我注意到这里有一个严重低估的评论:http://php.net/manual/en/function.php-check-syntax.php
function eval_syntax($code)
{
$braces = 0;
$inString = 0;
// We need to know if braces are correctly balanced.
// This is not trivial due to variable interpolation
// which occurs in heredoc, backticked and double quoted strings
foreach (token_get_all('<?php ' . $code) as $token)
{
if (is_array($token))
{
switch ($token[0])
{
case T_CURLY_OPEN:
case T_DOLLAR_OPEN_CURLY_BRACES:
case T_START_HEREDOC: ++$inString; break;
case T_END_HEREDOC: --$inString; break;
}
}
else if ($inString & 1)
{
switch ($token)
{
case '`':
case '"': --$inString; break;
}
}
else
{
switch ($token)
{
case '`':
case '"': ++$inString; break;
case '{': ++$braces; break;
case '}':
if ($inString) --$inString;
else
{
--$braces;
if ($braces < 0) return false;
}
break;
}
}
}
// If $braces is not zero, then we are sure that $code is broken.
// We run it anyway in order to catch the error message and line number.
// Else, if $braces are correctly balanced, then we can safely put
// $code in a dead code sandbox to prevent its execution.
// Note that without this sandbox, a function or class declaration inside
// $code could throw a "Cannot redeclare" fatal error.
echo "Braces: ".$braces."\r\n";
$braces || $code = "if(0){{$code}\n}";
if (false === eval($code)) {}
}
eval_syntax("file_put_contents('/home/yourname/Desktop/done.txt', 'OVERWRITTEN');");
我试图绕过代码恶意执行用户输入,但我无法做到。我想知道它为什么会被投票。
正如您所看到的那样,大括号不匹配,它不会添加'if(0){' . $code . '}并使用不匹配的大括号执行用户输入,这会引发异常并且不会真正运行。< / p>
如果大括号是匹配的,它会调用eval,但是它位于if {0}&#34;沙盒&#34;内。有人怎么能绕过这个?
我知道eval是不安全的,但我想知道这里的诀窍。如何绕过if (0)的安全性并检查上面的代码?
您可以直接尝试上面的php.net或我的缩小/编辑版本的代码。 Point证明此代码不安全且用户执行任意PHP代码