²Ëµ¶Á÷Á¿ÌØÕ÷

×î×îÏÈÊÇÃ÷ÎÄ´«Êä
£¬Øʺó½ÓÄÉbase64¼ÓÃÜ£º

PHPÀàWebShellÁ´½ÓÁ÷Á¿

ÈçÏ£º

µÚÒ»£º¡°eval¡±
£¬evalº¯ÊýÓÃÓÚÖ´ÐÐת´ïµÄ¹¥»÷payload
£¬ÕâÊDZز»¿ÉÉٵģ»

µÚ¶þ£º(base64_decode($_POST[z0]))
£¬(base64_decode($_POST[z0]))½«¹¥»÷payload¾ÙÐÐBase64½âÂë
£¬ÓÉÓڲ˵¶Ä¬ÈÏÊÇʹÓÃBase64±àÂë
£¬ÒÔ×èÖ¹±»¼ì²â£»

µÚÈý£º&z0=QGluaV9zZXQ...
£¬¸Ã²¿·ÖÊÇת´ï¹¥»÷payload
£¬´Ë²ÎÊýz0¶ÔÓ¦$_POST[z0]ÎüÊÕµ½µÄÊý¾Ý
£¬¸Ã²ÎÊýÖµÊÇʹÓÃBase64±àÂëµÄ
£¬ÒÔÊÇ¿ÉÒÔʹÓÃbase64½âÂë¿ÉÒÔ¿´µ½¹¥»÷Ã÷ÎÄ¡£

×¢£º

1.ÓÐÉÙÊýʱ¼äevalÒªÌå»á±»assertÒªÁìÌæ»»¡£

2.$_POSTÒ²»á±»$_GET¡¢$_REQUESTÌæ»»¡£

3.z0ÊDz˵¶Ä¬ÈϵIJÎÊý
£¬Õâ¸öµØ·½Ò²ÓпÉÄܱ»ÐÞ¸ÄΪÆäËû²ÎÊýÃû¡£

ÒϽ££¨PHPÓÃbase64¼ÓÃÜ£©£º

PHPÀàWebShellÁ´½ÓÁ÷Á¿

½«ÒϽ£µÄÕýÎÄÄÚÈݾÙÐÐURL½âÂëºó
£¬Á÷Á¿×îÖÐÏÔ×ŵÄÌØÕ÷Ϊ@ini_set("display_errors","0");Õâ¶Î´úÂë»ù±¾ÊÇËùÓÐWebShell¿Í»§¶ËÁ´½ÓPHPÀàWebShell¶¼ÓеÄÒ»ÖÖ´úÂë
£¬¿ÉÊÇÓеĿͻ§¶Ë»á½«Õâ¶Î±àÂë»òÕß¼ÓÃÜ
£¬¶øÒϽ£ÊÇÃ÷ÎÄ
£¬ÒÔÊǽϺ÷¢Ã÷
£¬Í¬Ê±ÒϽ£Ò²ÓÐevalÕâÖÖÏÔ×ŵÄÌØÕ÷¡£

ÒϽ£ÈƹýÌØÕ÷Á÷Á¿

ÓÉÓÚÒϽ£ÖаüÀ¨ÁËÐí¶à¼ÓÃÜ¡¢Èƹý²å¼þ
£¬ÒÔÊǵ¼ÖÂÐí¶àÁ÷Á¿±»¼ÓÃܺóÎÞ·¨Ê¶±ð
£¬¿ÉÊÇÒϽ£»ìÏý¼ÓÃܺóÉÐÓÐÒ»¸ö½ÏÁ¿ÏÔ×ŵÄÌØÕ÷
£¬¼´Îª²ÎÊýÃû´ó¶àÒÔ¡°_0x.....=¡±ÕâÖÖÐÎʽ£¨Ï»®Ïß¿ÉÌ滻ΪÆäËû£©ÒÔÊÇ
£¬ÒÔ_0x¿ªÍ·µÄ²ÎÊýÃû
£¬ºóÃæΪ¼ÓÃÜÊý¾ÝµÄÊý¾Ý°üÒ²¿Éʶ±ðΪÒϽ£µÄÁ÷Á¿ÌØÕ÷¡£

±ùЫ£¨AES¶Ô³Æ¼ÓÃÜ£©£º

ͨ¹ýHTTPÇëÇóÌØÕ÷¼ì²â

1¡¢±ùЫÊý¾Ý°ü×ÜÊÇÅãͬ×Å´ó×ÚµÄcontent-type£ºapplicationʲôʲô
£¬ÎÞÂÛGETÕÕ¾ÉPOST
£¬ÇëÇóµÄhttpÖÐ
£¬content-typeΪapplication/octet-stream£»

2¡¢±ùЫ3.0ÄÚÖõÄĬÈÏÄÚÖÃ16¸öua£¨user-agent£©Í·

3¡¢content-length ÇëÇ󳤶È
£¬¹ØÓÚÉÏ´«Îļþ
£¬ÏÂÁîÖ´ÐÐÀ´½²
£¬¼ÓÃܵIJÎÊýδ±Ø³¤¡£¿ÉÊǹØÓÚÃÜÔ¿½»»¥
£¬»ñÈ¡»ù±¾ÐÅÏ¢À´½²
£¬payload¶¼Îª¶¨³¤

¸ç˹À­£¨base64¼ÓÃÜ£©£º

ÌØÕ÷¼ì²â

1¡¢·¢ËÍÒ»¶ÎÀο¿´úÂ루payload£©
£¬httpÏìӦΪ¿Õ

2¡¢·¢ËÍÒ»¶ÎÀο¿´úÂ루test£©
£¬Ö´ÐÐЧ¹ûΪÀο¿ÄÚÈÝ

3¡¢·¢ËÍÒ»¶ÎÀο¿´úÂ루getBacisInfo£©

¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª

°æȨÉùÃ÷£º±¾ÎÄΪCSDN²©Ö÷µÄÔ­´´ÎÄÕÂ
£¬×ñÕÕCC 4.0 BY-SA°æȨЭÒé
£¬×ªÔØÇ븽ÉÏÔ­ÎÄÀ´ÓÉÁ´½Ó¼°±¾ÉùÃ÷¡£

Ô­ÎÄÁ´½Ó£ºhttps://blog.csdn.net/eternitymd/article/details/124492261