# Code Injection

eval()

```
$get = "phpinfo()";
// eval() runs the string as PHP code, so this executes $test=phpinfo();
eval("\$test=$get;");
```

assert()

```
$get = "phpinfo()";
// assert() given a string evaluates it as PHP code (behaviour removed in PHP 8)
assert("\$test=$get;");
```

Concrete example

```
// Browser request: php?p=phpinfo()
// PHP script:
if (isset($_GET['p'])) {
    $p = $_GET['p'];
}
eval("\$p=$p;");
```

preg\_replace()

When the pattern contains the /e modifier, code execution is allowed. Fortunately, newer PHP versions no longer support it; it has been replaced by preg\_replace\_callback.

```
<?php
// Pattern (first parameter): the browser passes in a php closing tag
// php?reg=<\/php>/e
echo $regexp = $_GET['reg'];
$var = '<php>phpinfo()</php>';
preg_replace("/<php>(.*?)$regexp", '\\1', $var);
?>

<?php
// Replacement (second parameter)
// php?p=phpinfo()
preg_replace("/moon/e", $_GET['p'], "I love moon");
?>

<?php
// Injection through the third parameter of preg_replace()
// php?p=[php]phpinfo()[/php]
preg_replace("/\s*\[php\](.+?)\[\/php\]\s*/ies", "\\1", $_GET['p']);
?>
```
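The following is an added example, not code from the original page: one way to provide the same features without evaluating request data, using preg\_replace\_callback (which the page names as the replacement for /e), preg\_quote for a user-supplied pattern fragment, and an allowlist in place of eval(). The function names and the `ALLOWED_ACTIONS` table are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: the only operations a request may select by name.
const ALLOWED_ACTIONS = ['version' => 'phpversion', 'time' => 'time'];

// In place of eval("\$p=$p;"): the request value picks a callable from the
// allowlist and is never parsed as PHP code.
function run_action(string $name): string
{
    if (!array_key_exists($name, ALLOWED_ACTIONS)) {
        throw new InvalidArgumentException('unknown action');
    }
    return (string) call_user_func(ALLOWED_ACTIONS[$name]);
}

// In place of the /e forms: modifiers are fixed in a literal pattern and the
// text captured between [php] tags is handled as data inside a callback.
function render_tags(string $subject): string
{
    $out = preg_replace_callback(
        '/\s*\[php\](.+?)\[\/php\]\s*/is',
        function (array $m): string {
            $name = trim($m[1]);
            return array_key_exists($name, ALLOWED_ACTIONS)
                ? htmlspecialchars(run_action($name), ENT_QUOTES, 'UTF-8')
                : ''; // unknown names are dropped, not executed
        },
        $subject
    );
    if ($out === null) {
        throw new RuntimeException('regex error');
    }
    return $out;
}

// A user-supplied pattern fragment is quoted for the '/' delimiter, so it
// cannot close the pattern and append modifiers of its own.
function extract_between(string $open, string $userClose, string $subject): ?string
{
    $re = '/' . preg_quote($open, '/') . '(.*?)' . preg_quote($userClose, '/') . '/s';
    return preg_match($re, $subject, $m) === 1 ? $m[1] : null;
}

// Constructed sample inputs based on the page's requests.
var_dump(render_tags('v=[php]version[/php]'));
var_dump(render_tags('[php]phpinfo()[/php]'));
var_dump(extract_between('<php>', '</php>/e', '<php>phpinfo()</php>/e'));
```

In the last call the `/e` suffix is matched as literal text and the captured `phpinfo()` comes back as a plain string.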