Home  >  Article  >  Operation and Maintenance  >  Use the new features of php7 to bypass the anti-killing rules

Use the new features of php7 to bypass the anti-killing rules

王林
王林forward
2020-03-04 10:45:203216browse

Use the new features of php7 to bypass the anti-killing rules

Recently I have been studying webshell anti-virus, and I have come up with a novel point of my experience. The reason is that I suddenly thought that since php7.1 cannot use the assert of variable functions, then use the new features of php7 to bypass the anti-killing rules, and finally bypass a certain shield and "a certain d0g".

The experimental environment is in 7.1.9, and all horses cannot be used in environments below php7.

D Shield Rule Base (latest): 20191227

Because a certain d0g may cause infringement by testing its products, in order to prevent being reported, the picture will not be posted.

Pre-experiment

a certain shield

First the following code

Use the new features of php7 to bypass the anti-killing rules

Use the new features of php7 to bypass the anti-killing rules

A direct false alarm.

Therefore, it is unrealistic to directly pass parameters into eval.

So next we have to use functions and cooperate with new features of PHP to bypass it.

A certain d0g

As for a certain d0g, as long as the following code

Use the new features of php7 to bypass the anti-killing rules

will cause it to report falsely.

Therefore, when writing a horse-free game, the variables in post should not appear in the string in eval. Just like `b` above, although it appears as a variable in `eval`. With this foundation in mind, we can get to the point.

PHP7.0.x

[php manual-php7.0.x new features]( https://www.php.net/manual/zh/migration70.new-features.php )

Return value type declaration

php7 adds support for return value type declaration. Just add a `:type` when defining a function.

For example:

Use the new features of php7 to bypass the anti-killing rules

# means that the function return value type must be int. Otherwise, it will be forced to convert or a syntax error will be displayed.

If the anti-virus software with this feature is not updated, this function will not be recognized and it will be bypassed.

For example:

Use the new features of php7 to bypass the anti-killing rules

#You can use anti-virus software to test it.

Use the new features of php7 to bypass the anti-killing rules

Found not detected.

Use the new features of php7 to bypass the anti-killing rules

can use.

null coalescing operator

Due to the large number of situations where ternary expressions and `isset()` are used simultaneously in daily use, the null coalescing operator (*??*) is added. Syntactic sugar. If the variable exists and its value is not **`NULL`**, it will return its own value, otherwise it will return its second operand

Simply put:

Use the new features of php7 to bypass the anti-killing rules

How to use `? ? ` symbol, the killing software will not understand this processing process, which may lead to bypass.

Just like the following code, you can bypass a certain d0g

Use the new features of php7 to bypass the anti-killing rules

and then use the function call

Use the new features of php7 to bypass the anti-killing rules

Use the new features of php7 to bypass the anti-killing rules

You can find that you have passed the D shield

Test the usability

Use the new features of php7 to bypass the anti-killing rules

##Let’s take a look at the features of 7.1

php7.1.x

[php manual-php7.0.x new features]( https://www.php.net/manual/zh/migration71.new-features.php )

Nullable types

The types of parameters and return values ​​can now be nullable by adding a question mark before the type. When this feature is enabled, the parameters passed in or the result returned by the function are either of the given type or null .

There are more features than 7.1 `? `If ​​the function return value is not of the given type, it will be empty.

Use the same code:

Use the new features of php7 to bypass the anti-killing rules

No surprises

Use the new features of php7 to bypass the anti-killing rules

Passed D shield

Short array syntax

The short array syntax ([]) is now a fallback for the list() syntax option, which can be used to assign the value of the array to some variables (including in foreach).

Here, a list of square brackets `[] type` is used for demonstration.

Use the new features of php7 to bypass the anti-killing rules

In this way, the values ​​of the array are assigned to ` $c`, `$d`.`$c='a';$d='b' ;`

In this way, you can use this rarely used feature to bypass static killing

First write the simplest one:

Use the new features of php7 to bypass the anti-killing rules

Then we passed a certain d0g. Test it yourself.

After that, you can match the function. Like this:

Use the new features of php7 to bypass the anti-killing rules

Check it

Use the new features of php7 to bypass the anti-killing rules

Test availability

Use the new features of php7 to bypass the anti-killing rules

list() now supports key names

Official description: list() and its new [] syntax now support specifying key names within it. This means that it can assign any type of array to some variables (similar to the short array syntax)

This is very confusing, you may understand it after looking at the example.

eg:

Use the new features of php7 to bypass the anti-killing rules

You can pass a certain d0g with a little modification (self-test):

Use the new features of php7 to bypass the anti-killing rules

Try D Shield

Use the new features of php7 to bypass the anti-killing rules

Reported Level 1

Use the custom function again.

Use the new features of php7 to bypass the anti-killing rules

Use the new features of php7 to bypass the anti-killing rules

Passed D successfully to test the usability.

Use the new features of php7 to bypass the anti-killing rules

Support negative string offsets

Official description

Now all string operation functions that support offsets Supports accepting negative numbers as offsets, including operating string subscripts via [] or {}. In this case, a negative offset is understood as an offset from the end of the string.

In versions less than 7.1, negative offsets return an empty string.

eg:

Use the new features of php7 to bypass the anti-killing rules

Returns `s` in 7.1.x, but returns ` string(0) "" in previous versions `

Idea: We can split the string so that the rules cannot be recognized. Finally, use the variable variables of PHP:

Use the new features of php7 to bypass the anti-killing rules

so that you can pass a certain d0g. But for D shield, splicing characters and variable variables will be recognized. Reporting level 1 `suspicious files`, I have to say that this is really done very well.

End

In fact, there are many features, such as `defining a constant array through define()`, which can also be bypassed by analogy. And not only custom functions, but also classes, variable variables, etc. can be used to bypass static killing.

You can also use the `spaceship operator (combined comparison operator)`, `integer division function intdiv()`, etc. to bypass dynamic killing.

For more related articles, please pay attention to the web server security column of php Chinese website!

The above is the detailed content of Use the new features of php7 to bypass the anti-killing rules. For more information, please follow other related articles on the PHP Chinese website!

Statement:
This article is reproduced at:开发者热榜. If there is any infringement, please contact admin@php.cn delete