DVWA--Command Injection(命令执行)--四个等级

最新推荐文章于 2022-02-27 12:39:12 发布

小白渣

最新推荐文章于 2022-02-27 12:39:12 发布

阅读量237

点赞数

分类专栏： DVWA 命令执行

原文链接：https://blog.csdn.net/qq_41617034/article/details/90221943

版权

命令执行同时被 2 个专栏收录

5 篇文章 1 订阅

订阅专栏

DVWA

2 篇文章 0 订阅

订阅专栏

呜呜呜写的太好了叭！！！！神仙

就是很奇怪的是现在csdn转载时源码会出现顺序打乱的情况和莫名看不到的情况emm，不知道怎么解决

索引目录：

Impossible

命令执行漏洞的原理： ：在操作系统中， & 、&& 、| 、 || 都可以作为命令连接符使用，用户通过浏览器提交执行命令，由于服务器端没有对执行函数进行过滤，从而造成可以执行危险命令

PHP的命令执行函数主要有： ：system、exec、passthru、shell_exec与’ '(这个并不是函数，只是代表他可以执行命令)

常用url编码 ：
%20 = 空格
%5c = \
%26 = &
%7c = |

command1 & command2 ：不管command1执行成功与否，都会执行command2（将上一个命令的输出作为下一个命令的输入）
command1 && command2 ：先执行command1执行成功后才会执行command2
command1 | command2 ：只执行command2
command1 || command2 ：command1执行失败，再执行command2(若command1执行成功，就不再执行command2)

Low

源代码：

<?php

if( isset( $KaTeX parse error: Expected '}', got 'EOF' at end of input: \dotsoken variable">$ target = $_REQUEST[ ‘ip’ ];

<span class="token comment">// Determine OS and execute the ping command. </span>
<span class="token keyword">if</span><span class="token punctuation">(</span> <span class="token function">stristr</span><span class="token punctuation">(</span> <span class="token function">php_uname</span><span class="token punctuation">(</span> <span class="token single-quoted-string string">'s'</span> <span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token single-quoted-string string">'Windows NT'</span> <span class="token punctuation">)</span> <span class="token punctuation">)</span> <span class="token punctuation">{</span> 
    <span class="token comment">// Windows </span>
    <span class="token variable">$cmd</span> <span class="token operator">=</span> <span class="token function">shell_exec</span><span class="token punctuation">(</span> <span class="token single-quoted-string string">'ping  '</span> <span class="token punctuation">.</span> <span class="token variable">$target</span> <span class="token punctuation">)</span><span class="token punctuation">;</span> 
<span class="token punctuation">}</span> 
<span class="token keyword">else</span> <span class="token punctuation">{</span> 
    <span class="token comment">// *nix </span>
    <span class="token variable">$cmd</span> <span class="token operator">=</span> <span class="token function">shell_exec</span><span class="token punctuation">(</span> <span class="token single-quoted-string string">'ping  -n 4 '</span> <span class="token punctuation">.</span> <span class="token variable">$target</span> <span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span> 

<span class="token comment">// Feedback for the end user </span>
<span class="token keyword">echo</span> <span class="token double-quoted-string string">"&lt;pre&gt;<span class="token interpolation"><span class="token punctuation">{</span><span class="token variable">$cmd</span><span class="token punctuation">}</span></span>&lt;/pre&gt;"</span><span class="token punctuation">;</span>

}

stristr(string,search,before_search) ：搜索字符串在另一字符串中的第一次出现，返回字符串的剩余部分（从匹配点），如果未找到所搜索的字符串，则返回 FALSE

string 必需。规定被搜索的字符串

search 必需。规定要搜索的字符串
如果该参数是数字，则搜索匹配该数字对应的 ASCII 值的字符

before_search 可选。默认值为 “false” 的布尔值
如果设置为 “true”，它将返回 search 参数第一次出现之前的字符串部分

注释：该函数是二进制安全的
注释：该函数是不区分大小写的，如需进行区分大小写的搜索，请使用 strstr() 函数
举例：

<?php
echo stristr("Hello world!","WORLD");
?>
/*结果
world!
*/

 
 
 
 1
2
3
4
5
6

php_uname ($mode) ：返回运行 PHP 的系统的有关信息，也就是返回运行 PHP 的操作系统的描述
$mode 是单个字符，用于定义要返回什么信息：
‘a’：此为默认。包含序列 “s n r v m” 里的所有模式
‘s’：操作系统名称。例如： FreeBSD
‘n’：主机名。例如：DESKTOP-XXXXXXX
‘r’：版本名称，例如： 5.1.2-RELEASE
‘v’：版本信息。操作系统之间有很大的不同
‘m’：机器类型。例如：i386

shell_exec() ：通过 shell 环境执行命令，并且将完整的输出以字符串的方式返回。也就是说, PHP先运行一个shell环境, 然后让shell进程运行你的命令, 并且把所有输出已字符串形式返回, 如果程序执行有错误或者程序没有任何输出, 则返回null
在这里插入图片描述

Low级别的代码对提交的参数没有进行过滤，仅仅使用使用stristr与php_uname判断操作系统是否是Windows NT，因此我们可以使用命令连接符来实现命令执行

渗透测试：
在这里插入图片描述
command1 && command2 ：先执行command1后执行command2

command1 & command2 ：先执行command2后执行command1

command1 | command2 ：只执行command2

command1 || command2 ：command1执行失败，再执行command2(若command1执行成功，就不再执行command2)
在这里插入图片描述

Medium

源代码：

<?php

if( isset( $KaTeX parse error: Expected '}', got 'EOF' at end of input: \dotsoken variable">$ target = $_REQUEST[ ‘ip’ ];

<span class="token comment">// Set blacklist </span>
<span class="token variable">$substitutions</span> <span class="token operator">=</span> <span class="token keyword">array</span><span class="token punctuation">(</span> 
    <span class="token single-quoted-string string">'&amp;&amp;'</span> <span class="token operator">=</span><span class="token operator">&gt;</span> <span class="token single-quoted-string string">''</span><span class="token punctuation">,</span> 
    <span class="token single-quoted-string string">';'</span>  <span class="token operator">=</span><span class="token operator">&gt;</span> <span class="token single-quoted-string string">''</span><span class="token punctuation">,</span> 
<span class="token punctuation">)</span><span class="token punctuation">;</span> 

<span class="token comment">// Remove any of the charactars in the array (blacklist). </span>
<span class="token variable">$target</span> <span class="token operator">=</span> <span class="token function">str_replace</span><span class="token punctuation">(</span> <span class="token function">array_keys</span><span class="token punctuation">(</span> <span class="token variable">$substitutions</span> <span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token variable">$substitutions</span><span class="token punctuation">,</span> <span class="token variable">$target</span> <span class="token punctuation">)</span><span class="token punctuation">;</span>

<span class="token comment">// Determine OS and execute the ping command. </span>
<span class="token keyword">if</span><span class="token punctuation">(</span> <span class="token function">stristr</span><span class="token punctuation">(</span> <span class="token function">php_uname</span><span class="token punctuation">(</span> <span class="token single-quoted-string string">'s'</span> <span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token single-quoted-string string">'Windows NT'</span> <span class="token punctuation">)</span> <span class="token punctuation">)</span> <span class="token punctuation">{</span> 
    <span class="token comment">// Windows </span>
    <span class="token variable">$cmd</span> <span class="token operator">=</span> <span class="token function">shell_exec</span><span class="token punctuation">(</span> <span class="token single-quoted-string string">'ping  '</span> <span class="token punctuation">.</span> <span class="token variable">$target</span> <span class="token punctuation">)</span><span class="token punctuation">;</span> 
<span class="token punctuation">}</span> 
<span class="token keyword">else</span> <span class="token punctuation">{</span> 
    <span class="token comment">// *nix </span>
    <span class="token variable">$cmd</span> <span class="token operator">=</span> <span class="token function">shell_exec</span><span class="token punctuation">(</span> <span class="token single-quoted-string string">'ping  -n 4 '</span> <span class="token punctuation">.</span> <span class="token variable">$target</span> <span class="token punctuation">)</span><span class="token punctuation">;</span> 
<span class="token punctuation">}</span> 

<span class="token comment">// Feedback for the end user </span>
<span class="token keyword">echo</span> <span class="token double-quoted-string string">"&lt;pre&gt;<span class="token interpolation"><span class="token punctuation">{</span><span class="token variable">$cmd</span><span class="token punctuation">}</span></span>&lt;/pre&gt;"</span><span class="token punctuation">;</span>

}

array() ：用于创建数组
在 PHP 中，有三种类型的数组：
索引数组 - 带有数字索引的数组
关联数组 - 带有指定的键的数组
多维数组 - 包含一个或多个数组的数组
说明：
array() 创建数组，带有键和值。如果在规定数组时省略了键，则生成一个整数键，这个 key 从 0 开始，然后以 1 进行递增

要用 array() 创建一个关联数组，可使用 => 来分隔键和值

要创建一个空数组，则不传递参数给 array()：
$new = array();
关联数组举例：

<?php
$age=array("Bill"=>"1","Steve"=>"2","Mark"=>"3");
echo "Bill is " . $age['Bill'] . " years old.";
?>
/*结果：
Bill is 1 years old.
*/

 
 
 
 1
2
3
4
5
6
7

str_replace(find,replace,string,count) ：以其他字符替换字符串中的一些字符（区分大小写）
find 必需。规定要查找的值
replace 必需。规定替换 find 中的值的值
string 必需。规定被搜索的字符串
count 可选。对替换数进行计数的变量

该函数必须遵循下列规则：
如果搜索的字符串是数组，那么它将返回数组
如果搜索的字符串是数组，那么它将对数组中的每个元素进行查找和替换
如果同时需要对数组进行查找和替换，并且需要执行替换的元素少于查找到的元素的数量，那么多余元素将用空字符串进行替换
如果查找的是数组，而替换的是字符串，那么替代字符串将对所有查找到的值起作用
注释：该函数区分大小写。请使用 str_ireplace() 函数执行不区分大小写的搜索
注释：该函数是二进制安全的
举例：

<?php
echo str_replace("world","Shanghai","Hello world!");
?>
/*结果：
Hello Shanghai!
*/

 
 
 
 1
2
3
4
5
6

array_keys(array,value,strict) ：返回包含数组中所有键名的一个新数组
array 必需。规定数组
value 可选。您可以指定键值，然后只有该键值对应的键名会被返回

strict 可选。与 value 参数一起使用。可能的值：
true - 返回带有指定键值的键名。依赖类型，数字 5 与字符串 “5” 是不同的
false - 默认值。不依赖类型，数字 5 与字符串 “5” 是相同的

如果提供了第二个参数，则只返回键值为该值的键名
如果 strict 参数指定为 true，则 PHP 会使用全等比较 (===) 来严格检查键值的数据类型
举例：

<?php
$a=array("x"=>"A","y"=>"B","z"=>"C");
print_r(array_keys($a));
?>
/*结果：
Array ( [0] => x [1] => y [2] => z ) 
*/

 
 
 
 1
2
3
4
5
6
7

过滤核心代码理解：

array_keys( $substitutions )为Array ( [0] => && [1] => ; ) ,也就是arry(&& , ;)
$substitutions为 $substitutions = array( '&&' => '', ';'  => '', )，&&和;是键，''为键值，转换一下也就是array( [0] => '', [1]  => '', )，再转化一下就是arry('','')
假设$target=127.0.0.1 && ipconfig

解释1： $KaTeX parse error: Expected 'EOF', got '&' at position 250: \dotsoken operator">&̲amp;&</span\dots$ target中的&&和;替换为’’

解释2：$target = str_replace( arry(&& , ;), arry(’’,’’), “127.0.0.1 && ipconfig” );搜索"127.0.0.1 && ipconfig"中的&&和;
替换成’’

注：这里的解释1和解释2只是为了帮助理解

因此，从Medium的源代码可以看出，它在Low代码层面上增加了对上传参数的过滤，将上传参数的&&和;转化为空，但是它仅仅只能过滤&&和;，我们可以使用&继续进行命令执行

渗透测试：
在这里插入图片描述

High

源代码：

<?php

if( isset( $KaTeX parse error: Expected '}', got 'EOF' at end of input: \dotsoken variable">$ target = trim($_REQUEST[ ‘ip’ ]);

<span class="token comment">// Set blacklist </span>
<span class="token variable">$substitutions</span> <span class="token operator">=</span> <span class="token keyword">array</span><span class="token punctuation">(</span> 
    <span class="token single-quoted-string string">'&amp;'</span>  <span class="token operator">=</span><span class="token operator">&gt;</span> <span class="token single-quoted-string string">''</span><span class="token punctuation">,</span> 
    <span class="token single-quoted-string string">';'</span>  <span class="token operator">=</span><span class="token operator">&gt;</span> <span class="token single-quoted-string string">''</span><span class="token punctuation">,</span> 
    <span class="token single-quoted-string string">'| '</span> <span class="token operator">=</span><span class="token operator">&gt;</span> <span class="token single-quoted-string string">''</span><span class="token punctuation">,</span> 
    <span class="token single-quoted-string string">'-'</span>  <span class="token operator">=</span><span class="token operator">&gt;</span> <span class="token single-quoted-string string">''</span><span class="token punctuation">,</span> 
    <span class="token single-quoted-string string">'$'</span>  <span class="token operator">=</span><span class="token operator">&gt;</span> <span class="token single-quoted-string string">''</span><span class="token punctuation">,</span> 
    <span class="token single-quoted-string string">'('</span>  <span class="token operator">=</span><span class="token operator">&gt;</span> <span class="token single-quoted-string string">''</span><span class="token punctuation">,</span> 
    <span class="token single-quoted-string string">')'</span>  <span class="token operator">=</span><span class="token operator">&gt;</span> <span class="token single-quoted-string string">''</span><span class="token punctuation">,</span> 
    <span class="token single-quoted-string string">'`'</span>  <span class="token operator">=</span><span class="token operator">&gt;</span> <span class="token single-quoted-string string">''</span><span class="token punctuation">,</span> 
    <span class="token single-quoted-string string">'||'</span> <span class="token operator">=</span><span class="token operator">&gt;</span> <span class="token single-quoted-string string">''</span><span class="token punctuation">,</span> 
<span class="token punctuation">)</span><span class="token punctuation">;</span> 

<span class="token comment">// Remove any of the charactars in the array (blacklist). </span>
<span class="token variable">$target</span> <span class="token operator">=</span> <span class="token function">str_replace</span><span class="token punctuation">(</span> <span class="token function">array_keys</span><span class="token punctuation">(</span> <span class="token variable">$substitutions</span> <span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token variable">$substitutions</span><span class="token punctuation">,</span> <span class="token variable">$target</span> <span class="token punctuation">)</span><span class="token punctuation">;</span>

<span class="token comment">// Determine OS and execute the ping command. </span>
<span class="token keyword">if</span><span class="token punctuation">(</span> <span class="token function">stristr</span><span class="token punctuation">(</span> <span class="token function">php_uname</span><span class="token punctuation">(</span> <span class="token single-quoted-string string">'s'</span> <span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token single-quoted-string string">'Windows NT'</span> <span class="token punctuation">)</span> <span class="token punctuation">)</span> <span class="token punctuation">{</span> 
    <span class="token comment">// Windows </span>
    <span class="token variable">$cmd</span> <span class="token operator">=</span> <span class="token function">shell_exec</span><span class="token punctuation">(</span> <span class="token single-quoted-string string">'ping  '</span> <span class="token punctuation">.</span> <span class="token variable">$target</span> <span class="token punctuation">)</span><span class="token punctuation">;</span> 
<span class="token punctuation">}</span> 
<span class="token keyword">else</span> <span class="token punctuation">{</span> 
    <span class="token comment">// *nix </span>
    <span class="token variable">$cmd</span> <span class="token operator">=</span> <span class="token function">shell_exec</span><span class="token punctuation">(</span> <span class="token single-quoted-string string">'ping  -n 4 '</span> <span class="token punctuation">.</span> <span class="token variable">$target</span> <span class="token punctuation">)</span><span class="token punctuation">;</span> 
<span class="token punctuation">}</span> 

<span class="token comment">// Feedback for the end user </span>
<span class="token keyword">echo</span> <span class="token double-quoted-string string">"&lt;pre&gt;<span class="token interpolation"><span class="token punctuation">{</span><span class="token variable">$cmd</span><span class="token punctuation">}</span></span>&lt;/pre&gt;"</span><span class="token punctuation">;</span>

}

High的代码也就是在Medium的代码上面进行了一次升级，增加了过滤的黑名单，但是，我们仔细看源代码会发现，本来可以过滤一个|，就可以过滤所有|、||、|||等等，可是你仔细观察一下，会发现过滤的|后面有一个空格，也就表示，它过滤的是|空格，并没有过滤|，所以我们可以利用|进行绕过

渗透测试：

绕过方法一：
在这里插入图片描述
看了上面一幅图，大家也许就会有疑惑了，明明源代码里有过滤||，为什么还能执行呢？
我们仔细看一下它的黑名单：

从上面可以看出，它确实有过滤||，但是，你注意到了顺序吗！！它是由上到下依次查找转义，它首先转义|空格
所以127.0.0.1 || ipconfig经过过滤后就是127.0.0.1 |ipconfig，这里的|是原命令语句(127.0.0.1 || ipconfig)左边的，因此，最后的执行命令便成了127.0.0.1 |ipconfig

如果我们把黑名单过滤的顺序修改一下会怎样呢？如下图：
在这里插入图片描述
执行结果：

此时我们会发现无法执行，因为它首先过滤了||

绕过方法二：
在这里插入图片描述

Impossible

源代码：

<?php

if( isset( $KaTeX parse error: Expected '}', got 'EOF' at end of input: \dotsoken variable">$ _REQUEST[ ‘user_token’ ], $_SESSION[ ‘session_token’ ], ‘index.php’ );

<span class="token comment">// Get input </span>
<span class="token variable">$target</span> <span class="token operator">=</span> <span class="token variable">$_REQUEST</span><span class="token punctuation">[</span> <span class="token single-quoted-string string">'ip'</span> <span class="token punctuation">]</span><span class="token punctuation">;</span> 
<span class="token variable">$target</span> <span class="token operator">=</span> <span class="token function">stripslashes</span><span class="token punctuation">(</span> <span class="token variable">$target</span> <span class="token punctuation">)</span><span class="token punctuation">;</span> 

<span class="token comment">// Split the IP into 4 octects </span>
<span class="token variable">$octet</span> <span class="token operator">=</span> <span class="token function">explode</span><span class="token punctuation">(</span> <span class="token double-quoted-string string">"."</span><span class="token punctuation">,</span> <span class="token variable">$target</span> <span class="token punctuation">)</span><span class="token punctuation">;</span> 

<span class="token comment">// Check IF each octet is an integer </span>
<span class="token keyword">if</span><span class="token punctuation">(</span> <span class="token punctuation">(</span> <span class="token function">is_numeric</span><span class="token punctuation">(</span> <span class="token variable">$octet</span><span class="token punctuation">[</span><span class="token number">0</span><span class="token punctuation">]</span> <span class="token punctuation">)</span> <span class="token punctuation">)</span> <span class="token operator">&amp;&amp;</span> <span class="token punctuation">(</span> <span class="token function">is_numeric</span><span class="token punctuation">(</span> <span class="token variable">$octet</span><span class="token punctuation">[</span><span class="token number">1</span><span class="token punctuation">]</span> <span class="token punctuation">)</span> <span class="token punctuation">)</span> <span class="token operator">&amp;&amp;</span> <span class="token punctuation">(</span> <span class="token function">is_numeric</span><span class="token punctuation">(</span> <span class="token variable">$octet</span><span class="token punctuation">[</span><span class="token number">2</span><span class="token punctuation">]</span> <span class="token punctuation">)</span> <span class="token punctuation">)</span> <span class="token operator">&amp;&amp;</span> <span class="token punctuation">(</span> <span class="token function">is_numeric</span><span class="token punctuation">(</span> <span class="token variable">$octet</span><span class="token punctuation">[</span><span class="token number">3</span><span class="token punctuation">]</span> <span class="token punctuation">)</span> <span class="token punctuation">)</span> <span class="token operator">&amp;&amp;</span> <span class="token punctuation">(</span> <span class="token function">sizeof</span><span class="token punctuation">(</span> <span class="token variable">$octet</span> <span class="token punctuation">)</span> <span class="token operator">==</span> <span class="token number">4</span> <span class="token punctuation">)</span> <span class="token punctuation">)</span> <span class="token punctuation">{</span> 
    <span class="token comment">// If all 4 octets are int's put the IP back together. </span>
    <span class="token variable">$target</span> <span class="token operator">=</span> <span class="token variable">$octet</span><span class="token punctuation">[</span><span class="token number">0</span><span class="token punctuation">]</span> <span class="token punctuation">.</span> <span class="token single-quoted-string string">'.'</span> <span class="token punctuation">.</span> <span class="token variable">$octet</span><span class="token punctuation">[</span><span class="token number">1</span><span class="token punctuation">]</span> <span class="token punctuation">.</span> <span class="token single-quoted-string string">'.'</span> <span class="token punctuation">.</span> <span class="token variable">$octet</span><span class="token punctuation">[</span><span class="token number">2</span><span class="token punctuation">]</span> <span class="token punctuation">.</span> <span class="token single-quoted-string string">'.'</span> <span class="token punctuation">.</span> <span class="token variable">$octet</span><span class="token punctuation">[</span><span class="token number">3</span><span class="token punctuation">]</span><span class="token punctuation">;</span> 

    <span class="token comment">// Determine OS and execute the ping command. </span>
    <span class="token keyword">if</span><span class="token punctuation">(</span> <span class="token function">stristr</span><span class="token punctuation">(</span> <span class="token function">php_uname</span><span class="token punctuation">(</span> <span class="token single-quoted-string string">'s'</span> <span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token single-quoted-string string">'Windows NT'</span> <span class="token punctuation">)</span> <span class="token punctuation">)</span> <span class="token punctuation">{</span> 
        <span class="token comment">// Windows </span>
        <span class="token variable">$cmd</span> <span class="token operator">=</span> <span class="token function">shell_exec</span><span class="token punctuation">(</span> <span class="token single-quoted-string string">'ping  '</span> <span class="token punctuation">.</span> <span class="token variable">$target</span> <span class="token punctuation">)</span><span class="token punctuation">;</span> 
    <span class="token punctuation">}</span> 
    <span class="token keyword">else</span> <span class="token punctuation">{</span> 
        <span class="token comment">// *nix </span>
        <span class="token variable">$cmd</span> <span class="token operator">=</span> <span class="token function">shell_exec</span><span class="token punctuation">(</span> <span class="token single-quoted-string string">'ping  -n 4 '</span> <span class="token punctuation">.</span> <span class="token variable">$target</span> <span class="token punctuation">)</span><span class="token punctuation">;</span> 
    <span class="token punctuation">}</span> 

    <span class="token comment">// Feedback for the end user </span>
    <span class="token keyword">echo</span> <span class="token double-quoted-string string">"&lt;pre&gt;<span class="token interpolation"><span class="token punctuation">{</span><span class="token variable">$cmd</span><span class="token punctuation">}</span></span>&lt;/pre&gt;"</span><span class="token punctuation">;</span> 
<span class="token punctuation">}</span> 
<span class="token keyword">else</span> <span class="token punctuation">{</span> 
    <span class="token comment">// Ops. Let the user name theres a mistake </span>
    <span class="token keyword">echo</span> <span class="token single-quoted-string string">'&lt;pre&gt;ERROR: You have entered an invalid IP.&lt;/pre&gt;'</span><span class="token punctuation">;</span> 
<span class="token punctuation">}</span>

}

// Generate Anti-CSRF token
generateSessionToken();

explode(separator,string,limit) ：把字符串打散为数组

参数	描述
separator	必需。规定在哪里分割字符串
string	必需。要分割的字符串
limit	可选。规定所返回的数组元素的数目。可能的值：(1)大于 0 - 返回包含最多 limit 个元素的数组；(2)小于 0 - 返回包含除了最后的 -limit 个元素以外的所有元素的数组；(3)0 - 返回包含一个元素的数组

举例：

<?php
$str = "Hello world. I love Shanghai!";
print_r (explode(" ",$str));
?>  
/*结果
Array ( [0] => Hello [1] => world. [2] => I [3] => love [4] => Shanghai! )
*/

 
 
 
 1
2
3
4
5
6
7

is_numeric（$var） ：用于检测变量是否为数字或数字字符串
$var要检测的变量
如果指定的变量是数字和数字字符串则返回TRUE，否则返回FALSE

sizeof(array,mode) ：计算数组中的单元数目或对象中的属性个数
array 必需。规定数组
mode 可选。规定模式。可能的值：
0 - 默认。不计数多维数组中的所有元素
1 - 递归地计数数组中元素的数目（计算多维数组中的所有元素）

当变量未被设置，或是变量包含一个空的数组，该函数会返回 0。可使用 isset() 变量来测试变量是否被设置
举例：

<?php
$cars=array("Volvo","BMW","Toyota");
echo sizeof($cars);
?>
/*结果
3
*/

 
 
 
 1
2
3
4
5
6
7

Impossible级别的代码加入了Anti-CSRF token，并对提交的参数进行严格的过滤，不仅过滤了反斜杠；也使用is_numeric检测变量是否为数字字符串或数字，使得非数字字符串或数字的全部“封杀”，从而达到阻止危险的命令执行

注：这所有源代码中的的ping -c 4 ip现在已经不适用了，现在windows的版本应该是ping - n 4 ip了，我都已经在源代码中修改了

                                </div>
            <link href="https://csdnimg.cn/release/phoenix/mdeditor/markdown_views-b6c3c6d139.css" rel="stylesheet">
                </div>

小白渣

关注

0
点赞
踩
1

收藏

觉得还不错? 一键收藏
0
评论
DVWA--Command Injection(命令执行)--四个等级

呜呜呜写的太好了叭！！！！神仙索引目录： Low Medium High Impossible 命令执行漏洞的原理：：在操作系统中， & 、&& 、| 、 || 都可以作为命令连接符使用，用户通过浏览器提交执行命令，由于服务器端没有对执行函数进行过滤，从而造成可以执行危险命令 PHP的命令执行函数主要有：：system、...
复制链接

扫一扫