CISP-PTE file inclusion challenge notes

0x00:

I originally thought the PTE exam would be very simple, but after working through a past real exam question it turned out to be a little difficult.

0x01:

payload: echo ({${system("cat ../key.php")}});
Entering the challenge page, the prompt says this is a file inclusion challenge.

[image to be added]

This challenge does not test reading files through PHP pseudo-protocols, nor getting a shell by including log files and the like.

At first I fell into exactly that trap and tried those approaches many times.

Later I thought of looking at view.html; viewing its source code gave me the backdoor code.

So the exploitation point of this challenge is: include view.html and execute a command through it.

Now it is just a matter of working out the backdoor code.

Analysis of this payload:
echo ({${system("cat ../key.php")}});
The overall logic is this:
the regex call with the /e modifier (written as preg_match in my notes; the /e modifier belongs to preg_replace) can be used for command execution, because the second argument, \1, is eval'd (\1 is the first capture group of our regex match).
So the preg_replace here is effectively eval(\1).
This challenge therefore involves two evals,
nested like this:
eval(\1)
and \1 itself also has to be interpreted by eval, i.e. \1 = eval(echo ({${system("cat ../key.php")}});)
So the whole logic is:
Step 1: eval(echo ({${system("cat ../key.php")}});). At this point one eval is needed to execute the code; that eval has now been consumed.
Step 2: \1 = {${system("cat ../key.php")}}
Step 3: eval(\1) needs one more eval to execute the code.
Step 4: after eval(\1) has executed, what is left is {${system("cat ../key.php")}}
Step 5: here the usefulness of ${} shows itself: system("cat ../key.php") is executed as a variable; without the {${}} wrapper, a bare system("cat ../key.php") would just be parsed as a string.

Analysis: this involves PHP dynamic variables (variable variables): ${value} is resolved and the value is output as a variable; for example ${phpinfo()} outputs the phpinfo page.
The resolution of {${system("cat ../key.php")}} then proceeds as {$true} = {null} = "" (empty),
so the page outputs the result of the command we want to execute as normal.
https://xz.aliyun.com/t/2557
This blog explains it well; excerpt below.

Why do we say that matching the following, {${phpinfo()}} or ${phpinfo()}, executes the phpinfo function? This is a small pitfall. It is actually caused by PHP variable variables. In PHP, variables inside double quotes are resolved, but not inside single quotes. In ${phpinfo()}, phpinfo() is first executed as a variable; after execution it becomes ${1} (phpinfo() returns true when executed successfully). If you understand this, you can understand the following questions:

var_dump(phpinfo());  // result: bool(true)
var_dump(strtolower(phpinfo()));  // result: string '1'
var_dump(preg_replace('/(.*)/ie', '\1', '{${phpinfo()}}'));  // result: string '11'

var_dump(preg_replace('/(.*)/ie', 'strtolower("\\1")', '{${phpinfo()}}'));  // result: empty string ''
var_dump(preg_replace('/(.*)/ie', 'strtolower("{${phpinfo()}}")', '{${phpinfo()}}'));  // result: empty string ''

Here 'strtolower("{${phpinfo()}}")' corresponds to executing strtolower("{${1}}"), which corresponds to strtolower("{null}"), which corresponds to the empty string.

You can test this yourself locally; dynamic variables are only supported in PHP 5.

<?php
preg_replace('/(.*)/ie', 'strtolower("\\1")', '{${phpinfo()}}');
?>

PHP dynamic invocation also works as follows:

<?php
${phpinfo()}
?>
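The /e and ${} mechanics described in the notes above and in the quoted excerpt, as an added PHP example that is not from the original post, the quoted blog or the challenge; the names renderSafe and findEvalModifier and the sample strings are constructed for illustration.

```php
<?php
// Added example, not code from the original post or the challenge it describes.
// It shows the root cause the notes explain: with the /e modifier, preg_replace()
// substitutes back-references into the replacement string and then eval()s the
// result, so any text that reaches the subject is interpreted as PHP code, and a
// double-quoted "{${expr}}" inside it runs expr as a variable variable.
// /e only exists on PHP 5 (deprecated in 5.5, removed in 7.0); the safe form below
// runs on every supported version.

// Vulnerable shape, shown only as a comment (it does not compile on PHP 7+):
//   preg_replace('/(.*)/e', '\1', $subject);   // '\1' is eval'd after substitution

// Hardened equivalent: the match is handed to a closure as plain data, never eval'd.
function renderSafe(string $subject): string
{
    return preg_replace_callback('/(.*)/s', function (array $m): string {
        // Whatever the match contains, it is only escaped and returned.
        return htmlspecialchars($m[1], ENT_QUOTES, 'UTF-8');
    }, $subject);
}

// Audit helper (hypothetical name) for reviewing legacy PHP 5 code: returns the line
// numbers of preg_replace() calls whose pattern carries the /e modifier.
function findEvalModifier(string $phpSource): array
{
    $hits = [];
    // quote, delimiter, pattern body, same delimiter, flags containing 'e', same quote
    $re = '~preg_replace\s*\(\s*([\'"])([/#@!%|])(?:(?!\2).)*\2[a-zA-Z]*e[a-zA-Z]*\1~';
    foreach (explode("\n", $phpSource) as $index => $line) {
        if (preg_match($re, $line) === 1) {
            $hits[] = $index + 1;
        }
    }
    return $hits;
}

// Constructed sample inputs.
$subject = '{${strtoupper("demo")}}';          // shaped like the variable-variable trick
echo renderSafe($subject), PHP_EOL;             // the text is escaped and echoed; strtoupper() is never called

$legacy = "<?php\n\$out = preg_replace('/(.*)/ie', 'strtolower(\"\\\\1\")', \$in);\n";
var_dump(findEvalModifier($legacy));            // reports the line holding the /e pattern
```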

Source: www.cnblogs.com/Tkitn/p/12099483.html