关于php对抗安全软件(总结)
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">日前</span>日期为2018-05-10,php版本<span style="color: black;">日前</span>总共分为3大类,php5.x,php7.x,以及之php5.x之前版本。而<span style="color: black;">日前</span>市场多用于php5.x以及php7.x。</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">本文仅讨论php5.x与php7.x。<span style="color: black;">初期</span>php4.x中 ZendEngine 1.0 API并不在讨论范围。</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><strong style="color: blue;"><span style="color: black;"><span style="color: black;">文案</span>将围绕几个<span style="color: black;">专题</span>来对抗安全软件:</span></strong></span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">php本身的变形,加密等<span style="color: black;">是不是</span><span style="color: black;">能够</span>完全胜任一个优秀的backdoor,并且对抗安全软件。</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">怎样</span>将<span style="color: black;">拜访</span>.php,的协议转换来对抗waf,<span style="color: black;">例如</span>http,转化tcp,tcp->tcp方式触发后门</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">思虑</span>backdoor本身的特性,<span style="color: black;">增多</span>标签,如标签1临时性,标签2<span style="color: black;">连续</span>性(<span style="color: black;">例如</span>标签1用户菜刀的连接,查看<span style="color: black;">目的</span>数据库<span style="color: black;">或</span>backdoor服务器本身的其他文件等。标签2来触发<span style="color: black;">连续</span>性渗透,<span style="color: black;">例如</span>无缝连接msf,Cobalt Strike等)</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">思虑</span><span style="color: black;">怎样</span>在<span style="color: black;">目的</span>服务器无文件残留来留有可<span style="color: black;">连续</span>性后门</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">实用性与实战性,<span style="color: black;">例如</span><span style="color: black;">目的</span>机不出网。<span style="color: black;">那样</span>该后门<span style="color: black;">是不是</span><span style="color: black;">能够</span><span style="color: black;">处理</span><span style="color: black;">目的</span>机在不出网的前提下,带入第三方渗透框架(如msf,Cobalt Strike等)</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">针对性自定义<span style="color: black;">敏锐</span><span style="color: black;">目的</span>的<span style="color: black;">敏锐</span>数据。(如<span style="color: black;">目的</span><span style="color: black;">运用</span>wordpress,<span style="color: black;">怎样</span>在不修改<span style="color: black;">目的</span>机php登录源码来可<span style="color: black;">连续</span>性劫持明文<span style="color: black;">秘码</span>)</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">backdoor的市场性质与私用性质</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">总结</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><img src="https://mmbiz.qpic.cn/mmbiz_jpg/5u08OUQmyqczlZsascKZueozSHcib2mQpqQFgY1LJNWibBwhey3bIjjb1XR3yTc3UzKwtRrQ80Keh3QxJvCF7SHQ/640?wx_fmt=jpeg&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><strong style="color: blue;"><span style="color: black;">无</span><span style="color: black;">论</span><span style="color: black;">是哪个版本的</span><span style="color: black;">php</span><span style="color: black;">,它的引擎都<span style="color: black;">海量</span>的<span style="color: black;">运用</span>了</span><span style="color: black;">HashTable</span><span style="color: black;">,<span style="color: black;">倘若</span></span><span style="color: black;">说</span><span style="color: black;">php</span><span style="color: black;">是最好的</span><span style="color: black;">语</span><span style="color: black;">言之一,<span style="color: black;">那样</span><span style="color: black;">必定</span>是在</span><span style="color: black;">说</span><span style="color: black;">HashTable</span><span style="color: black;">。</span></strong></span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><strong style="color: blue;"><span style="color: black;">期</span><span style="color: black;">间补</span><span style="color: black;">充<span style="color: black;">海量</span></span><span style="color: black;">php</span><span style="color: black;">内核<span style="color: black;">关联</span>知</span><span style="color: black;">识</span><span style="color: black;">,可直接跳到</span><strong style="color: blue;"><span style="color: black;">操作</span></strong><strong style="color: blue;"><span style="color: black;">总结</span></strong><strong style="color: blue;"><span style="color: black;">。</span></strong></strong></span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">php语言本身的变形<span style="color: black;">或</span>加密等,<span style="color: black;">日前</span>并<span style="color: black;">不可</span>完全对抗安全软件,并且<span style="color: black;">做为</span>以backdoor的形式。<span style="color: black;">例如</span>易暴露,易查杀等。而本身<span style="color: black;">亦</span>不具备多标签属性。如临时<span style="color: black;">运用</span>,与<span style="color: black;">连续</span>渗透<span style="color: black;">运用</span>。</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">waf是<span style="color: black;">经过</span>执行一系列针对HTTP/HTTPS的安全策略防护,而<span style="color: black;">做为</span>backdoor,应尽可能避免http协议来<span style="color: black;">连续</span>连接后门。如hook,phpinfo(),当<span style="color: black;">拜访</span>phpinfo(),<span style="color: black;">目的</span>机<span style="color: black;">起始</span>触发tcp监听,并且sharing port 80。连接后门是tcp(攻击机)->tcp(<span style="color: black;">目的</span>机),来躲避waf的防御的本质。</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">日前</span>的安全软件针对backdoor越来越强大。而backdoor的多属性标签<span style="color: black;">行径</span><span style="color: black;">掰开</span>来对抗软件。(如:backdoor有2种标签属性,一种标签是执行任意php代码[临时<span style="color: black;">运用</span>,如菜刀连接],另一种标签是hook func或是开启其他功能,<span style="color: black;">然则</span>触发backdoor的点却完全<span style="color: black;">区别</span>,这与传统php_backdoor有着本质的区别,如想要触发php代码任意执行,<span style="color: black;">拜访</span>页面1触发,而触发hook 是被动触发,触发listen,<span style="color: black;">拜访</span>页面2来触发。而页面1与2无任何<span style="color: black;">相关</span>)</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">针对php的扩展<span style="color: black;">研发</span>,<span style="color: black;">同期</span>要<span style="color: black;">思虑</span>到backdoor本身是私用还是项目<span style="color: black;">或</span>公用。如私用的backdoor,<span style="color: black;">更加多</span><span style="color: black;">思虑</span>的是稳定性,<span style="color: black;">长时间</span>性,而非易用性,通用性。如项目<span style="color: black;">或</span>公用的backdoor优先<span style="color: black;">思虑</span>到易用性与通用性,如全版本的phpbackdoor,<span style="color: black;">同期</span>支持php5.x,php7.x等,它是一个很好的公用性质的backdoor,<span style="color: black;">然则</span>绝对不是一个优秀的私用backdoor。因在实现中,需要<span style="color: black;">思虑</span>到PHP_MAJOR_VERSION问题。</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">常常</span>在实战过程中,<span style="color: black;">目的</span>机存在不出网的环境,<span style="color: black;">亦</span><span style="color: black;">便是</span>你<span style="color: black;">能够</span><span style="color: black;">拜访</span>它,<span style="color: black;">然则</span><span style="color: black;">目的</span>机不<span style="color: black;">能够</span>对外<span style="color: black;">拜访</span>。<span style="color: black;">增多</span>了对<span style="color: black;">目的</span>内网以及PC机的渗透时间成本。<span style="color: black;">这儿</span>需要<span style="color: black;">思虑</span>到1,针对不出网的前提下,backdoor本身的sharing port,以及<span style="color: black;">能够</span>无缝对接渗透框架(如msf,Cobalt Strike等)。</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">渗透大型<span style="color: black;">目的</span>(如mail服务商)<span style="color: black;">或</span>大型<span style="color: black;">机构</span>域内员工OA,<span style="color: black;">或</span>mail(php结构),需要时时得到user,password明文,<span style="color: black;">倘若</span><span style="color: black;">目的</span>重要<span style="color: black;">或</span>数据<span style="color: black;">敏锐</span>,更<span style="color: black;">或</span>是对方源码加密,<span style="color: black;">针对</span>更改<span style="color: black;">目的</span>登录源码来获取并不是一个明智的<span style="color: black;">办法</span>,<span style="color: black;">那样</span>需要优先<span style="color: black;">思虑</span><span style="color: black;">怎样</span>hook func(post user,pass)--> 写入本地,<span style="color: black;">或</span>发送远程mail,来时时获取。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">PHP的全局变量始终存在,而在内核hash中<span style="color: black;">保留</span>在EG(symbol_table),而全局变量的<span style="color: black;">拜访</span>无论是语言本身还是在内核中,语法基本一致。</p>global $micropoor;表达为&EG(symbol_table), micropoor,除全局变量以外,在php语言中还存在超全局变量,$_SERVER、$_REQUEST、$_POST、$_GET等,<span style="color: black;">然则</span>在内核中,超全局变量<span style="color: black;">实质</span>是php内核中定义的<span style="color: black;">有些</span>全局变量。<span style="color: black;">
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">php-src-master\main\php_variables.c:908-917</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">void php_startup_auto_globals(void)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">{</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">zend_register_auto_global(zend_string_init_interned("_GET", sizeof("_GET")-1, 1), 0, php_auto_globals_create_get);</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">zend_register_auto_global(zend_string_init_interned("_POST", sizeof("_POST")-1, 1), 0, php_auto_globals_create_post);</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">zend_register_auto_global(zend_string_init_interned("_COOKIE", sizeof("_COOKIE")-1, 1), 0, php_auto_globals_create_cookie);</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">zend_register_auto_global(zend_string_init_interned("_SERVER", sizeof("_SERVER")-1, 1), PG(auto_globals_jit), php_auto_globals_create_server);</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> zend_register_auto_global(zend_string_init_interned("_ENV", sizeof("_ENV")-1, 1), PG(auto_globals_jit), php_auto_globals_create_env);</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">zend_register_auto_global(zend_string_init_interned("_REQUEST", sizeof("_REQUEST")-1, 1), PG(auto_globals_jit), php_auto_globals_create_request);</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">zend_register_auto_global(zend_string_init_interned("_FILES", sizeof("_FILES")-1, 1), 0, php_auto_globals_create_files);</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">}</p>
</span>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">跟zend_register_auto_global</span></p><span style="color: black;">
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">php-src-master\Zend\zend_compile.c:1649-1661</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">int zend_register_auto_global(zend_string *name, zend_bool jit, zend_auto_global_callback auto_global_callback) /* {{{ */</p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">{</p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> zend_auto_global auto_global;</p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> int retval;</p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> auto_global.name = name;</p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> auto_global.auto_global_callback = auto_global_callback;</p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> auto_global.jit = jit;</p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">retval = zend_hash_add_mem(CG(auto_globals), auto_global.name, &auto_global, sizeof(zend_auto_global)) != NULL ? SUCCESS : FAILURE;</p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> return retval;</p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">}</p></span><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">把对象<span style="color: black;">保留</span>CG(auto_globals)这个全局变量,正如上文,在内核中,超全局变量<span style="color: black;">实质</span>为php内核定义的全局变量。<span style="color: black;">保留</span>在CG。</p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"> 而backdoor常用除EG,CG辅助宏外,其他辅助宏为:</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">EG();//<span style="color: black;">全局变量</span> executor_globals <span style="color: black;">如</span>$_GLOBALS,INI<span style="color: black;">信息</span></span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">SG();//SAPI<span style="color: black;">变量</span> <span style="color: black;">请求数据</span> sapi_globals_struct <span style="color: black;">如</span>:HTTP<span style="color: black;">原始请求变量</span>sapi_request_info</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">CG();//<span style="color: black;">编译变量</span> compiler_globals <span style="color: black;"><span style="color: black;">能够</span>得到函数表</span>,<span style="color: black;">类表</span></span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">EX();//<span style="color: black;">当前执行数据</span> zend_execute_data <span style="color: black;"><span style="color: black;">能够</span>获取到当前执行的函数</span>,<span style="color: black;">类</span>,OPCODE<span style="color: black;">等</span></span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">OG();//<span style="color: black;">输出变量</span> output_globals</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">认识</span>了超全局变量,全局变量,常量等,<span style="color: black;">倘若</span>需要hook 自定义或本身函数,还需声明导出函数,Zend本身<span style="color: black;">供给</span>了一组宏,类型为void</span></p>// function declaration
PHP_MINIT_FUNCTION(my_extension);
// ... some code ...
zend_module_entry my_extension_module_entry = {
#if ZEND_MODULE_API_NO >= 20010901
STANDARD_MODULE_HEADER,
#endif
"my_extension",
my_extension_functions,
PHP_MINIT(my_extension),
NULL,
NULL,
NULL,
NULL,
#if ZEND_MODULE_API_NO >= 20010901
"1.0",
#endif
STANDARD_MODULE_PROPERTIES
};
// ... some code ...
// function implementation
PHP_MINIT_FUNCTION(hosting_tools)
{
REGISTER_INI_ENTRIES();
return SUCCESS;
}<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">在php请求过程中,需要调用HashTable来<span style="color: black;">查询</span>全局变量<span style="color: black;">或</span>hook func,几个原型如下:</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">uint32_t zend_hash_num_elements(HashTable *ht); // <span style="color: black;">获取数组<span style="color: black;">体积</span></span></span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">zval* zend_hash_find(HashTable *ht, zend_string *key); //<span style="color: black;"><span style="color: black;">按照</span></span> zend_string * <span style="color: black;"><span style="color: black;">做为</span></span> key <span style="color: black;"><span style="color: black;">查询</span>数组</span></span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">zval* zend_hash_str_find(HashTable *ht, </span><strong style="color: blue;"><span style="color: black;">char</span></strong><span style="color: black;">*str, </span><strong style="color: blue;"><span style="color: black;">size_t</span></strong><span style="color: black;">len); // <span style="color: black;"><span style="color: black;">按照</span></span><span style="color: black;"> char * </span><span style="color: black;"><span style="color: black;">做为</span></span><span style="color: black;"> key </span><span style="color: black;"><span style="color: black;">查询</span>数组</span></span></span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">zval* zend_hash_index_find(HashTable *ht, zend_ulong h); //<span style="color: black;"><span style="color: black;">查询</span>索引</span> h <span style="color: black;">的数组元素</span></span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">void* zend_hash_find_ptr(HashTable *ht, zend_string *key); // <span style="color: black;">同上,只是返回元素指针指向的值</span></span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">void* zend_hash_str_find_ptr(HashTable *ht, </span><strong style="color: blue;"><span style="color: black;">char</span></strong><span style="color: black;">*str, </span><strong style="color: blue;"><span style="color: black;">size_t</span></strong><span style="color: black;">len); // <span style="color: black;">跟上同类</span></span></span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">void* zend_hash_index_find_ptr(HashTable *ht, zend_ulong h); // <span style="color: black;">跟上同类</span></span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">zend_bool zend_hash_exists(HashTable *ht, zend_string *key); // zend_string * key<span style="color: black;"><span style="color: black;">是不是</span>存在</span></span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">zend_bool zend_hash_str_exists(HashTable *ht, </span><strong style="color: blue;"><span style="color: black;">char</span></strong><span style="color: black;">*str, </span><strong style="color: blue;"><span style="color: black;">size_t</span></strong><span style="color: black;">len); // char * key <span style="color: black;"><span style="color: black;">是不是</span>存在</span></span></span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">zend_bool zend_hash_index_exists(HashTable *ht, zend_ulong h); //<span style="color: black;">索引</span> h <span style="color: black;"><span style="color: black;">是不是</span>存在</span></span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">zend_array *HASH_OF(zval *val); // <span style="color: black;">其实</span> HASH_OF <span style="color: black;">是一个宏,参数</span> value <span style="color: black;"><span style="color: black;">能够</span>是数组</span> `IS_ARRAY` <span style="color: black;"><span style="color: black;">或</span>对象</span> `IS_OBJECT`<span style="color: black;">,否则返回</span> NULL</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">而在php7.x中,HashTable API大部分被修改,列出1处对比原型如下:(<span style="color: black;">详细</span>见tks官方wiki)</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">- if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key)+1, (void**)&zv_ptr) == SUCCESS) { //php5.x</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">+ if ((zv = zend_hash_find(ht, Z_STR_P(key))) != NULL) { //php7.x</span></p><h2 style="color: black; text-align: left; margin-bottom: 10px;"><span style="color: black;"><strong style="color: blue;"><span style="color: black;">操作</span><span style="color: black;">总结</span><span style="color: black;">:</span></strong></span></h2><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">接下来<span style="color: black;">思虑</span>的事情是<span style="color: black;">怎样</span>把以上枯燥无趣变成一件有趣的事情。并且做出2个demo,2个更<span style="color: black;">拥有</span>实战性的backdoor</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">1.php7.x 劫持_POST,<span style="color: black;">或</span>_GET等,执行任意php code(临时<span style="color: black;">运用</span>标签)</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">2.php7.x hook phpinfo,来<span style="color: black;">隐匿</span>一句话(临时<span style="color: black;">运用</span>标签)</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">3.<span style="color: black;">怎样</span>构造php全版本的backdoor(公共或项目backdoor思想)</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">4.关于第三方框架的嵌入。(<span style="color: black;">连续</span>性标签)</p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">做为</span>demo1,设计出php7.x backdoor</p>以info.php 为demo,内容如下:<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/5u08OUQmyqczlZsascKZueozSHcib2mQpdMibEKcXrDDzgBIaox0BERgFkX4mWkhicpbBLBwhQXuFJeqIvEE5WcPQ/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">拜访</span>任意php页面,带有post参数micropoor_php,则执行任意代码。</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/5u08OUQmyqczlZsascKZueozSHcib2mQphXoP8SAcnpEicy4yzSYIAj0EUnCGkicJ2FMN0SmJ9XlyPGPia6b5bjobA/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">菜刀配置:</p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">填写自定义code </p>下载<span style="color: black;">位置</span>: linux php 7.x_x64_backdoor<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">https://drive.google.com/file/d/1WkQInZQ53PHe104MKHqFOG_-ydCZh4lN/view?usp=sharing</p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">更加多</span>有趣的实验:</p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">做为</span>demo2,劫持phpinfo();,使得一句话后门为 </p>demo3,无缝支持第三方框架。嵌入C payload,并sharing port 80.<h2 style="color: black; text-align: left; margin-bottom: 10px;"><strong style="color: blue;"><span style="color: black;">参考致谢:</span></strong></h2><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">http://php.webtutor.pl/</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">https://wiki.php.net/phpng-upgrading</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">https://www.jianshu.com/p/32fdad9be6c8</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">https://github.com/pangudashu/php7-internal/</span></p><h2 style="color: black; text-align: left; margin-bottom: 10px;"><span style="color: black;">附录:</span></h2><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">php5.x x64 backdoor for linux</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">public_x64.so</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Size: 26800 bytes</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">MD5: 1C21BD02D26E9A3914A9A7248B799715</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">SHA1: 934D577EDBCBC6FEB93AA52DE2C195BE59269B77</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">CRC32: 8145921D</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">备注:public_x64.so仅适用x64位</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">php5.x for Linux 的Microdoor。不适用其他版本。</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">为防止原文件被篡改,<span style="color: black;">运用</span>前,请对比文件MD5值。</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">所有Microdoor系列仅供学习。</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">https://drive.google.com/file/d/1qDYcGuODAUOWF8rKGw4okQ34TyBK9vBh/view?usp=sharing</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">php5.x x32 backdoor for linux</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">public_x32.so</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Size: 26127 bytes</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">MD5: 9BF67665FDCB30C355358624DBEB79BB</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">SHA1: 3E996D33F18C1E34600203E8C348988449865888</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">CRC32: 54264834</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">备注:public_x32.so仅适用x32位</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">php5.x for Linux的Microdoor。不适用其他版本。</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">为防止原文件被篡改,<span style="color: black;">运用</span>前,请对比文件MD5值。</span></p><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/5u08OUQmyqeG05W23YjpXNKPFGKO3wzJG4bvVLbFuia2KvG7hg04opnb5YxvJVQQN6ibncASzEdhoE1LkbaEG1Sw/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p><span style="color: black;">↙↙↙ 点击 ”阅读原文“ 与作者展开<span style="color: black;">专题</span>探讨,直面交流。</span> 系统提示我验证码错误1500次 \~゛, 外贸网站建设方法 http://www.fok120.com/ 期待与你深入交流,共探知识的无穷魅力。
页:
[1]