Shulou(Shulou.com)06/03 Report--

This article mainly shows you the "example analysis of a Trojan horse in PHP", which is easy to understand and well organized. I hope it can help you solve your doubts. Let me lead you to study and learn the article "sample analysis of a Trojan horse in PHP".

What is a word Trojan horse?

In a word, a Trojan horse is a Trojan horse that needs only one line of code, and a short line of code can achieve the same function as a horse. In order to bypass waf detection, the Trojan horse has numerous deformations, but the essence is the same: the Trojan function executes the commands we send.

How do we send commands and how do we execute them?

We can submit data to a website through GET, POST and COOKIE. In one sentence, the Trojan receives the data we pass with $_ GET ['], $_ POST ['] and $_ COOKIE ['], and passes the received data to the function in the sentence Trojan that executes the command.

So most of the classic Trojans have only two parts, one is the function part that can execute the code, and the other is the part that receives data.

For example:

Where eval is the function that executes the command, and $_ POST ['a'] is the data received. The eval function executes the received data as PHP code. In this way, we can make the website with a word Trojan execute any PHP statement we passed in the past. This is the power of a Trojan horse.

Because the Trojan receives the data of "a" in the post request ($_ POST ['a']), we must send the data in the post method and assign the code we want to execute to "a". If we replace the post in the Trojan with get, then we need to send "a" in the GET method, (like this: http://127.0.0.1/test.php?a=phpinfo();) and I won't demonstrate it any more.

Use other functions to make a sentence Trojan assert function create_function function

Generate a function fun () from the data passed by the user, and then execute fun ()

Call_user_func callback function

Call_user_func this function can call other functions, the called function is the first function of call_user_func, and the parameter of the called function is the second argument of call_user_func. Such a sentence can also complete a sentence Trojan horse. Some Trojans intercepted by waf can work with this function to bypass waf.

Preg_replace function

This function is supposed to replace qualified strings with regular expressions, but this function has one function-executable commands. The first argument to this function is a regular expression, which, in PHP format, is between two "/" s. If we add "e" to the end of the expression, the second parameter of the function will be executed as code.

File_put_contents function

Using function to generate Trojan Horse

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.