注意你可以使用的命令只能是php这个用户组的权限和范围
//$output = `ls -al`; //$output = `netstat -tnlp`; $output = `id www`; echo "<pre>$output</pre>";
网页返回的结果
Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1471/nginx tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN - tcp 0 0 :::3306 :::* LISTEN - tcp 0 0 :::22 :::* LISTEN - tcp 0 0 ::1:25 :::* LISTEN -
linux root权限
Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1470/nginx tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1229/sshd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1452/master tcp 0 0 :::3306 :::* LISTEN 1348/mysqld tcp 0 0 :::22 :::* LISTEN 1229/sshd tcp 0 0 ::1:25 :::* LISTEN 1452/master
可以明显看出
注意不是英文的单引号,是反引号(``)
这个可以作为注入的代码
这个叫做 执行运算符
http://php.net/manual/zh/language.operators.execution.php