Using the new features of PHP 7 to bypass anti-virus detection rules

王林, 2020-03-04 10:45:20

Recently I have been studying webshell anti-virus evasion, and I want to share one new idea from that work. It started when I suddenly thought that, since PHP 7.1 can no longer use assert as a variable function, the new features of PHP 7 could be used to bypass the detection rules instead; in the end this bypassed a certain shield and "a certain d0g".

The test environment is PHP 7.1.9, and none of the webshells here can be used in environments below PHP 7.

D Shield Rule Base (latest): 20191227

Because publishing tests of a certain d0g's product might be treated as infringement, no screenshots of it are posted, to avoid being reported.

Preliminary tests

A certain shield

Start with the following code:

[image not preserved]

It is reported straight away.

So passing parameters directly into eval is not realistic.

Next we have to combine functions with the new PHP features to bypass it.

A certain d0g

As for a certain d0g, the following code is enough to make it report:

[image not preserved]

So when writing a detection-evading webshell, the variables taken from POST should not appear in the string passed to `eval`, as with `b` above, even though it appears as a variable in `eval`. With this groundwork in place, we can get to the point.

PHP7.0.x

[php manual-php7.0.x new features](https://www.php.net/manual/zh/migration70.new-features.php)

Return value type declaration

PHP 7 adds support for return type declarations. Just add `:type` when defining a function.

For example:

[image not preserved]

This means the function's return value must be of type int; otherwise it is forcibly converted or a syntax error is displayed.

If the anti-virus software has not been updated for this feature, it will not recognize the function, and detection is bypassed.

For example:

[image not preserved]

You can test it with anti-virus software.

[image not preserved]

It is not detected.

[image not preserved]

It is usable.

Null coalescing operator

Because ternary expressions and `isset()` are so often used together in everyday code, the null coalescing operator (`??`) was added as syntactic sugar. If the variable exists and its value is not **`NULL`**, it returns that value; otherwise it returns its second operand.

Simply put:

[image not preserved]

When the `??` operator is used, the anti-virus software may not understand this processing, which may lead to a bypass.

Code like the following bypasses a certain d0g:

[image not preserved]

Then use a function call:

[image not preserved]

You will find that it passes D Shield.

Test the usability:

[image not preserved]

Now let's take a look at the features of 7.1.

PHP7.1.x

[php manual-php7.1.x new features](https://www.php.net/manual/zh/migration71.new-features.php)

Nullable types

The types of parameters and return values can now be made nullable by adding a question mark before the type. When this feature is enabled, the parameter passed in or the result returned by the function is either of the given type or null.

The difference in 7.1 is the extra `?`: if the function return value is not of the given type, it will be empty.

Using the same code:

[image not preserved]

No surprises:

[image not preserved]

It passes D Shield.

Short array syntax

The short array syntax (`[]`) can now be used as an alternative to the `list()` syntax to assign the values of an array to variables (including within `foreach`).

Here the square-bracket `[]` form is used for demonstration.

[image not preserved]

This assigns the values of the array to `$c` and `$d`, i.e. `$c='a'; $d='b';`.

In this way, this rarely used feature can be used to bypass static detection.

First, the simplest version:

[image not preserved]

This passes a certain d0g. Test it yourself.

After that, you can combine it with a function, like this:

[image not preserved]

Scan it:

[image not preserved]

Test the usability:

[image not preserved]

list() now supports key names

Official description: `list()` and its new `[]` syntax now support specifying keys. This means an array of any type can be assigned to variables (similar to the short array syntax).

This is confusing, but it should become clear after looking at the example.

E.g.:

[image not preserved]

With a little modification it passes a certain d0g (test it yourself):

[image not preserved]

Try D Shield:

[image not preserved]

It reports level 1.

Use the custom function again:

[image not preserved]

It passes D Shield. Test the usability:

[image not preserved]

Support negative string offsets

Official description:

All string functions that support offsets now accept negative numbers as offsets, including string indexing via `[]` or `{}`. In this case, a negative offset is interpreted as an offset from the end of the string.

In versions below 7.1, a negative offset returns an empty string.

E.g.:

[image not preserved]

This returns `s` in 7.1.x, but `string(0) ""` in previous versions.

Idea: split the string so that the rules cannot recognize it, and finally use PHP's variable variables:

[image not preserved]

This passes a certain d0g. D Shield, however, recognizes the character splicing and the variable variables and reports level 1 `suspicious files`; I have to say that this is really done very well.

End

In fact there are many more features, such as defining a constant array through `define()`, that can be used for bypasses in the same way. And not only custom functions: classes, variable variables and so on can also be used to bypass static detection.

You can also use the spaceship operator (combined comparison operator), the integer division function `intdiv()` and so on to bypass dynamic detection.
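From the defender's side, the common thread above is that a rule tied to one spelling of the path from input to `eval` misses the next spelling. The following added example (not from the original article) triages a PHP file on what it contains, request input and a dynamic-execution construct, without parsing anything in between; the names `SOURCES`, `SINKS`, `INDIRECT`, `strip_noise` and `triage` and the keyword lists are assumptions, and the samples are constructed and deliberately inert.

```python
import re
# Assumed, non-exhaustive lists; extend them for the code base being scanned.
SOURCES = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|FILES)\b|php://input")
SINKS = re.compile(r"\b(eval|assert|create_function|system|passthru|"
                   r"shell_exec|popen|proc_open)\s*\(", re.I)
INDIRECT = re.compile(r"\$+(?:\w+|\{[^}]*\})\s*\(")  # call through a variable
# String literals and comments; heredocs and inline HTML are not parsed.
NOISE = re.compile(r"""(?P<str>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")
                     |(?P<com>/\*.*?\*/|(?://|\#)[^\n]*)""", re.S | re.X)

def strip_noise(php, keep_strings=False):
    """Blank out comments, and string literals too unless keep_strings is set."""
    return NOISE.sub(
        lambda m: m.group() if keep_strings and m.group("str") else " ", php)

def triage(php):
    """Return (level, sinks); the verdict ignores how input would reach a sink."""
    code = strip_noise(php)
    # Sources are searched with strings kept: "$_POST[x]" interpolates in PHP.
    has_source = bool(SOURCES.search(strip_noise(php, keep_strings=True)))
    sinks = sorted({m.group(1).lower() for m in SINKS.finditer(code)})
    if has_source and sinks:
        return "high", sinks
    if has_source and INDIRECT.search(code):
        return "medium", sinks
    return ("low" if sinks else "none"), sinks

# Constructed, inert samples: none passes request data to an execution sink.
SAMPLES = {
    "php7_syntax.php": """<?php
function label($s): ?string { return $s; }
[$a, $b] = [$_POST['a'] ?? '', 'x'];
echo htmlspecialchars(label($a));
eval('return 1;');
""",
    "form.php": """<?php
// never write eval($_GET['x'])
$msg = "do not use eval(...)";
$name = $_GET['name'] ?? 'guest';
echo htmlspecialchars($name);
""",
    "dispatch.php": """<?php
$h = $handlers[$_POST['op'] ?? 'noop'] ?? 'noop';
$h();
""",
}
if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, *triage(src))
```

The `high` verdict on `php7_syntax.php` is a false positive by construction: that is the cost of a check that does not depend on the scanner understanding return types, `??` or destructuring, so its output is a review queue rather than a block list.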

Statement:
This article is reproduced from 开发者热榜. If there is any infringement, please contact admin@php.cn to have it deleted.