u5148\u6267\u2f8fcommand1\uff0c\u6210\u529f\u540e\u5728\u6267\u2f8fcommand2,\u5982\u679c\u5931\u8d25\u5219\u4e0d\u6267\u2f8fcommand2\ncommand1 & command2 \u5148\u6267\u2f8fcommand1\uff0c\u2f46\u8bba\u6210\u529f\u4e0e\u5426\u90fd\u6267\u2f8fcommand2\ncommand1 | command2 \u7ba1\u9053\uff0c\u76f4\u63a5\u5c06command1\u7684\u8f93\u51fa\u4f5c\u4e3acommand2\u7684\u6807\u51c6\u8f93\u2f0a\uff0c\u53ea\u6253\u5370command2\u7684\u6807\u51c6\n\u8f93\u51fa\ncommand1 || command2 \u6216\u8005\uff0c command1\u6267\u2f8f\u5931\u8d25\u540e\u6267\u2f8fcommand2,\u5982\u679c\u6267\u2f8f\u6210\u529f\u5219\u4e0d\u6267\u2f8fcommand2\ncommand1 ; command2 \u524d\u540e\u4e4b\u95f4\u6ca1\u6709\u5173\u7cfb\uff0c\u6240\u6709\u547d\u4ee4\u2f46\u8bba\u5931\u8d25\u90fd\u4f1a\u6267\u2f8f\uff0c\u4ece\u5de6\u5f80\u53f3\u4f9d\u6b21\u6267\u2f8f<\/code><\/pre>\nPHP\u51fd\u6570<\/h4>\neval()<\/h5>\n
eval()\u51fd\u6570\u4f1a\u628a\u5b57\u7b26\u4e32\u6309\u7167PHP\u4ee3\u7801\u6765\u8ba1\u7b97\uff0c\u8be5\u5b57\u7b26\u4e32\u5fc5\u987b\u662f\u5408\u6cd5\u7684PHP\u4ee3\u7801\uff0c\u4e14\u5fc5\u987b\u4ee5\u5206\u53f7\u7ed3\u5c3e<\/p>\n
<?php\n eval("echo hello;");\n?> <\/code><\/pre>\nassert()<\/h5>\n
assert()\u51fd\u6570\u4f1a\u5c06\u5b57\u7b26\u4e32\u5f53PHP\u4ee3\u7801\u6765\u8ba1\u7b97\uff0c\u4e0d\u7528\u662f\u4e25\u683c\u7684PHP\u4ee3\u7801\uff0c\u4e14\u652f\u6301\u52a8\u6001\u5d4c\u5957<\/p>\n
$a = "ass";\n$b = "ert";\n$c=$a.$b;\n$c(phpinfo(););\n\n<?php\nif(isset($_GET['code'])){\n$code=$_GET['code'];\nassert($code);\n}else{\necho "please submit code!<br \/>?code=phpinfo()";\n}\n?><\/code><\/pre>\ncall_user_func ()<\/h5>\n
call_user_func()\u7b49\u51fd\u6570\u90fd\u6709\u8c03\u2f64\u5176\u4ed6\u51fd\u6570\u7684\u529f\u80fd,\u5176\u4e2d\u7684\u2f00\u4e2a\u53c2\u6570\u4f5c\u4e3a\u8981\u8c03\u2f64\u7684\u51fd\u6570\u540d \uff0c\u8be5\u51fd\u6570\u6709\u4e24\u4e2a\u53c2\u6570,\u7b2c\u2f00\u4e2a\u53c2\u6570\u4f5c\u4e3a\u56de\u8c03\u51fd\u6570,\u540e\u2faf\u7684\u53c2\u6570\u4f5c\u4e3a\u56de\u8c03\u51fd\u6570\u7684\u53c2\u6570 <\/p>\n
<?php\nif(isset($_GET['fun'])){\n$fun=$_GET['fun'];\n$para=$_GET['para'];\ncall_user_func($fun,$para); call_user_func(assert,phpinfo(););\n}else{\necho "?fun=assert¶=phpinfo()";\n}\n?><\/code><\/pre>\n\u52a8\u6001\u51fd\u6570 a(b)<\/h5>\n
\u7531\u4e8ephp\u7684\u7279\u6027\u539f\u56e0,php\u7684\u51fd\u6570\u2f40\u6301\u76f4\u63a5\u6709\u62fc\u63a5\u7684\u2f45\u5f0f\u8c03\u2f64,\u8fd9\u76f4\u63a5\u5bfc\u81f4\u4e86php\u5728\u5b89\u5168\u4e0a\u7684\u63a7\u5236\u2f1c\u52a0\u2f24\u4e86\u96be\u5ea6.\u4e0d\u5c11\u77e5\u540d\u7a0b\u5e8f\u4e2d\u4e5f\u2f64\u5230\u4e86\u52a8\u6001\u51fd\u6570\u7684\u5199\u6cd5,\u8fd9\u79cd\u5199\u6cd5\u8ddf\u4f7f\u2f64call_user_func()\u7684\u521d\u8877\u2f00\u6837,\u2f64\u6765\u2f45\u4fbf\u5730\u8c03\u2f64\u51fd\u6570,\u4f46\u662f\u2f00\u65e6\u8fc7\u6ee4\u4e0d\u4e25\u683c\u5c31\u4f1a\u9020\u6210\u4ee3\u7801\u6267\u2f8f\u6f0f\u6d1e <\/p>\n
<?php\nif(isset($_GET['a'])){\n$a=$_GET['a'];\n$b=$_GET['b'];\n$a($b); \/\/ assert(phpinfo();)\n}else{\necho "\n?a=assert&b=phpinfo()\n";\n}\n?><\/code><\/pre>\npreg_replace ()<\/h5>\n
\u5176\u4f5c\u7528\u662f\u5bf9\u5b57\u7b26\u4e32\u8fdb\u884c\u6b63\u5219\u5904\u7406<\/p>\n
preg_replace(mixed $pattern,mixed $replacement, mixed $subject [,int limit = -1[,int &$count]])\n\/*\n $pattern: \u8981\u641c\u7d22\u7684\u6a21\u5f0f\uff0c\u53ef\u4ee5\u662f\u5b57\u7b26\u4e32\u6216\u4e00\u4e2a\u5b57\u7b26\u4e32\u6570\u7ec4\n $replacement: \u7528\u4e8e\u66ff\u6362\u7684\u5b57\u7b26\u4e32\u6216\u5b57\u7b26\u4e32\u6570\u7ec4\u3002\n $subject: \u8981\u641c\u7d22\u66ff\u6362\u7684\u76ee\u6807\u5b57\u7b26\u4e32\u6216\u5b57\u7b26\u4e32\u6570\u7ec4\u3002\n $limit: \u53ef\u9009\uff0c\u5bf9\u4e8e\u6bcf\u4e2a\u6a21\u5f0f\u7528\u4e8e\u6bcf\u4e2a subject \u5b57\u7b26\u4e32\u7684\u6700\u5927\u53ef\u66ff\u6362\u6b21\u6570\u3002 \u9ed8\u8ba4\u662f-1\uff08\u65e0\u9650\u5236\uff09\u3002\n $count: \u53ef\u9009\uff0c\u4e3a\u66ff\u6362\u6267\u884c\u7684\u6b21\u6570\u3002\n*\/\n\/\/\u5178\u578b\u4ee3\u7801\u5982\u4e0b:\n<?php\nif(isset($_GET['code'])){\n $code=$_GET['code'];\npreg_replace("\/\\((.*)\\)\/e", '\\\\1', $code); \/\/ \\\\1 \u6807\u8bc6\u7b2c\u2f00\u6b21\u5339\u914d\u7684\u5185\u5bb9 [.*]\n}else{\necho "?code=[phpinfo()]";\n}\n?>\n\n\/(.*)\/e\n(phpinfo();)\n(phpinfo();\n?code=()\n\/\/ \u63d0\u4ea4?code=(phpinfo();, phpinfo\u4f1a\u88ab\u6267\u2f8f\n(phpinfo();)<\/code><\/pre>\n\n\u672a\u5b8c\u5f85\u7eed<\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"
\u7b80\u4ecb \u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\u6307web\u5e94\u7528\u63a5\u6536\u7528\u6237\u8f93\u5165\uff0c\u62fc\u63a5\u5230\u8981\u6267\u884c\u7684\u7cfb\u7edf\u547d\u4ee4\u4e2d\u6267\u884c\u3002\u5176\u4ea7\u751f\u539f\u56e0\u4e3a \u7528\u6237\u8f93\u5165\u672a\u8fc7\u6ee4\u6216\u51c0\u5316\uff08\u51c0\u5316\u5c31\u662f\u5bf9\u7279\u6b8a\u5b57\u7b26\u505a …<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-244","post","type-post","status-publish","format-standard","hentry","category-3"],"_links":{"self":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/244","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=244"}],"version-history":[{"count":1,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/244\/revisions"}],"predecessor-version":[{"id":245,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/244\/revisions\/245"}],"wp:attachment":[{"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=244"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=244"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=244"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}