By \u5496\u5561(k4kup8_0x4154_gmail.com)<\/p>\n
[\u76ee\u5f55]<\/p>\n
1. \u7b80\u8ff0
\n2. php\u7684\u6267\u884c\u6d41\u7a0b
\n3. php\u7684\u751f\u547d\u5468\u671f
\n4. php\u6e90\u4ee3\u7801\u5206\u6790\u4ee5\u53ca\u529f\u80fd\u6027\u4ee3\u7801\u7684\u5b9e\u73b0
\n5. \u603b\u7ed3
\n6. \u53c2\u8003\u8d44\u6599
\n\u4e00\u3001\u7b80\u8ff0<\/p>\n
\u4f9d\u636ephp\u7279\u5b9a\u8fd0\u884c\u73af\u5883\u3001php\u67d0\u4e9b\u7279\u5b9a\u51fd\u6570\u7f3a\u9677\u3001php\u666e\u901a\u51fd\u6570\u53ef\u4ee5\u5b9e\u73b0\u53d8\u5316\u591a\u7aef\u7684php
\nwebshell\uff0cphp\u7248\u672c\u7684scanwebshell\u4e5f\u4e0d\u662f\u592a\u7ed9\u529b\u3002php webshell\u529f\u80fd\u6700\u5927\u5316\u5c31\u662f\u5b9e\u73b0\u6587\u4ef6\u3001
\n\u76ee\u5f55\u3001\u547d\u4ee4\u3001\u6570\u636e\u5e93\u7b49\u64cd\u4f5c\uff0c\u8fd9\u4e9b\u90fd\u662f\u57fa\u4e8ephp\u4ee3\u7801\u5b9e\u73b0\u7684\u3002\u628a\u76f8\u5173\u529f\u80fd\u5316\u7684php\u51fd\u6570\u8fd0\u884c\u53c2
\n\u6570\u63d0\u53d6\u51fa\u6765\uff0c\u7136\u540e\u505a\u4e00\u4e2a\u5224\u65ad\uff0c\u8fd9\u6837\u5c31\u80fd\u4ece\u672c\u8d28\u4e0a\u9632\u8303php webshell\uff0c\u5728php\u8fd9\u4e2a\u5c42\u9762\u5b9e\u73b0
\n\u5176\u5b89\u5168\u7684\u6700\u5927\u5316\u3002\u8fd9\u91cc\u4ecb\u7ecd\u4e0b\u901a\u8fc7\u7f16\u5199php\u6269\u5c55\u6765\u5b9e\u73b0\u8fd9\u4e2a\u601d\u8def\uff0c\u5f53\u7136\u9700\u8981\u7684\u8bdd\u4e5f\u53ef\u4ee5\u91cd\u65b0
\n\u7f16\u8bd1php\u6e90\u4ee3\u7801\u6765\u5b9e\u73b0\u3002<\/p>\n
\u9996\u5148\u6211\u4eec\u4e86\u89e3\u4e0bphp\u7684\u6267\u884c\u6d41\u7a0b\u3001php\u751f\u547d\u5468\u671f\uff0c\u63a5\u4e0b\u6765\u901a\u8fc7\u5206\u6790\u5177\u4f53\u51fd\u6570\u7684php\u6e90\u4ee3\u7801
\n\u6765\u5b9e\u73b0\u529f\u80fd\u6027\u4ee3\u7801\u3002
\n\u4e8c\u3001php\u7684\u6267\u884c\u6d41\u7a0b<\/p>\n
2.1 scanner<\/p>\n
\u5c06PHP\u4ee3\u7801\u8f6c\u6362\u4e3aTokens\uff0c\u8be6\u89c1\u4ee3\u7801Zend\/zend_language_scanner.l\u3002<\/p>\n
2.2 parser<\/p>\n
\u5c06Tokens\u8f6c\u6362\u6210\u8868\u8fbe\u5f0f\uff0c\u8be6\u89c1\u4ee3\u7801Zend\/zend_language_parser.y\u3002<\/p>\n
2.3 compile<\/p>\n
\u5c06\u8868\u8fbe\u5f0f\u7f16\u8bd1\u6210opcode\u3002opcode\u5b58\u653e\u5728op_array\u4e2d\u3002<\/p>\n
2.4 execute<\/p>\n
Zend Engine\u8c03\u7528zend_execute\u6765\u6267\u884cop_array\uff0c\u8f93\u51fa\u7ed3\u679c\u3002<\/p>\n
\u4e09\u3001php\u7684\u751f\u547d\u5468\u671f<\/p>\n
3.1 STARTUP<\/p>\n
1\u3001\u521d\u59cb\u5316\u5f15\u64ce\u548c\u6838\u5fc3\u7ec4\u4ef6\u3002
\n2\u3001\u89e3\u6790php.ini\u3002
\n3\u3001\u521d\u59cb\u5316\u9759\u6001\u6784\u5efa\u7684\u6a21\u5757(MINIT)\u3002
\n4\u3001\u521d\u59cb\u5316\u5171\u4eab\u6a21\u5757(MINIT)\u3002<\/p>\n
3.2 ACTIVATION<\/p>\n
1\u3001\u521d\u59cb\u5316\u73af\u5883\u53d8\u91cf\u3001\u53d8\u91cf\u3002
\n2\u3001\u6fc0\u6d3b\u9759\u6001\u6784\u5efa\u7684\u6a21\u5757(RINIT) \u3002
\n3\u3001\u6fc0\u6d3b\u5171\u4eab\u6a21\u5757(RINIT) \u3002<\/p>\n
3.3 RUNTIME<\/p>\n
1\u3001\u7f16\u8bd1\u548c\u6267\u884cphp.ini\u4e2dauto_prepend_file\u9009\u9879\u6307\u5b9a\u7684\u6587\u4ef6\u3002
\n2\u3001\u7f16\u8bd1\u548c\u6267\u884c\u6240\u8bf7\u6c42\u7684\u6587\u4ef6\u3002
\n3\u3001\u7f16\u8bd1\u548c\u6267\u884cphp.ini\u4e2dauto_append_file\u9009\u9879\u6307\u5b9a\u7684\u6587\u4ef6\u3002<\/p>\n
3.4 DEACTIVATION<\/p>\n
1\u3001\u8c03\u7528\u7528\u6237\u6307\u5b9a\u7684\u9000\u51fa\u51fd\u6570\u3002
\n2\u3001\u9500\u6bc1\u5bf9\u8c61\u5b9e\u4f8b\u3002
\n3\u3001\u505c\u7528\u6a21\u5757(RSHUTDOWN)\u3002
\n4\u3001\u6e05\u7a7a\u8f93\u51fa\u3002
\n5\u3001\u6e05\u7406\u73af\u5883\u3002
\n6\u3001\u91ca\u653e\u5269\u4f59\u7684\u975e\u6301\u4e45\u5185\u5b58\u3002<\/p>\n
3.5 SHUTDOWN<\/p>\n
1\u3001\u5173\u95ed\u542f\u52a8\u7684\u5168\u90e8\u6a21\u5757(MSHUTDOWN)\u3002
\n2\u3001\u5173\u95ed\u5f15\u64ce\u3002<\/p>\n
\u56db\u3001php\u6e90\u4ee3\u7801\u5206\u6790\u4ee5\u53ca\u529f\u80fd\u6027\u4ee3\u7801\u7684\u5b9e\u73b0<\/p>\n
php\u51fd\u6570\u5206\u4e3a\u4e24\u79cd\uff1a\u4e00\u79cd\u662fZend\u7684\u51fd\u6570\uff0c\u8fd9\u7c7b\u51fd\u6570\u6570\u91cf\u6bd4\u8f83\u5c11\uff0c\u6bd4\u5982eval\u51fd\u6570\u3002\u7b2c\u4e8c\u79cd
\n\u662f\u7531PHP_FUNCTION\u5b8f\u7f16\u5199\u7684\uff0c\u8fd9\u7c7b\u51fd\u6570\u6570\u91cf\u6bd4\u8f83\u591a\uff0c\u6bd4\u5982system\u51fd\u6570\u3002\u5b9e\u73b0\u5bf9\u4e24\u7c7b\u51fd\u6570\u5728\u63d0
\n\u53d6\u8fd0\u884c\u65f6\u7684\u53c2\u6570\u7684\u65b9\u5f0f\u4e5f\u4e0d\u76f8\u540c\uff0c\u6bd4\u5982\u5904\u7406eval\u51fd\u6570\u7528\u91cd\u5199zend_compile_string\u7684\u65b9\u5f0f\uff0c
\n\u800c\u5904\u7406system\u51fd\u6570\u5219\u5bf9HashTable\u64cd\u4f5c\u3002\u4e0b\u8fb9\u5c31\u4ee5eval\u51fd\u6570\u548csystem\u51fd\u6570\u4e3a\u4f8b\u8fdb\u884c\u5206\u6790\u3001\u4ee3
\n\u7801\u5b9e\u73b0\u3002<\/p>\n
4.1 eval\u51fd\u6570\u4ee3\u7801\u5206\u6790\u4e0e\u4ee3\u7801\u5b9e\u73b0<\/p>\n
\u9996\u5148\u6211\u4eec\u770bphp\u6e90\u4ee3\u7801\u4e2deval\u51fd\u6570\u662f\u5982\u4f55\u5b9e\u73b0\u7684\uff0c\u90e8\u5206\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n
–code————————————————————————-
\n\/\/ PHPSRC\/Zend\/zend_vm_def.h<\/p>\n
if (inc_filename->type!=IS_STRING) {
\ntmp_inc_filename = *inc_filename;
\nzval_copy_ctor(&tmp_inc_filename);
\nconvert_to_string(&tmp_inc_filename);
\ninc_filename = &tmp_inc_filename;
\n}<\/p>\n
case ZEND_EVAL: {
\n\/* \u8c03\u7528zend_make_compiled_string_description\u51fd\u6570 *\/
\nchar *eval_desc = zend_make_compiled_string_description(“eval()”d code” TSRMLS_CC);
\n\/* \u8c03\u7528zend_compile_string\u51fd\u6570 *\/
\nnew_op_array = zend_compile_string(inc_filename, eval_desc TSRMLS_CC);
\nefree(eval_desc);
\n}
\n\/* \u6267\u884cop_array *\/
\nzend_execute(new_op_array TSRMLS_CC);<\/p>\n
\/\/PHPSRC\/Zend\/zend.c<\/p>\n
#define COMPILED_STRING_DESCRIPTION_FORMAT “%s(%d) : %s”
\nZEND_API char *zend_make_compiled_string_description(char *name TSRMLS_DC)
\n{
\nzend_spprintf(&compiled_string_description, 0, COMPILED_STRING_DESCRIPTION_FORMAT, cur_filename, cur_lineno, name);
\nreturn compiled_string_description; \/\/\u8fd4\u56de\u503c\u5305\u542b”eval()”d code”\u5b57\u7b26\u4e32
\n}<\/p>\n
\/\/PHPSRC\/Zend\/zend_compile.c<\/p>\n
ZEND_API zend_op_array *(*zend_compile_string)(zval *source_string, char *filename TSRMLS_DC);<\/p>\n
zend_compile_string\u4e00\u4e2a\u51fd\u6570\u6307\u9488\u3002\u4e0b\u8fb9\u770b\u4e0b\u5f15\u64ce\u521d\u59cb\u5316\u7684\u65f6\u5019\u5bf9zend_compile_string\u7684\u64cd\u4f5c\u3002<\/p>\n
int zend_startup(zend_utility_functions *utility_functions, char **extensions, int start_builtin_functions)
\n{
\nzend_compile_string = compile_string; \/\/\u5bf9zend_compile_string\u51fd\u6570\u7684\u5730\u5740\u8d4b\u503c
\n——————————————————————————-<\/p>\n
\u53ea\u8981\u68c0\u67e5op_array\u4e2d\u662f\u5426\u542b\u6709”eval()”d code”\u5b57\u7b26\u4e32\uff0c\u5c31\u80fd\u5224\u65ad\u662f\u5426\u662f\u5728\u6267\u884ceval\u51fd\u6570\u3002
\n\u5728\u5f15\u64ce\u521d\u59cb\u5316\u7684\u65f6\u5019\uff0c\u9ed8\u8ba4\u4f1a\u5c06compile_string\u51fd\u6570\u7684\u5730\u5740\u8d4b\u503c\u7ed9zend_compile_string\uff0c
\ncompile_string\u51fd\u6570\u5219\u8fd4\u56de\u4e00\u4e2a\u6307\u5411zend_op_array\u7684\u6307\u9488\u3002\u5982\u679c\u80fd\u5728php\u4ee3\u7801\u7f16\u8bd1\u4e4b\u524d\u5bf9
\nzend_compile_string\u8fdb\u884c\u91cd\u5199\uff0c\u90a3\u4e48\u5c31\u80fd\u8fbe\u5230\u52ab\u6301\u7684\u76ee\u7684\u3002\u6839\u636ephp\u7684\u751f\u547d\u5468\u671f\uff0c\u5bf9
\nzend_compile_string\u8fdb\u884c\u91cd\u5199\u5e94\u8be5\u653e\u5728STARTUP\u6216\u8005ACTIVATION\u8fd9\u4e24\u4e2a\u9636\u6bb5\uff0c\u800c\u7f16\u5199php\u6269
\n\u5c55\u6240\u4f7f\u7528\u5230\u7684PHP_MINIT_FUNCTION\u548cPHP_RINIT_FUNCTION\u5b8f\u5c31\u5206\u522b\u5904\u5728STARTUP\u548cACTIVATION
\n\u8fd9\u4e2a\u4e24\u4e2a\u9636\u6bb5\uff0c\u8fd9\u662f\u4e3a\u4ec0\u4e48\u5462\uff1f\u6211\u4eec\u5148\u770b\u4e0bphp.h\u4ee3\u7801\u4e2d\u5bf9PHP_MINIT_FUNCTION\u5b8f\u7684\u5b9a\u4e49\u3002<\/p>\n
–code————————————————————————-
\n#define PHP_MINIT_FUNCTION ZEND_MODULE_STARTUP_D
\n\/\/ZEND_MODULE_STARTUP_D\u5b9a\u4e49\u5728zend_API.h
\n#define ZEND_MODULE_STARTUP_D(module) int ZEND_MODULE_STARTUP_N(module)(INIT_FUNC_ARGS)
\n\/\/ZEND_MODULE_STARTUP_N\u5b9a\u4e49\u5728zend_API.h
\n#define ZEND_MODULE_STARTUP_N(module)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 zm_startup_##module
\n\/\/INIT_FUNC_ARGS\u5b9a\u4e49\u5728zend_modules.h
\n#define INIT_FUNC_ARGS int type, int module_number TSRMLS_DC
\n——————————————————————————-<\/p>\n
PHP_MINIT_FUNCTION(module)\u7684\u539f\u578b\u5c31\u662f\uff1a<\/p>\n
–code————————————————————————-
\nzm_startup_module(int type, int module_number TSRMLS_DC)
\n——————————————————————————-<\/p>\n
\u540c\u6837\u7684PHP_RINIT_FUNCTION(module)\u7684\u539f\u578b\u4e3a:<\/p>\n
–code————————————————————————-
\nzm_activate_module(int type, int module_number TSRMLS_DC)
\n——————————————————————————-<\/p>\n
\u5173\u4e8e\u5bf9eval\u51fd\u6570\u8fd0\u884c\u53c2\u6570\u622a\u53d6\u5206\u6790\u7684\u5b9e\u73b0\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n
–code————————————————————————-
\n#define OVECCOUNT 30
\n\/* \u5177\u4f53\u6b63\u5219\u8868\u8fbe\u5f0f\u8981\u6309\u7167\u5177\u4f53\u7684\u9700\u6c42\u6765\u5199\uff0c\u4e0b\u9762\u6b63\u5219\u4ec5\u4e3a\u6d4b\u8bd5\u7528 *\/
\n#define eval_regex_value\u00a0\u00a0 “(((chr\\(\\d*?\\)|base64_decode\\(|eval|gzinflate\\(|system|shell_exec|popen|pclose|proc_close|proc_get_status|proc_nice|proc_terminate|exec|passthru|show_source|escapeshellcmd|escapeshellarg system|shell_exec|popen|pclose|proc_open|proc_close|proc_get_status|proc_nice|proc_terminate|exec|passthru|show_source|escapeshellcmd|escapeshellarg)\\([{}”$\\w\\s]*?\\));).*?”<\/p>\n
static zend_op_array* (*old_compile_string)(zval *source_string, char *filename TSRMLS_DC);
\nstatic zend_op_array* safe_compile_string(zval *source_string, char *filename TSRMLS_DC);<\/p>\n
PHP_RINIT_FUNCTION(safe) \/\/PHP_MINIT_FUNCTION(safe)\u4e5f\u53ef
\n{
\nsafe_hook_execute();
\nreturn SUCCESS;
\n}<\/p>\n
PHP_RSHUTDOWN_FUNCTION(safe) \/\/PHP_MSHUTDOWN_FUNCTION(safe)\u4e5f\u53ef
\n{
\nsafe_unhook_execute();
\nreturn SUCCESS;
\n}<\/p>\n
int matchpattern(char *src, char *pattern, int i) \/\/\u6b63\u5219\u5339\u914d\u51fd\u6570
\n{
\npcre *re;
\nconst char *error;
\nint erroffset;
\nint ovector[OVECCOUNT];
\nint rc;
\nchar *substring_start;
\nint substring_length;
\nTSRMLS_FETCH();<\/p>\n
re = pcre_compile(pattern, PCRE_CASELESS|PCRE_DOTALL, &error, &erroffset, NULL);
\nif(re == NULL) {
\n\/\/printf(“PCRE compilation failed at offset %d: %s
\n“, erroffset, error);
\nreturn 1;
\n}<\/p>\n
rc = pcre_exec(re, NULL, src, strlen(src), 0, 0, ovector, OVECCOUNT);
\nif(rc >= 0) {
\nsubstring_start = src + ovector[2*i];
\nsubstring_length = ovector[2*i+1] – ovector[2*i];<\/p>\n
printf(“Match_result: %.*s
\n“, substring_length, substring_start);
\nprintf(“Filename\u00a0\u00a0\u00a0 : %-40s
\n“, zend_get_executed_filename(TSRMLS_C));
\nprintf(“Line\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : %-50i
\n“, zend_get_executed_lineno(TSRMLS_C));
\n}
\nfree(re);
\nreturn rc;
\n}<\/p>\n
static zend_op_array *safe_compile_string(zval *source_string, char *filename TSRMLS_DC)
\n{
\nchar *eval_strings;
\nint x;
\nzend_op_array *op_array;<\/p>\n
op_array = old_compile_string(source_string, filename TSRMLS_CC);<\/p>\n
\/* \u8fc7\u6ee4\u975eeval\u51fd\u6570 *\/
\nif(!strstr(op_array->filename, “eval()”d code”)) {
\nreturn old_compile_string(source_string, filename TSRMLS_CC);
\n}
\n\/* \u5c06source_string\u5b57\u7b26\u4e32\u8d4b\u503c\u7ed9eval_strings *\/
\neval_strings = estrndup(Z_STRVAL_P(source_string), Z_STRLEN_P(source_string));<\/p>\n
printf(“%s”,”
\n“);
\nprintf(“Function\u00a0\u00a0\u00a0 : %-40s
\n“, “eval”);
\nx = matchpattern(eval_strings, eval_regex_value, 1);
\nif (x < 0)
\n{
\nreturn old_compile_string(source_string, filename TSRMLS_CC);
\n}
\nelse if(x >= 0)
\nreturn FALSE;
\n}<\/p>\n
int safe_hook_execute()
\n{
\nold_compile_string = zend_compile_string;
\nzend_compile_string = safe_compile_string;
\nsystem_hook_system();\u00a0 \/\/\u5bf9\u5e94\u540e\u8fb9\u5bf9system\u51fd\u6570\u7684\u64cd\u4f5c
\nreturn TRUE;
\n}<\/p>\n
int safe_unhook_execute()
\n{
\nzend_compile_string = old_compile_string;
\nreturn TRUE;
\n}
\n——————————————————————————-<\/p>\n
4.2 system\u51fd\u6570\u4ee3\u7801\u5206\u6790\u4e0e\u4ee3\u7801\u5b9e\u73b0<\/p>\n
\u9996\u5148\u6211\u4eec\u770bphp\u6e90\u4ee3\u7801\u4e2dsystem\u51fd\u6570\u662f\u5982\u4f55\u5b9e\u73b0\u7684\uff0c\u90e8\u5206\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n
–code————————————————————————-
\n\/\/PHPSRCextstandardexec.c<\/p>\n
PHP_FUNCTION(system)
\n{
\n\/* \u8c03\u7528php_exec_ex\u51fd\u6570 *\/
\nphp_exec_ex(INTERNAL_FUNCTION_PARAM_PASSTHRU, 1);
\n}<\/p>\n
static void php_exec_ex(INTERNAL_FUNCTION_PARAMETERS, int mode)
\n{
\nchar *cmd;<\/p>\n
if (!ret_array) {
\n\/* \u8c03\u7528php_exec\u51fd\u6570 *\/
\nret = php_exec(mode, cmd, NULL, return_value TSRMLS_CC);
\n} else {
\nif (Z_TYPE_P(ret_array) != IS_ARRAY) {
\nzval_dtor(ret_array);
\narray_init(ret_array);
\n}
\nret = php_exec(2, cmd, ret_array, return_value TSRMLS_CC);
\n——————————————————————————-<\/p>\n
\u63a5\u4e0b\u6765\u770bphp_exec\u51fd\u6570\u7684\u5b9a\u4e49\u3002<\/p>\n
–code————————————————————————-
\nint php_exec(int type, char *cmd, zval *array, zval *return_value TSRMLS_DC)
\n{
\nchar *cmd_p, *b, *c, *d=NULL;<\/p>\n
if (PG(safe_mode)) {
\ncmd_p = php_escape_shell_cmd(d);
\nefree(d);
\nd = cmd_p;
\n} else {
\ncmd_p = cmd;<\/p>\n
#ifdef PHP_WIN32
\nfp = VCWD_POPEN(cmd_p, “rb”); \/\/\u8c03\u7528VCWD_POPEN\u51fd\u6570
\n——————————————————————————-<\/p>\n
\u63a5\u4e0b\u6765\u770bVCWD_POPEN\u51fd\u6570\u7684\u5b9a\u4e49\u3002<\/p>\n
–code————————————————————————-
\n\/\/TSRM srm_virtual_cwd.c<\/p>\n
#ifdef TSRM_WIN32 \/\/\u4ee5windows\u5e73\u53f0\u4e3a\u4f8b<\/p>\n
CWD_API FILE *virtual_popen(const char *command, const char *type TSRMLS_DC)
\n{
\nreturn popen_ex(command, type, CWDG(cwd).cwd, NULL);\/\/\u8c03\u7528popen_ex\u51fd\u6570
\n}
\n——————————————————————————-<\/p>\n
\u63a5\u4e0b\u6765\u770bpopen_ex\u51fd\u6570\u7684\u5b9a\u4e49\u3002<\/p>\n
–code————————————————————————-
\n\/\/TSRM srm_win32.c<\/p>\n
TSRM_API FILE *popen_ex(const char *command, const char *type, const char *cwd, char *env)
\n{
\nchar *cmd;<\/p>\n
cmd = (char*)malloc(strlen(command)+strlen(TWG(comspec))+sizeof(” \/c “));
\nsprintf(cmd, “%s \/c %s”, TWG(comspec), command);
\nif (!CreateProcess(NULL, cmd, &security, &security, security.bInheritHandle, NORMAL_PRIORITY_CLASS|CREATE_NO_WINDOW, env, cwd, &startup, &process)) {
\nreturn NULL;
\n}
\nfree(cmd);
\n——————————————————————————-<\/p>\n
\u4e0a\u8fb9\u662fsystem\u51fd\u6570\u6267\u884c\u7684\u53c2\u6570\u4f20\u9012\u7684\u8fc7\u7a0b\uff0c\u5728\u8fd9\u4e2a\u8fc7\u7a0b\u4e2d\u5982\u679c\u53ef\u4ee5\u622a\u53d6\u51fd\u6570\u6267\u884c\u7684\u53c2\u6570
\n\u7684\u8bdd\uff0c\u5c31\u53ef\u4ee5\u5206\u6790\u53c2\u6570\u662f\u5426\u5305\u542b\u5371\u9669\u7684\u5173\u952e\u5b57\u3002\u4e3a\u4e86\u65b9\u4fbf\u7f16\u5199\u6269\u5c55\u7a0b\u5e8f\uff0c\u6211\u4eec\u76f4\u63a5\u5728exec.c
\n\u4e2dphp_exec\u51fd\u6570\u4e2d\u6dfb\u52a0\u622a\u53d6\u4ee3\u7801\uff0c\u4e5f\u5c31\u662f\u5728php_exec_ex\u51fd\u6570\u8c03\u7528php_exec\u51fd\u6570\u4e4b\u524d\u7684\u4f4d\u7f6e\u3002
\n\u6dfb\u52a0\u5982\u4e0b\u4ee3\u7801\u5373\u53ef\u83b7\u53d6\u6267\u884c\u7684\u53c2\u6570\uff1a<\/p>\n
–code————————————————————————-
\nx = matchpattern(cmd, system_regex_value, 0);\/\/\u8c03\u7528\u6b63\u5219\u51fd\u6570\u8fdb\u884c\u5224\u65ad
\nif(x >= 0) RETURN_FALSE;
\n——————————————————————————-<\/p>\n
\u4e0b\u8fb9\u6211\u4eec\u5206\u6790\u600e\u4e48\u5b9e\u73b0\u5bf9system\u51fd\u6570\u7684\u91cd\u5199\uff0c\u8fd9\u91cc\u4e3b\u8981\u53c2\u7167main.c\u6587\u4ef6\u4e2d\u5b9e\u73b0php.ini
\n\u4e2ddisable_functions\u529f\u80fd\u7684php_disable_functions\u51fd\u6570\uff0c\u5b83\u8c03\u7528\u4e86zend_disable_function\u3002<\/p>\n
–code————————————————————————-
\nZEND_API int zend_disable_function(char *function_name, uint function_name_length TSRMLS_DC)
\n{
\nif (zend_hash_del(CG(function_table), function_name, function_name_length+1)==FAILURE) {
\nreturn FAILURE;
\n}
\ndisabled_function[0].fname = function_name;
\nreturn zend_register_functions(NULL, disabled_function, CG(function_table), MODULE_PERSISTENT TSRMLS_CC);
\n}
\n——————————————————————————-<\/p>\n
\u540c\u6837\u6211\u4eec\u53ef\u4ee5\u7528zend_hash_del\u51fd\u6570\u5c06system\u4ecefunction_table\u4e2d\u5220\u9664\uff0c\u7136\u540e\u6ce8\u518c\u65b0\u7684
\nzend\u51fd\u6570\uff0c\u4ee5\u8fbe\u5230\u5bf9system\u51fd\u6570\u52ab\u6301\u7684\u76ee\u7684\u3002<\/p>\n
system\u4f5c\u4e3a\u4e00\u4e2a\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\u7684\u51fd\u6570\uff0c\u5728\u8fd9\u91cc\u8fdb\u884c\u4e86\u7981\u7528\u64cd\u4f5c\uff0c\u6ca1\u6709\u4f7f\u7528\u6b63\u5219\u5904\u7406\u51fd\u6570
\n\u8fdb\u884c\u53c2\u6570\u7684\u68c0\u67e5\uff0c\u5f53\u7136\u4e5f\u53ef\u4ee5\u6839\u636e\u5177\u4f53\u7684\u9700\u6c42\u8fdb\u884c\u5177\u4f53\u7684\u64cd\u4f5c\u3002<\/p>\n
\u5b9e\u73b0\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n
–code————————————————————————-
\n\/* \u58f0\u660e\u5bfc\u51fa\u51fd\u6570 *\/
\nPHP_FUNCTION(system1)
\n{
\nprintf(“%s”,”
\n“);
\nprintf(“Function\u00a0\u00a0\u00a0 : %-40s
\n“, “system”);
\nprintf(“Filename\u00a0\u00a0\u00a0 : %-40s
\n“, zend_get_executed_filename(TSRMLS_C));
\nprintf(“Line\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : %-50i
\n“, zend_get_executed_lineno(TSRMLS_C));
\nprintf(“%s”,”system function is disabled.”);
\n}<\/p>\n
\/* \u58f0\u660e Zend \u51fd\u6570\u5757 *\/
\nzend_function_entry hook_system_functions[] = {
\nPHP_FALIAS(system, system1, NULL) \/\/ \u521b\u5efasystem\u522b\u540d
\n{NULL, NULL, NULL}
\n};<\/p>\n
\/* \u521b\u5efasystem hook\u51fd\u6570 *\/
\nint safe_hook_system()
\n{
\nTSRMLS_FETCH();
\n\/* \u5220\u9664function_table\u4e2d\u7684system\u51fd\u6570 *\/
\nzend_hash_del(CG(function_table), “system”, sizeof(“system”));<\/p>\n
\/* \u6ce8\u518c\u65b0zend\u51fd\u6570 *\/
\n#ifndef ZEND_ENGINE_2
\nzend_register_functions(hook_system_functions, NULL, MODULE_PERSISTENT TSRMLS_CC);
\n#else
\nzend_register_functions(NULL, hook_system_functions, NULL, MODULE_PERSISTENT TSRMLS_CC);
\n#endif
\nreturn 0;
\n}
\n——————————————————————————-<\/p>\n
4.3 demo\u8fd0\u884c\u6548\u679c<\/p>\n
4.3.1 \u52a0\u8f7dphp\u6269\u5c55<\/p>\n
——————————————————————————-
\nC:phpext>type php.ini | findstr “^extension=”
\nextension=php_safe.dll<\/p>\n
C:phpext>php 3.php<\/p>\n
Function\u00a0\u00a0\u00a0 : system
\nFilename\u00a0\u00a0\u00a0 : C:phpext3.php
\nLine\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 3<\/p>\n
system function is disabled.<\/p>\n
Function\u00a0\u00a0\u00a0 : eval
\nMatch_result: exec(“ver”);
\nFilename\u00a0\u00a0\u00a0 : C:phpext3.php
\nLine\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 9
\n——————————————————————————-<\/p>\n
4.3.2 \u4e0d\u52a0\u8f7dphp\u6269\u5c55<\/p>\n
——————————————————————————-
\nC:phpext>type php.ini | findstr “^extension=”<\/p>\n
C:phpext>php 3.php<\/p>\n
Microsoft Windows XP [\u7248\u672c 5.1.2600]
\n——————————————————————————-<\/p>\n
\u4e94\u3001\u603b\u7ed3<\/p>\n
\u5b9e\u73b0php webshell\u7684\u529f\u80fd\u6027\u51fd\u6570\u4f17\u591a\uff0c\u6211\u4eec\u505a\u5230\u63a7\u5236\u5173\u952e\u6027\u7684\u51fd\u6570\u8db3\u4ee5\u3002\u5f53\u7136\u5b9e\u73b0\u51fd\u6570
\n\u622a\u53d6\u8981\u6839\u636e\u51fd\u6570\u7684\u60c5\u51b5\u8fdb\u884c\u4e00\u4e00\u7684\u5206\u6790\uff0c\u7136\u540e\u505a\u76f8\u5e94\u7684\u5224\u65ad\u3002<\/p>\n
\u6700\u540e\u8981\u611f\u8c22\u4e0bSuperHei\uff0c\u6587\u7ae0\u4e0d\u8db3\u4e4b\u5904\u8bf7\u65a7\u6b63\u3002<\/p>\n
\u516d\u3001\u53c2\u8003\u8d44\u6599<\/p>\n
[1] php\u6e90\u4ee3\u7801\u00a0 http:\/\/www.php.net
\n[2] PHP Extension Writing http:\/\/talks.somabo.de\/200903_montreal_php_extension_writing.pdf<\/p>\n
-EOF-<\/p>\n","protected":false},"excerpt":{"rendered":"
By \u5496\u5561(k4kup8_0x4154_gmail.com) [\u76ee\u5f55] 1. \u7b80 …<\/p>\n