The difference and relation between eval(cmd) and eval($cmd)

Time: 2022-5-11

This problem has been bothering me for a long time, and it was finally solved today.

Question 1: does eval() need quotation marks around the command in order to execute it?

First, look at the following commands:

A:
<?php eval(system(dir))?>

B:
<?php
	$cmd="system(dir)"; 
	eval($cmd)?>

A result: (screenshot not preserved)

B result: (screenshot not preserved) an error is reported.

Reflection:

Both are the same command, so why is there such a difference? I asked some more experienced people and learned that when eval() executes the value of a variable, the value of that variable must be closed, that is, it must be a complete statement ending with a semicolon. Following this reasoning, let's modify the command above and see:

<?php
	$cmd="system(dir);"; 
	eval($cmd)?>

Result: (screenshot not preserved) it turns out to be executable.

Later:

On this point, one more thing needs to be added:

When a built-in function is executed directly inside eval(), there is no need to add a semicolon. Just look at these two commands:

eval(system(dir));
eval(system(dir););


Built-in functions do not need a semicolon. In fact, I think it is the same whether a semicolon is added or not, because when a semicolon is added, the quotation marks also carry parsing meaning.
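The following script is an added example, not code from the original post, and it replaces system(dir) with harmless arithmetic so it can be run on any PHP 7 or later interpreter (PHP 7 is assumed because it is the version that reports a bad eval() string as a catchable ParseError). It shows the two rules the sections above describe: a string handed to eval() must be a complete statement, and when eval() is given a function call rather than a string, that call is evaluated first and only its return value is parsed as PHP. The helper buildCode() is a hypothetical name chosen for this example.

```php
<?php
// Added example (not from the original post): what eval() actually parses.

// Case 1: a string without a terminating semicolon is not a complete
// statement. PHP 7+ reports this as a catchable ParseError
// ("syntax error, unexpected end of file").
try {
    eval('$r = 6 * 7');
    echo "case 1: executed\n";
} catch (ParseError $e) {
    echo "case 1: ParseError: " . $e->getMessage() . "\n";
}

// Case 2: the same code with the semicolon. eval() shares the caller's
// scope, so $r is visible afterwards.
eval('$r = 6 * 7;');
echo "case 2: r = $r\n";                  // r = 42

// Case 3: the argument of eval() is an ordinary expression. It is
// evaluated *before* eval() runs, and only the resulting string is parsed
// as PHP. This is why eval(func(...)) needs no semicolon inside the
// parentheses: the outer statement is terminated by the ';' after ')'.
function buildCode(): string          // hypothetical helper for this example
{
    return 'return 6 * 7;';
}
$value = eval(buildCode());
echo "case 3: eval returned $value\n";   // 42
```

Case 3 is the part worth keeping in mind when reading a payload: eval(f()) never sees the text "f()", only whatever f() returned, so the statement-termination rule applies to that returned string, not to the outer call.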

Understanding closure in command execution:

Look at the code:

eval(system(dir));
eval(system(dir););

Look at the results: (screenshot not preserved)

This works here, and the statements that follow do not affect the parsing:

<?php
	eval("system(dir);?>xyusaiqeqcyuqqwdnoqcq");
?>


The trailing text has no effect here. Why?

If we simply close the eval command, then our payload should be:

<?php 
	eval("system(dir));?>xyusaiqeqcyuqqwdnoqcq");
?>

I misunderstood the above code as:

<?php 
	eval("system(dir)");?>
	xyusaiqeqcyuqqwdnoqcq");
?>

Before, I mistakenly thought it was closed like this, but later I found that I was wrong. When I found that it could not be closed this way in one problem, I asked other masters and got the answer:

The eval() function can be understood as taking the string in eval(string) and running it in a new PHP file. This new PHP file already starts with <?php, so when we pass in system(dir);?>dasdas, the ?> is where the PHP code ends.
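The following script is an added example, not code from the original post, illustrating the explanation above with harmless echo statements instead of system(dir); it assumes PHP 7 or later. The string given to eval() begins in PHP mode (as if a <?php stood in front of it), a ?> inside it switches back to literal-output mode, and a later <?php re-enters PHP mode. The suffix string is the one from the post.

```php
<?php
// Added example (not from the original post): how '?>' behaves inside
// the string that eval() parses.
$suffix = 'xyusaiqeqcyuqqwdnoqcq';   // the trailing text from the post

// The eval'd string starts in PHP mode. '?>' switches back to
// literal-output mode, so everything after it is printed verbatim
// instead of being parsed as code.
eval('echo "before ";?>' . $suffix);
echo "\n";
// prints: before xyusaiqeqcyuqqwdnoqcq

// A '<?php' after the '?>' re-enters PHP mode inside the same string.
eval('echo "a";?>[literal]<?php echo "b";');
echo "\n";
// prints: a[literal]b

// '?>' also terminates the statement before it (PHP treats the closing
// tag as an implicit ';'), so this parses without a semicolon:
eval('echo "no semicolon" ?>');
echo "\n";
// prints: no semicolon
```

This is why the misunderstood form in the post could not work: the ?> does not close the eval("...") call of the outer script, it only ends PHP mode inside the string that eval() is parsing, and the outer call is still closed by its own ")" and ";".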

Learned~