Shulou(Shulou.com)05/31 Report--

This article mainly explains "how to achieve Webshell free from killing". Interested friends may wish to have a look at it. The method introduced in this paper is simple, fast and practical. Next, let the editor take you to learn "how to achieve Webshell free from killing"!

In a word, Trojan horse

The most commonly used in penetration testing is the combination of a back door (pony) and a Chinese kitchen knife. If there is some kind of WAF protection, look for a kill-free horse.

The most common php word Trojan horse

This one-sentence Trojan consists of two parts, and eval is used to execute the received code. $_ POST ['x'] to receive the value.

In line with this principle, try to rewrite the sentence Trojan horse around WAF.

Collected several commonly used php functions

Eval, assert, preg_replace that executes code

Receive $_ POST, $_ GET, $_ REQUEST of data

Php one sentence kill-free str_rot13 function

The str_rot13 function is used instead of assert. This function performs ROT13 encoding on the string. ROT13 coding is to move each letter 13 bits in the alphabet.

The test found that the safety dog could not be bypassed. Modify it.

You can bypass the safety dog.

Modify again, add the explode function to split the string, class wrapper class. Can bypass the D shield.

Array_map function

The array_map () function applies the function to each value in the array and returns a new array.

You can bypass the safety dog.

Array_key function

The array_key () function also returns a new array that contains the array.

The indexed array changes to an associative array.

You can bypass the safety dog and D shield.

Preg_replace function

A function used for regular matching.

/ e is used as php code parsing. Version 5.6 is practical below.

Tests can bypass safety dogs and D shields.

Preg_filter function

It is changed to a preg_filter function according to preg_replace, which is also used to perform regular matching substitution.

You can also bypass D shields and safety dogs.

Other

You can also bypass D shields and safety dogs.

Php is free from killing Malaysia.

I happen to have a php horse in my hand. But not without killing. Try to change the source code base64 encryption to php kill-free Malaysia.

Change the Malaysia eval function to exit or echo. Burp crawls the source code.

Copy the source code and the audit finds that there is a back door to the source code.

Base64 decode it.

Oh! You can do that.

Change the base64 address to your own vps address. Hee hee.

Now as long as the eval function can execute the string that passes base64.

WAF is very strict with base64_encode and base64_decode.

Continue to search, modify, write, and finally succeed.

Put the php Malaysia source code directly at code. That's it.

Php can also be modified to avoid killing a word Trojan horse.

Like this one.

Give me an interview.

Check to see if vps is receiving it.

At this point, I believe that everyone has a deeper understanding of "how to achieve Webshell free from killing", might as well come to the actual operation! Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.