file_put_contents tricks (the php://filter protocol)

Round 1

<?php
$content = '<?php exit; ?>';
$content .= $_POST['txt'];
file_put_contents($_POST['filename'], $content);

Because `<?php exit; ?>` is prepended to $content, the file exits as soon as it is executed, so whatever we write after it never runs. Fortunately, $_POST['filename'] is also under our control, so we can use the php://filter protocol to work some magic.

# Method one, base64 encoding

Using the php://filter base64-decode stream filter, we remove the "death exit" by exploiting how PHP's base64_decode handles characters outside the base64 alphabet.

As is well known, base64 encoding uses only 64 printable characters. When PHP decodes base64 and encounters a character that is not in that alphabet, it simply skips it and decodes only the remaining legal characters as one new string.

So when $content has `<?php exit; ?>` prepended to it, we can use php://filter/write=convert.base64-decode to decode it first. During decoding, the characters `<`, `?`, the two spaces, `;`, `?` and `>` (seven characters in total) fall outside the base64 alphabet and are ignored, so all that remains is "phpexit" plus the characters we passed in.

"phpexit" is seven characters long, and the base64 decoder works in groups of four bytes, so we add one more character, an "a", to make it eight. That way "phpexita" decodes normally, and the base64-encoded webshell we append after it also decodes normally. The result no longer contains `<?php exit; ?>`.

Final effect:

# Method two, using string manipulation

Besides exploiting base64's behaviour, we can also use php://filter's string-manipulation filters to remove the "death exit". Look at `<?php exit; ?>` again: what is it, really?

It is in effect an XML-style tag, and since it is a tag, the strip_tags function can remove it; php://filter supports exactly this through its string.strip_tags filter. (Caveat for anyone testing this today: the string.strip_tags filter was deprecated in PHP 7.3 and removed in PHP 8.0, so this method only works on older interpreters.)

Write the following test code to see the effect of php://filter/read=string.strip_tags/resource=php://input:

readfile('php://filter/read=string.strip_tags/resource=php://input'); // readfile() already echoes the stream; its return value is only the byte count

As can be seen, `<?php exit; ?>` is removed. But back to the subject: our final goal is to write a webshell, and a webshell is PHP code, so strip_tags would remove it as well.

Fortunately, php://filter allows several filters to be chained, so we can first base64-encode the webshell, then apply strip_tags, then base64-decode. The "death exit" is removed in the first step, and the webshell is restored in the second.

Final effect:

# Method three, ROT13 encoding

The principle is the same as above: the core is removing the "death exit". After ROT13 encoding, `<?php exit; ?>` becomes `<?cuc rkvg; ?>`, and when short_open_tag is off, PHP does not recognise that string as an open tag, so of course it is not executed (the webshell itself is passed ROT13-encoded so that the filter's decoding restores it):


Round 2

<?php
$a = $_POST['txt'];
file_put_contents($a, "<?php exit();" . $a); // the same variable is used as both the file name and the content

Here the same variable appears both as the file name and in the content, assuming $a is controllable.

Constructing a payload when one variable plays both roles is a rather different way of thinking from the case where the two are separate. The goal is still to get rid of `<?php exit();`, but the construction is considerably more complex.
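Both rounds share the same root cause: `file_put_contents` accepts any stream wrapper, so a user-controlled file name lets `php://filter/write=...` rewrite the content on the way to disk, and a prepended `<?php exit;` is no real protection. As an added example that is not code from the original post, here is a hardened version of that pattern. The function names `looks_like_stream_wrapper` and `safe_write_file`, the `.txt` allow-list and the demo inputs are all assumptions made for this illustration.

```php
<?php
// Added example, not code from the original post. A hardened replacement for
// the vulnerable pattern file_put_contents($_POST['filename'], $content) used
// in both rounds above. Function names and the allow-list are assumptions.

/**
 * Return true when $path starts with a URL scheme such as php://, data: or phar://.
 * Every bypass on this page needs a php://filter/... target to reach
 * file_put_contents, so refusing wrapper syntax closes that door outright.
 */
function looks_like_stream_wrapper(string $path): bool
{
    // RFC 3986 scheme: a letter followed by letters, digits, "+", "-" or ".".
    // Matching "scheme:" rather than only "scheme://" also catches data: and file:.
    return (bool) preg_match('#^[a-z][a-z0-9+.\-]*:#i', $path);
}

/**
 * Write user content to a user-chosen file, but only inside $dir and only
 * under a file name taken from a strict allow-list.
 */
function safe_write_file(string $dir, string $userName, string $content): string
{
    if (looks_like_stream_wrapper($userName)) {
        throw new InvalidArgumentException('stream wrappers are not allowed');
    }

    // Keep only the last path component, then allow-list it. This blocks
    // "../" traversal and any extension the web server would execute.
    $base = basename($userName);
    if (!preg_match('/^[A-Za-z0-9_\-]{1,64}\.txt$/', $base)) {
        throw new InvalidArgumentException('file name not allowed: ' . $userName);
    }

    // Resolve the destination directory first; no user input ever reaches
    // the directory part of the final path.
    $realDir = realpath($dir);
    if ($realDir === false || !is_dir($realDir)) {
        throw new RuntimeException('destination directory does not exist');
    }
    $target = $realDir . DIRECTORY_SEPARATOR . $base;

    // No "<?php exit;" prefix: it is not a security control. The .txt
    // allow-list plus a server rule that never executes files in $dir is.
    if (file_put_contents($target, $content, LOCK_EX) === false) {
        throw new RuntimeException('write failed');
    }
    return $target;
}

// Constructed demo inputs: the page's bypass-style targets versus a normal name.
$demoDir = sys_get_temp_dir();
$inputs = [
    'php://filter/write=convert.base64-decode/resource=out.php',
    'php://filter/write=string.rot13/resource=out.php',
    '../../var/www/html/out.php',
    'notes.txt',
];
foreach ($inputs as $name) {
    try {
        $path = safe_write_file($demoDir, $name, "hello\n");
        echo "written: $path\n";
        unlink($path);
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```

Running this rejects the two php://filter names and the traversal attempt and writes only notes.txt into the temporary directory. Two points worth keeping in mind when reviewing code like the rounds above: `allow_url_fopen` has no effect on the php:// wrapper, so it is not a mitigation here, and the strongest fix is to not let the client choose the file name at all and generate it server-side, with the allow-list as defence in depth.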

# Method one, base64 encoding

########## To be continued tomorrow



Source: www.cnblogs.com/vege/p/12650702.html