Command Execution
First version: no filtering or validation is applied to the user input:
<?php
if( isset( $_POST[ 'submit' ] ) ) {
    $target = $_REQUEST[ 'ip' ];
    // Determine OS and execute the ping command.
    if (stristr(php_uname('s'), 'Windows NT')) {
        $cmd = shell_exec( 'ping ' . $target );
        echo '<pre>'.$cmd.'</pre>';
    } else {
        $cmd = shell_exec( 'ping -c 3 ' . $target );
        echo '<pre>'.$cmd.'</pre>';
    }
}
?>
Second version: a blacklist strips a few characters from the input before it reaches the shell:
<?php
if( isset( $_POST[ 'submit' ] ) ) {
    $target = $_REQUEST[ 'ip' ];
    // Remove any of the characters in the array (blacklist).
    $substitutions = array(
        '&&' => '',
        ';'  => '',
    );
    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );
    // Determine OS and execute the ping command.
    if (stristr(php_uname('s'), 'Windows NT')) {
        $cmd = shell_exec( 'ping ' . $target );
        echo '<pre>'.$cmd.'</pre>';
    } else {
        $cmd = shell_exec( 'ping -c 3 ' . $target );
        echo '<pre>'.$cmd.'</pre>';
    }
}
?>
Third version: the input is split into four octets and each one is checked before the address is rebuilt:
<?php
if( isset( $_POST[ 'submit' ] ) ) {
    $target = $_REQUEST["ip"];
    $target = stripslashes( $target );
    // Split the IP into 4 octets
    $octet = explode(".", $target);
    // Check IF each octet is an integer
    if ((is_numeric($octet[0])) && (is_numeric($octet[1])) && (is_numeric($octet[2])) && (is_numeric($octet[3])) && (sizeof($octet) == 4) ) {
        // If all 4 octets are ints, put the IP back together.
        $target = $octet[0].'.'.$octet[1].'.'.$octet[2].'.'.$octet[3];
        // Determine OS and execute the ping command.
        if (stristr(php_uname('s'), 'Windows NT')) {
            $cmd = shell_exec( 'ping ' . $target );
            echo '<pre>'.$cmd.'</pre>';
        } else {
            $cmd = shell_exec( 'ping -c 3 ' . $target );
            echo '<pre>'.$cmd.'</pre>';
        }
    }
    else {
        echo '<pre>ERROR: You have entered an invalid IP</pre>';
    }
}
?>
The code above guarantees both that the input consists only of numbers and that it has the xxx.xxx.xxx.xxx form.
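As an added example (not code from the original page), the same handler written with a whole-address validator: filter_var() with FILTER_VALIDATE_IP rejects anything that is not a dotted-quad IPv4 address (is_numeric() in the third version also accepts forms such as "1e3" or " 7", so it proves the absence of shell metacharacters but is not a strict IP check), and escapeshellarg() quotes the value as defence in depth. The function names validate_ipv4 and build_ping_command are this example's own.

```php
<?php
/**
 * Return the validated IPv4 address, or null if $input is not one.
 * FILTER_FLAG_IPV4 restricts the check to dotted-quad addresses, so
 * hostnames, IPv6 literals and any shell metacharacters are rejected.
 */
function validate_ipv4(string $input): ?string
{
    $ip = filter_var(trim($input), FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    return $ip === false ? null : $ip;
}

/**
 * Build the ping command line for the current OS. The validated address is
 * wrapped in escapeshellarg() so that, even if the validation were loosened
 * later, the value reaches the shell as a single quoted argument.
 */
function build_ping_command(string $ip): string
{
    $quoted = escapeshellarg($ip);
    if (stristr(php_uname('s'), 'Windows NT')) {
        return 'ping ' . $quoted;
    }
    return 'ping -c 3 ' . $quoted;
}

if (isset($_POST['submit'])) {
    // Read from $_POST only: the handlers above used $_REQUEST, which also
    // accepts the value from the query string and from cookies.
    $ip = validate_ipv4((string) ($_POST['ip'] ?? ''));
    if ($ip === null) {
        echo '<pre>ERROR: You have entered an invalid IP</pre>';
    } else {
        $cmd = shell_exec(build_ping_command($ip));
        echo '<pre>' . $cmd . '</pre>';
    }
}
?>
```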